Hey all!
I was playing around with different browsers for an experiment I was doing and was surprised to find that GBATemp will serve all its content over standard HTTP. This is actually the default behaviour for Internet Explorer and Edge (when typing "gbatemp.net" into the URL bar). This opens up users to a wide variety of issues, since all GBATemp traffic is unencrypted, including cookies, login information and PMs. Thus, I'm suggesting that HTTPS become a bit more mandatory.
This could be done in a variety of ways. I feel like HSTS is probably the best way to go since there's already good HTTPS set up for GBATemp. HSTS is a protocol where you add a response header and the browser will use HTTPS, completely disallow invalid certificates and will also try to load any mixed content over HTTPS. This is probably the best solution since it'd only require a response header and no other modification. You can find the OWASP cheat sheet on HSTS here. Other options might be a redirect or flatly disabling HTTP (Google has actually done this; you can't connect to it without TLS).
Anyway, it's an issue that needs to be fixed so users who don't know about web security aren't at risk.
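To make the HSTS behaviour described above concrete, here is an added example (not code from the post or from GBATemp) that models what a browser does with a `Strict-Transport-Security` header per RFC 6797: parse the directives, remember the policy for the host, and rewrite later `http://` requests for that host (or its subdomains, when `includeSubDomains` is set) to `https://`. Host names and header values are constructed for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a dict.
    Returns None when max-age is missing or not a non-negative integer,
    since RFC 6797 tells browsers to ignore such headers entirely."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

def remember(store, host, header, now=None):
    """Record the host's policy as a browser would after an HTTPS response
    (browsers ignore the header on plain-HTTP responses). max-age=0 deletes
    any cached entry for the host."""
    policy = parse_hsts(header)
    if policy is None:
        return
    now = time.time() if now is None else now
    if policy["max_age"] == 0:
        store.pop(host.lower(), None)
        return
    store[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

def upgrade(store, url, now=None):
    """Return the URL the browser would actually fetch: http:// becomes
    https:// when the exact host, or a parent domain whose policy has
    includeSubDomains, holds an unexpired HSTS entry. Port 80 maps to the
    https default; any other explicit port is kept."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    host = parts.hostname.lower()
    labels = host.split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url
```

The expiry check is why a long `max-age` matters: once the entry lapses, the browser is back to trusting whatever scheme the user typed.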