HTTP Strict Transport Security

Developers and contributors can find a link to our github page and engage in development project planning here.
Post Reply
Message
Author
Polycarp_of_Smyrna
Posts: 6
Joined: Tue Apr 23, 2019 8:05 pm
Karma: 5

HTTP Strict Transport Security

#1 Post by Polycarp_of_Smyrna » Wed Apr 24, 2019 2:46 pm

Has webDiplomacy considered implementing HTTP Strict Transport Security (HSTS)? If I type in webdiplomacy.net into any of my browsers, I am directed to http://webdiplomacy.net . However explicitly writing https://webdiplomacy.net will establish a secure connection with a certificate from Let's Encrypt (good choice, creator is a professor at my university). Implementing HSTS will force all http connections up to https providing for a more secure experience and rid us of the red "Not secure" message.
1

chluke
Gold Donator
Gold Donator
Posts: 88
Joined: Sun Dec 31, 2017 12:10 am
Karma: 21

Re: HTTP Strict Transport Security

#2 Post by chluke » Wed Apr 24, 2019 3:30 pm

I also need (well, "prefer") secure https because I use Lookout for Android's "safe browsing feature". I can type https to get to the main page, but often when I click a game link the browswer is automatically reverting to http (non secure) and the page will not load for me with Lookout's safe browsing feature active.

BananaFang
Posts: 16
Joined: Fri Sep 29, 2017 3:26 pm
Karma: 5

Re: HTTP Strict Transport Security

#3 Post by BananaFang » Wed Apr 24, 2019 3:57 pm


flash2015
Gold Donator
Gold Donator
Posts: 1712
Joined: Fri Sep 29, 2017 7:55 pm
Location: Planet Earth
Karma: 345

Re: HTTP Strict Transport Security

#4 Post by flash2015 » Wed Apr 24, 2019 5:31 pm

BananaFang wrote:
Wed Apr 24, 2019 3:57 pm
https://www.eff.org/https-everywhere
?
Yes, that is the one. The change just got merged into master:

https://github.com/EFForg/https-everywhere/pull/17683

Probably won't be long until we see it (I see the current rules in Firefox are of date April 16th).

Polycarp_of_Smyrna
Posts: 6
Joined: Tue Apr 23, 2019 8:05 pm
Karma: 5

Re: HTTP Strict Transport Security

#5 Post by Polycarp_of_Smyrna » Wed Apr 24, 2019 6:45 pm

BananaFang wrote:
Wed Apr 24, 2019 3:57 pm
https://www.eff.org/https-everywhere
?
I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.

flash2015
Gold Donator
Gold Donator
Posts: 1712
Joined: Fri Sep 29, 2017 7:55 pm
Location: Planet Earth
Karma: 345

Re: HTTP Strict Transport Security

#6 Post by flash2015 » Wed Apr 24, 2019 8:46 pm

Polycarp_of_Smyrna wrote:
Wed Apr 24, 2019 6:45 pm
BananaFang wrote:
Wed Apr 24, 2019 3:57 pm
https://www.eff.org/https-everywhere
?
I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.
It is a plugin that effectively does URL rewriting in the client to change http to the corresponding https URL where server side techniques to switch to https (like HSTS) are not supported. The http-https mappings are defined in a set of rules which are loaded by the client web browser. Both Firefox and Chrome are supported. It is free and open source and is intended for use by everyone that wants to be more secure on the web. EFF also has other plugins/tools to provide more security on the web like PrivacyBadger...which is a bit like Ghostery.

