2

Sorry for my stupid question. But I really want to know what is gonna happen..

I have a webservice hosted over the http protocol.

I wanna buy an SSL certificate to have my webservice hosting with the https protocol...

Problem is, I have an Android application that is already connected to the web service (the web services is in my hosting with http).

The question is: if I buy an SSL certificate and my hosting pass from HTTP to HTTPS, will I have to change my java code? It will try to change the connect to my server at http://hosting.esy.es/action.php to https://hosting.esy.es/action.php when the app try to connect to http by default the server redirect to https?

Because this makes me to change al my http to https in my java code. If i don't have to change in my code because automatically redirect to https, I already have security pipe?

Thanks for understand me!

Improve this question
0

3 Answers 3

Reset to default
3

If you enable SSL/TLS on the server side, the client has to be able to "speak SSL/TLS" too. Otherwise, the connection will end up being reset.

Just changing a web-service to use "https" does not auto-magically change all applications communication encrypted. This is a shared protocol. If I suddenly goes speaking French but you only understand English, communication won't happen. This goes the same way for TLS.

If you enable TLS server side, you will have to modify you apps so that they can also use TLS. Fortunately for you, java has the means to deal easily with TLS using some already defined classes. Just look it up.

On the other hand, you can provide both TLS/SSl enabled traffic for the web (https url) and leave the simple http open as well. So that you can have your website using TLS and your app HTTP only. Then you can proceed to migrate your app over TLS before shutting down your HTTP only channel.

Improve this answer
1

If you configure the server to redirect HTTP to HTTPS, you shouldn't need to modify the application code whatsoever (assuming it will follow a redirect).

However, when the request is first made, it will not be encrypted. An attacker could man-in-the-middle or passively sniff the connection in order to read request data or even prevent it from redirecting to HTTPS. The best solution is to make the change now, and begin rolling out new application code that points only to HTTPS.

Improve this answer
3
  • The attack you describe is commonly known as SSLStrip Commented Apr 15, 2016 at 11:17
  • While SSLStrip is one example, it is not the only possibility here. Commented Apr 15, 2016 at 16:16
  • 1
    Note that Java will not follow a redirect from HTTP to HTTPS. From the actual bug report: ... It's the application's responsibility to follow the redirect. Commented Apr 15, 2016 at 18:07
0

Just because you add https to your web server does not mean that you have to remove http. For example, this very page is available both over http, and over https.

While it's certainly a good idea to migrate your Android app to use https, you don't have to do it right away: offer both!

Improve this answer
2
  • If I not change my java code, and the code send http request and my hosting already have https, Shall I have my request encrypted? This is the important think: Ok i'm not gonna change my java code and I still have GET and POST request with http but this automatically encrypted if I have my web services with SSL? Commented Apr 15, 2016 at 1:57
  • Why does it have to be one or the other? Why can't you configure your webserver to accept both http (unencrypted) and https (encrypted)? Your existing java code will continue to request the unencrypted http. If you want your java code to be requesting https, then you may have to modify the code (go look in the Android docs, I'm sure you'll find your answer there). Commented Apr 15, 2016 at 2:09

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.