
.htaccess not preventing a “This Connection is Untrusted” warning

Have hosting account with an addon domain. Directory structure is as follows:

/public_html (main site is hosted in this directory)
/public_html/secondary_site/ (secondary site is hosted in this directory)

I am using the following .htaccess file in the public_html folder (and no .htaccess file in the secondary_site folder):

```apache
RewriteEngine On

# BEGIN Domain to folder mapping
# pointing HTTPS secondarysite.com to https://primarysite.com/secondarysite/
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} secondarysite.com
RewriteCond %{REQUEST_URI} !secondarysite/
RewriteRule ^(.*)$ https://primarysite.com/secondarysite/$1 [L]

# pointing HTTP secondarysite.com to http://primarysite.com/secondarysite/
RewriteCond %{SERVER_PORT} ^80$
RewriteCond %{HTTP_HOST} secondarysite.com
RewriteCond %{REQUEST_URI} !secondarysite/
RewriteRule ^(.*)$ http://primarysite.com/secondarysite/$1 [L]
# END Domain to folder mapping
```

The second rule works fine for non-secure connections; it correctly forwards to the public_html/secondary_site directory.

However when I try to securely connect to secondarysite.com I am greeted with the warning page stating:

You attempted to reach secondarysite.com, but instead you actually reached a server identifying itself as primarysite.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of secondarysite.com.

If I click on the "I understand, proceed" button, it then takes me to the correct, SSL secured directory of public_html/secondary_site. The SSL lock is green and happy.

Why is this .htaccess file not catching requests for secondarysite and rewriting them to the primarysite structure before it has a chance to throw a fit about a bad certificate due to domains not matching?

Answer1:

(This is more or less the same problem as in this question, so I'll adapt my own answer from there.)

HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent. Any redirection (via mod_rewrite, custom PHP code or other) will always apply after the SSL/TLS connection is established.

Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified.

If you want to redirect from https://secondarysite.com to https://primarysite.com, the certificate obtained for https://secondarysite.com must be valid for secondarysite.com (and then, the certificate obtained for https://primarysite.com must be valid for primarysite.com).

(You could use two different certificates with Server Name Indication if the two hosts are served on the same IP address, but not all clients would necessarily support it.)

The easiest would be to obtain a certificate that's valid for both secondarysite.com and primarysite.com. This can be done using a single certificate with multiple Subject Alternative Name entries.
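To make the certificate requirement concrete, here is an added example (not code from the question or the answer) that performs the same hostname-versus-SAN check a browser does before any redirect can run. The SAN lists are constructed stand-ins: one mimics a certificate that only names primarysite.com (which produces the warning above), the other a single certificate with both names. `fetch_san_dns_names` is an assumed helper that pulls the real SAN list from a live server using SNI.

```python
import socket
import ssl

# Constructed SAN lists standing in for the two certificates discussed above.
SAN_PRIMARY_ONLY = ["primarysite.com", "www.primarysite.com"]
SAN_MULTI = ["primarysite.com", "www.primarysite.com",
             "secondarysite.com", "www.secondarysite.com"]


def name_matches(hostname: str, san_entry: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard allowed only
    as the entire leftmost label, and it never matches the bare domain."""
    host = hostname.lower().rstrip(".")
    pat = san_entry.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    # *.primarysite.com must not match primarysite.com or a.b.primarysite.com
    if pat_labels[0] != "*" or len(pat_labels) < 3 or len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def san_covers(hostname: str, san_dns_names: list) -> bool:
    """True if any dNSName SAN entry in the certificate is valid for hostname.
    This is the check that fails in the question: the TLS handshake presents
    a certificate for primarysite.com while the client asked for secondarysite.com."""
    return any(name_matches(hostname, n) for n in san_dns_names)


def fetch_san_dns_names(host: str, port: int = 443) -> list:
    """Assumed helper: connect with SNI, verify the chain, and return the leaf
    certificate's dNSName SAN entries so san_covers() can report a mismatch
    instead of the handshake raising on it (network access required)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified (CERT_REQUIRED); we do the name check
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for label, sans in (("primary-only cert", SAN_PRIMARY_ONLY), ("multi-SAN cert", SAN_MULTI)):
        print(f"{label}: secondarysite.com covered = {san_covers('secondarysite.com', sans)}")
```

Run it against a live host with `fetch_san_dns_names("primarysite.com")` to see exactly which names the served certificate carries; if secondarysite.com is absent, no .htaccess rule can prevent the warning.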
