Wireshark-dev: Re: [Wireshark-dev] un-encrypted traffic over port 443
From: John Sullivan <[email protected]>
Date: Mon, 30 Jun 2014 00:04:48 +0100
On Sunday, June 29, 2014, 12:43:39 PM, Toralf Förster wrote:
> /mew wonders if wireshark should print a warning if http traffic goes
> over port 443 (eg a TRAC temporarily configured at that port instead of
> 80) but is not encrypted, currently those packets are marked as "SSL"
> but they aren't secure.

Note that I believe Apache's (and other servers', no doubt) normal
behaviour is to auto-detect whether the client is speaking plain HTTP
or TLS, and back off to plain HTTP over port 443, *BUT* to deliver 400
Bad Request responses to any attempt to do so.

So there are actually two different things you might want to be aware
of here:

1) Clients wrongly attempting plain HTTP over the TLS port, which is
solely a client issue. It may be a buggy client, a mis-written
webpage/link delivered by other means which specifies the wrong port,
or it could be a malicious attempt to access normal protected services
unencrypted. This would be true even if the server protects itself and
always refuses service. The server operator may not have much control
over this, and it might be quite noisy.

2) Servers actually allowing unencrypted service over that port, which
is likely a rather more serious issue and usually deserves to be
squashed with extreme prejudice.

Dead stars still burn
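
The two cases distinguished in the message above can be told apart from the first payload in each direction of a port-443 flow. The following is an added example, not part of the original message and not Wireshark code; the function names, labels and sample payloads are constructed for illustration, and it assumes the first client and server TCP payloads have already been extracted (SSLv2-style hellos are not handled).

```python
import re

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})[ \r]")

def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 20-23, then version 3.0 through 3.4."""
    return (len(payload) >= 3 and 20 <= payload[0] <= 23
            and payload[1] == 3 and payload[2] <= 4)

def classify_flow(client_first: bytes, server_first: bytes) -> str:
    """Label a port-443 flow from the first payload seen in each direction."""
    if looks_like_tls(client_first):
        return "tls"
    if not client_first.startswith(HTTP_METHODS):
        return "unknown"
    # From here on the client spoke plain HTTP on the TLS port.
    match = STATUS_LINE.match(server_first)
    if match is None:
        # Server answered with something other than HTTP (or nothing at all).
        return "client-plain-http-unanswered"
    if int(match.group(1)) == 400:
        # Case 1: the server detected plain HTTP and refused it.
        return "client-plain-http-refused"
    # Case 2: the server answered a cleartext request with a non-400 status.
    return "server-plain-http-served"

# Constructed sample payloads (truncated to the bytes the checks need).
SAMPLE_FLOWS = {
    "normal": (b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
               b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"),
    "refused": (b"GET / HTTP/1.1\r\nHost: example.test:443\r\n\r\n",
                b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"),
    "served": (b"GET /trac HTTP/1.1\r\nHost: example.test:443\r\n\r\n",
               b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
}

def classify_samples() -> dict:
    """Run the classifier over the constructed flows above."""
    return {name: classify_flow(c, s) for name, (c, s) in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name}: {label}")
```

Only the "server-plain-http-served" label corresponds to case 2; the refused and unanswered labels are the noisier client-side case 1.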