Why just blocking port 80 won’t help you

We know HTTP is insecure since across the web IANA’s assigned port list is used by default which says port 80 should be used for HTTP traffic, but it’s not that you cannot run anything else which is “non-standard” in port 80.

Anyways, coming to point you could be running HTTP server on any port 80, 8080, 8090 whatever, HTTP protocol by design is left insecure. Since we cannot change the standard 80 usage everywhere (IPv6 is still on way even after decades) there are multiple remediations that can be used to avoid common challenges with HTTP.

  1. Instead of serving anything on port 80/HTTP, use it solely for redirecting to correct HTTPs/443. As recommended by cio.gov, letsencrypt
  2. Enforce HSTS Policy on your domain, by nature it will be effective only when your domain is access by the client once. if you don’t know what HSTS is, it is just a HTTP header that tells browser to always open website in HTTPS.
  3. Blocking or disabling doesn’t make your server any secure, in fact it makes things worse.
    1. There is still an open opportunity of MITM attack. The flaw is in protocol not in the implementation of HTTP, which is why anyone can sniff and serve you alternate content, even if you have port blocked in server.
    2. You will make things worse for your users, they won’t be able to access your website as normally they would.
    3. if you serve HSTS headers over HTTP, at least HSTS will be enforced on one hand.
    4. Everywhere you have to type HTTPS, which people don’t do, it is a painful thing to enforce.
  4. It is not about 80, it is more about not using HTTP anywhere, if you have other ports that serve content over HTTP it is still an issue!

Leave a Reply

Your email address will not be published.