Polycarp_of_Smyrna
Posts: 6
Joined: Tue Apr 23, 2019 8:05 pm
Karma: 5

Re: HTTP Strict Transport Security

#7 Post by Polycarp_of_Smyrna » Thu Apr 25, 2019 2:42 am

flash2015 wrote:
Wed Apr 24, 2019 8:46 pm
Polycarp_of_Smyrna wrote:
Wed Apr 24, 2019 6:45 pm
BananaFang wrote:
Wed Apr 24, 2019 3:57 pm
https://www.eff.org/https-everywhere
?
I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.
It is a plugin that effectively does URL rewriting in the client to change http to the corresponding https URL where server side techniques to switch to https (like HSTS) are not supported. The http-https mappings are defined in a set of rules which are loaded by the client web browser. Both Firefox and Chrome are supported. It is free and open source and is intended for use by everyone that wants to be more secure on the web. EFF also has other plugins/tools to provide more security on the web like PrivacyBadger...which is a bit like Ghostery.
That is what I expected. However I do not think that it is a good solution. If I learned anything in my computer security course (besides that hashing is not encryption), it is that security should not be left to individual users, it needs to be standardized from the central source. I believe that it would be better for webDiplomacy to implement HSTS than to rely on users to manage their own security.

Peregrine Falcon
Site Contributor
Site Contributor
Posts: 119
Joined: Tue Mar 14, 2017 8:44 pm
Karma: 117
Contact:

Re: HTTP Strict Transport Security

#8 Post by Peregrine Falcon » Thu Apr 25, 2019 4:05 am

webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.
3

jmo1121109
Developer
Developer
Posts: 844
Joined: Fri Sep 29, 2017 4:20 pm
Karma: 1912
Contact:

Re: HTTP Strict Transport Security

#9 Post by jmo1121109 » Thu Apr 25, 2019 4:18 am

^that

Chaqa
Bronze Donator
Bronze Donator
Posts: 428
Joined: Fri Sep 29, 2017 7:33 pm
Karma: 132

Re: HTTP Strict Transport Security

#10 Post by Chaqa » Thu Apr 25, 2019 11:34 am

I always have an issue where links some people post log me out of the site. Is it related?

Polycarp_of_Smyrna
Posts: 6
Joined: Tue Apr 23, 2019 8:05 pm
Karma: 5

Re: HTTP Strict Transport Security

#11 Post by Polycarp_of_Smyrna » Thu Apr 25, 2019 12:48 pm

Peregrine Falcon wrote:
Thu Apr 25, 2019 4:05 am
webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.
That is not necessarily secure. It is still susceptible to downgrade attacks (forcing https to unsecured http). If HSTS is implemented, compliant (essentially all) browsers will refuse to connect if a https connection is not established.
Note that this has the potential drawback of no one being able to use the site if the certificate lapses until it is renewed.

flash2015
Gold Donator
Gold Donator
Posts: 1712
Joined: Fri Sep 29, 2017 7:55 pm
Location: Planet Earth
Karma: 345

Re: HTTP Strict Transport Security

#12 Post by flash2015 » Thu Apr 25, 2019 1:32 pm

Chaqa wrote:
Thu Apr 25, 2019 11:34 am
I always have an issue where links some people post log me out of the site. Is it related?
Yes. You were probably logged in with webdiplomacy.net and then clicked a link to www.webdiplomacy.net. The login cookies are currently not shared between these domains.
2

orathaic
Bronze Donator
Bronze Donator
Posts: 231
Joined: Fri Sep 29, 2017 3:20 pm
Karma: 79

Re: HTTP Strict Transport Security

#13 Post by orathaic » Wed May 01, 2019 6:50 pm

Polycarp_of_Smyrna wrote:
Thu Apr 25, 2019 12:48 pm
Peregrine Falcon wrote:
Thu Apr 25, 2019 4:05 am
webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.
That is not necessarily secure. It is still susceptible to downgrade attacks (forcing https to unsecured http). If HSTS is implemented, compliant (essentially all) browsers will refuse to connect if a https connection is not established.
Note that this has the potential drawback of no one being able to use the site if the certificate lapses until it is renewed.
I was looking at let's encrypt recently, if you have a host which supports it, you can have it automatically refresh your certs. And it being free is a good plus.

Not sure about the host support though. My host may have sketchy support.

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest