HTTP Strict Transport Security


Re: HTTP Strict Transport Security

by orathaic » Wed May 01, 2019 6:50 pm

Polycarp_of_Smyrna wrote:
Thu Apr 25, 2019 12:48 pm
Peregrine Falcon wrote:
Thu Apr 25, 2019 4:05 am
webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.
That is not necessarily secure. It is still susceptible to downgrade attacks (forcing https to unsecured http). If HSTS is implemented, compliant (essentially all) browsers will refuse to connect if an https connection is not established.
Note that this has the potential drawback of no one being able to use the site if the certificate lapses until it is renewed.
I was looking at let's encrypt recently, if you have a host which supports it, you can have it automatically refresh your certs. And it being free is a good plus.

Not sure about the host support though. My host may have sketchy support.

Re: HTTP Strict Transport Security

by flash2015 » Thu Apr 25, 2019 1:32 pm

Chaqa wrote:
Thu Apr 25, 2019 11:34 am
I always have an issue where links some people post log me out of the site. Is it related?
Yes. You were probably logged in with webdiplomacy.net and then clicked a link to www.webdiplomacy.net. The login cookies are currently not shared between these domains.
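The log-out-on-link behaviour flash2015 describes comes from the cookie domain rules browsers apply, and the following added example models them; it is illustration code written for this thread, not webDiplomacy's own code. The Set-Cookie header values are constructed, and the two host names are the ones named in the thread. A cookie set without a Domain attribute is "host-only" and is returned only to the exact host that set it, so a session cookie from webdiplomacy.net is never sent to www.webdiplomacy.net; a cookie set with Domain=webdiplomacy.net covers both.

```python
"""Model of RFC 6265 cookie domain matching (sections 5.1.3, 5.3 and 5.4).
Added example, not webDiplomacy's code; cookie values are constructed."""


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: the host matches the cookie domain when they are
    identical or the host ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header, response_host):
    """Store a Set-Cookie value the way a browser would (section 5.3).
    Returns the stored cookie, or None if the browser would reject it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "domain": response_host.lower(),
        "host_only": True,   # no Domain attribute seen yet
        "secure": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        val = val.strip().lstrip(".").lower()
        if key == "domain" and val:
            # A Domain that does not cover the responding host is rejected,
            # which stops one site setting cookies for an unrelated one.
            if not domain_match(response_host, val):
                return None
            cookie["domain"] = val
            cookie["host_only"] = False
        elif key == "secure":
            cookie["secure"] = True
        # HttpOnly, Path, SameSite etc. are not modelled here.
    return cookie


def cookie_sent(cookie, request_host, scheme="https"):
    """Section 5.4: host-only cookies need an exact host match; domain cookies
    use domain_match. Secure cookies are never sent over plain http."""
    if cookie["secure"] and scheme != "https":
        return False
    if cookie["host_only"]:
        return cookie["domain"] == request_host.lower()
    return domain_match(request_host, cookie["domain"])


if __name__ == "__main__":
    # Constructed session cookies: one host-only, one with a Domain attribute.
    host_only = parse_set_cookie("session=abc123; Secure; HttpOnly", "webdiplomacy.net")
    shared = parse_set_cookie("session=abc123; Domain=webdiplomacy.net; Secure", "webdiplomacy.net")
    for label, c in (("host-only", host_only), ("Domain=webdiplomacy.net", shared)):
        for host in ("webdiplomacy.net", "www.webdiplomacy.net"):
            print(f"{label:24} -> {host:24} sent={cookie_sent(c, host)}")
```

Setting the Domain attribute is one half of the fix the thread hints at; the other half is redirecting every alias to one canonical host so there is only one origin to keep a session for. Note that a Secure cookie is withheld on a plain-http page, which is another way a link that drops to http appears to "log you out".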

Re: HTTP Strict Transport Security

by Polycarp_of_Smyrna » Thu Apr 25, 2019 12:48 pm

Peregrine Falcon wrote:
Thu Apr 25, 2019 4:05 am
webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.
That is not necessarily secure. It is still susceptible to downgrade attacks (forcing https to unsecured http). If HSTS is implemented, compliant (essentially all) browsers will refuse to connect if an https connection is not established.
Note that this has the potential drawback of no one being able to use the site if the certificate lapses until it is renewed.

Re: HTTP Strict Transport Security

by Chaqa » Thu Apr 25, 2019 11:34 am

I always have an issue where links some people post log me out of the site. Is it related?

Re: HTTP Strict Transport Security

by jmo1121109 » Thu Apr 25, 2019 4:18 am

^that

Re: HTTP Strict Transport Security

by Peregrine Falcon » Thu Apr 25, 2019 4:05 am

webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.

Re: HTTP Strict Transport Security

by Polycarp_of_Smyrna » Thu Apr 25, 2019 2:42 am

flash2015 wrote:
Wed Apr 24, 2019 8:46 pm
Polycarp_of_Smyrna wrote:
Wed Apr 24, 2019 6:45 pm
BananaFang wrote:
Wed Apr 24, 2019 3:57 pm
https://www.eff.org/https-everywhere
?
I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.
It is a plugin that effectively does URL rewriting in the client to change http to the corresponding https URL where server side techniques to switch to https (like HSTS) are not supported. The http-https mappings are defined in a set of rules which are loaded by the client web browser. Both Firefox and Chrome are supported. It is free and open source and is intended for use by everyone that wants to be more secure on the web. EFF also has other plugins/tools to provide more security on the web like PrivacyBadger...which is a bit like Ghostery.
That is what I expected. However I do not think that it is a good solution. If I learned anything in my computer security course (besides that hashing is not encryption), it is that security should not be left to individual users, it needs to be standardized from the central source. I believe that it would be better for webDiplomacy to implement HSTS than to rely on users to manage their own security.

Re: HTTP Strict Transport Security

by flash2015 » Wed Apr 24, 2019 8:46 pm

Polycarp_of_Smyrna wrote:
Wed Apr 24, 2019 6:45 pm
BananaFang wrote:
Wed Apr 24, 2019 3:57 pm
https://www.eff.org/https-everywhere
?
I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.
It is a plugin that effectively does URL rewriting in the client to change http to the corresponding https URL where server side techniques to switch to https (like HSTS) are not supported. The http-https mappings are defined in a set of rules which are loaded by the client web browser. Both Firefox and Chrome are supported. It is free and open source and is intended for use by everyone that wants to be more secure on the web. EFF also has other plugins/tools to provide more security on the web like PrivacyBadger...which is a bit like Ghostery.

Re: HTTP Strict Transport Security

by Polycarp_of_Smyrna » Wed Apr 24, 2019 6:45 pm

BananaFang wrote:
Wed Apr 24, 2019 3:57 pm
https://www.eff.org/https-everywhere
?
I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.

Re: HTTP Strict Transport Security

by flash2015 » Wed Apr 24, 2019 5:31 pm

BananaFang wrote:
Wed Apr 24, 2019 3:57 pm
https://www.eff.org/https-everywhere
?
Yes, that is the one. The change just got merged into master:

https://github.com/EFForg/https-everywhere/pull/17683

Probably won't be long until we see it (I see the current rules in Firefox are dated April 16th).

Re: HTTP Strict Transport Security

by BananaFang » Wed Apr 24, 2019 3:57 pm

https://www.eff.org/https-everywhere
?

Re: HTTP Strict Transport Security

by chluke » Wed Apr 24, 2019 3:30 pm

I also need (well, "prefer") secure https because I use Lookout for Android's "safe browsing feature". I can type https to get to the main page, but often when I click a game link the browser is automatically reverting to http (non secure) and the page will not load for me with Lookout's safe browsing feature active.

HTTP Strict Transport Security

by Polycarp_of_Smyrna » Wed Apr 24, 2019 2:46 pm

Has webDiplomacy considered implementing HTTP Strict Transport Security (HSTS)? If I type in webdiplomacy.net into any of my browsers, I am directed to http://webdiplomacy.net. However explicitly writing https://webdiplomacy.net will establish a secure connection with a certificate from Let's Encrypt (good choice, creator is a professor at my university). Implementing HSTS will force all http connections up to https providing for a more secure experience and rid us of the red "Not secure" message.
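The mechanism behind this opening post, and behind the later reply about downgrade attacks and browsers refusing to connect, can be seen in the following added example. It is illustration code written for this thread, not webDiplomacy's server or any real browser: the three "transports" are constructed stand-ins for an origin server, a misconfigured origin, and a network path on which https cannot be established, and the one-year policy value is an assumption. It shows the server side (301 to https, Strict-Transport-Security header only on the https response) and the client side (a policy cache that rewrites http links to https before any request is sent, honours includeSubDomains and max-age expiry, and refuses to fall back to http once a policy is known).

```python
"""Model of HSTS (RFC 6797) on both sides of the connection.
Added example, not webDiplomacy's code or a browser's; transports are constructed."""
import time
from urllib.parse import urlsplit, urlunsplit

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumed one-year policy


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None if there is no header or no valid max-age (section 6.1)."""
    if not header:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: whole policy ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def to_https(url):
    parts = urlsplit(url)
    return urlunsplit(("https",) + parts[1:])


def origin_transport(url):
    """Correctly configured origin: plain http gets a 301 to https and no HSTS
    header; the header rides only on the https response, because browsers must
    ignore it when received over plain http (section 8.1)."""
    if urlsplit(url).scheme == "http":
        return 301, {"Location": to_https(url)}, ""
    return 200, {"Strict-Transport-Security": HSTS_VALUE}, "<html>ok</html>"


def header_on_http_transport(url):
    """Misconfiguration: page served over http with no redirect and the HSTS
    header on the plain-http response. The browser below correctly ignores it."""
    return 200, {"Strict-Transport-Security": HSTS_VALUE}, "<html>plain</html>"


def no_tls_transport(url):
    """Network path where https cannot be established: http is answered,
    https fails. This is the downgrade scenario from the thread."""
    if urlsplit(url).scheme == "https":
        raise ConnectionError("https unreachable")
    return 200, {}, "<html>plain</html>"


class Browser:
    """Minimal HSTS policy store: host -> (expiry_time, include_subdomains)."""

    def __init__(self, now=time.time):
        self.policies = {}
        self.now = now

    def is_known(self, host):
        """True for an exact host with a live policy, or for any parent domain
        whose live policy carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > self.now() and (i == 0 or policy[1]):
                return True
        return False

    def fetch(self, url, transport=origin_transport):
        """Return (final_url, status). An http URL for a known host is rewritten
        to https before anything is sent; if https then fails, the error
        propagates rather than falling back to http."""
        if urlsplit(url).scheme == "http" and self.is_known(urlsplit(url).hostname):
            url = to_https(url)
        status, headers, _body = transport(url)
        if urlsplit(url).scheme == "https":
            policy = parse_hsts(headers.get("Strict-Transport-Security"))
            if policy:
                self.policies[urlsplit(url).hostname] = (self.now() + policy[0], policy[1])
        if status == 301:
            return self.fetch(headers["Location"], transport)
        return url, status


def try_fetch(browser, url, transport):
    """Return (final_url, status), or "refused" when the browser would not
    connect because https could not be established for a known host."""
    try:
        return browser.fetch(url, transport)
    except ConnectionError:
        return "refused"


if __name__ == "__main__":
    b = Browser()
    print(b.fetch("http://webdiplomacy.net/board"))                    # first visit learns the policy
    print(b.fetch("http://www.webdiplomacy.net/game", no_tls_transport))  # never sent: rewritten, then refused
```

The first visit is the caveat a practitioner should keep in mind: until a browser has seen the header once over https, a plain-http request for the site still goes out and can be downgraded, which is what the preload list exists to close. The expiry check also shows why the thread's warning about a lapsed certificate matters: while the policy is live the browser has no http fallback, so certificate renewal (automated, as orathaic suggests) becomes part of keeping the site reachable at all.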
