Suggestion: Redirect to HTTPS / Add HSTS

Discussion in 'Site Discussions & Suggestions' started by QuarkTheAwesome, Aug 18, 2016.

  1. QuarkTheAwesome
    OP

    QuarkTheAwesome Working for Hugs

    Member
    788
    1,931
    Apr 19, 2015
    Australia
    Stuck in the PowerPC
    Hey all!

    I was playing around with different browsers for an experiment I was doing and was surprised to find that GBATemp will serve all its content over standard HTTP. This is actually the default behaviour for Internet Explorer and Edge (when typing "gbatemp.net" into the URL bar). This opens up users to a wide variety of issues since all GBATemp traffic is unencrypted; including cookies, login information and PMs. Thus, I'm suggesting that HTTPS become a bit more mandatory.

    This could be done in a variety of ways. I feel like HSTS is probably the best way to go since there's already good HTTPS set up for GBATemp. HSTS is a protocol where you add a response header and the browser will use HTTPS, completely disallow invalid certificates and will also try to load any mixed content over HTTPS. This is probably the best solution since it'd only require a response header and no other modification. You can find the OWASP cheat sheet on HSTS here. Other options might be a redirect or flatly disabling HTTP (Google has actually done this; you can't connect to it without TLS).

    Anyway, it's an issue that needs to be fixed so users who don't know about web security aren't at risk.
     
    MarcusD likes this.
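The two mechanisms the post describes (a redirect for plain-HTTP visitors, and the Strict-Transport-Security header for everyone who has already reached HTTPS) are small enough to show as code. The following is an added example, not GBATemp's own htaccess rules or any code from the thread: a WSGI middleware that redirects http:// requests and adds HSTS only to https:// responses, plus a harness that drives it with constructed requests. The host name forum.example.net and the `HttpsEnforcer`, `hello_app` and `run` names are assumptions made for the example. One caveat a practitioner wants here is built in: browsers ignore an HSTS header received over plain HTTP, so the header alone does nothing for a first visit; the redirect is still needed, and `preload` only makes sense with `includeSubDomains` and a max-age of at least a year.

```python
"""Added example (not the site's own htaccess rules): HTTP-to-HTTPS redirect plus
HSTS as WSGI middleware, with a harness that calls it on constructed requests."""
from urllib.parse import quote

ONE_YEAR = 365 * 24 * 3600  # seconds; the HSTS preload list requires at least this


class HttpsEnforcer:
    """Wrap a WSGI app so plain-HTTP requests are redirected to HTTPS and every
    HTTPS response carries Strict-Transport-Security.

    The header is only added to HTTPS responses on purpose: browsers ignore HSTS
    received over plain HTTP (RFC 6797, section 8.1), so the redirect is what moves
    a first-time visitor onto HTTPS and HSTS is what keeps returning visitors there.
    """

    def __init__(self, app, canonical_host=None, max_age=ONE_YEAR,
                 include_subdomains=True, preload=False):
        self.app = app
        # Redirect to a fixed host rather than echoing the request's Host header,
        # so a spoofed Host cannot turn the redirect into an open redirect.
        self.canonical_host = canonical_host
        directives = ["max-age=%d" % max_age]
        if include_subdomains:
            directives.append("includeSubDomains")
        if preload:
            # hstspreload.org rejects entries without includeSubDomains or with a
            # max-age under one year, so refuse to emit a useless preload token.
            if not include_subdomains or max_age < ONE_YEAR:
                raise ValueError("preload needs includeSubDomains and max-age >= one year")
            directives.append("preload")
        self.hsts_value = "; ".join(directives)

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme", "http") != "https":
            host = self.canonical_host or environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            target = "https://%s%s" % (host, quote(environ.get("PATH_INFO") or "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            # 301 is fine for GET/HEAD; 308 keeps method and body for POST and friends.
            method = environ.get("REQUEST_METHOD", "GET")
            status = "301 Moved Permanently" if method in ("GET", "HEAD") else "308 Permanent Redirect"
            start_response(status, [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_hsts)


def hello_app(environ, start_response):
    """Stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run(app, scheme, host, path, method="GET", query=""):
    """Invoke a WSGI app on a constructed request; return (status, headers dict, body)."""
    environ = {
        "wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
        "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": method,
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # forum.example.net is a constructed host name, not a real site.
    site = HttpsEnforcer(hello_app, canonical_host="forum.example.net", preload=True)
    print(run(site, "http", "forum.example.net", "/threads/1", query="page=2"))
    print(run(site, "https", "forum.example.net", "/threads/1"))
    print(run(site, "http", "evil.example", "/login", method="POST"))
```

The same policy expressed in htaccess would be a RewriteRule on `%{HTTPS} off` plus a `Header always set Strict-Transport-Security` inside the HTTPS vhost only; the middleware just makes the two halves and their ordering explicit and testable.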
  2. FAST6191

    FAST6191 Techromancer

    Reporter
    23,366
    9,169
    Nov 21, 2005
    The current https rules are a complex consideration implemented in htaccess and more, and based upon the site needing to be accessible in China and similar countries. It would have been a lot simpler to force https and more desirable, but in the end there are a lot of users that would be troubled by it.
    Won't do much for IE/Edge, but if you knowingly use a crap browser for your day-to-day internet...
    https://www.eff.org/https-everywhere

    If you are bothered about logins then there is the facebook stuff.
     
  3. QuarkTheAwesome
    OP
    Wasn't aware that places like China don't have HTTPS; although it makes sense when you think about it. I suppose a system of redirects would be a daunting task...

    I've always been a rabid Firefox user, so no IE woes for me. As I mentioned, this was part of an experiment (the results of which prompted me to make this thread) in which two things occurred:
    1. A laptop connected to a WiFi network and loaded GBATemp (in IE, thus over HTTP).
    2. A second laptop (which happened to be hosting the network) immediately captured the exchange, noted down the cookies and put them into a browser. When this browser loaded GBAtemp, it was logged in with the first laptop's Temp account, despite never having been given the passwords or anything like that.
    I know this is a standard cookie-stealing attack but I still thought it would be worth trying to see if it could be made harder via HTTPS. Facebook logins won't help you here.
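What the second laptop did above works because the session cookie is attached to every request to the site, including plain-HTTP ones, unless it carries the Secure attribute. The block below is an added example, not code from the thread or from the site: it uses the standard library's cookie jar (whose default policy mirrors browser behaviour for the Secure attribute) to show which Cookie header a client would send over http:// and https:// after a login response set the cookie with and without Secure. The host forum.example.net, the cookie name and value, and the `cookie_header_for` and `demo` names are constructed for the example.

```python
"""Added example: why a session cookie set without the Secure attribute is exposed
to a sniffer on the network, using only the standard library's cookie jar."""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_value, login_url, later_url):
    """Store the cookie a login response set, then return the Cookie header the
    client would attach to a later request to `later_url` (None if nothing)."""
    jar = http.cookiejar.CookieJar()  # default policy: Secure cookies only over https
    jar.extract_cookies(_FakeResponse([set_cookie_value]),
                        urllib.request.Request(login_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


# Constructed host and cookie; not a real site or a real session token.
LOGIN = "https://forum.example.net/login"
HTTP_PAGE = "http://forum.example.net/"
HTTPS_PAGE = "https://forum.example.net/"


def demo():
    # As in the thread: the cookie has no Secure attribute, so the client sends it
    # on the next plain-HTTP page load too, which is what the second laptop captured
    # and replayed. HttpOnly keeps script away from it but does nothing on the wire.
    leaky = "session=s3ss10n; Path=/; HttpOnly"
    # Same cookie with Secure: the client refuses to attach it to an http:// request,
    # so a passive sniffer on the access point never sees it.
    hardened = "session=s3ss10n; Path=/; HttpOnly; Secure"
    return {
        "leaky_over_http": cookie_header_for(leaky, LOGIN, HTTP_PAGE),
        "leaky_over_https": cookie_header_for(leaky, LOGIN, HTTPS_PAGE),
        "secure_over_http": cookie_header_for(hardened, LOGIN, HTTP_PAGE),
        "secure_over_https": cookie_header_for(hardened, LOGIN, HTTPS_PAGE),
    }


if __name__ == "__main__":
    for name, header in demo().items():
        print("%-18s %s" % (name, header))
```

Secure on the cookie closes the passive-capture path on its own, but it is a complement to HSTS rather than a replacement: without HSTS a client that follows an http:// link still makes an unauthenticated plaintext request that an attacker on the path can answer however they like.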
     
  4. FAST6191
    MITM is a powerful tool if you can get it done.

    I thought Facebook did a one-time auth/token thing. Won't do much for certain types of spoofing but at the same time should miss your

    Also it might not help for some of the more exotic LAN-based attacks, or when you own the AP, but the newer flavours of WiFi security (WPA2 for instance, and you can play with RADIUS if you really wanted) encrypt on a per-user basis rather than a per-network basis, which stops the standard cookie stealing/coffee shop stuff.
     
  5. QuarkTheAwesome
    OP
    True, but owning the AP is a very easy task. For example, the Pineapple (a Linux machine in a box with a funky WiFi card) has a kernel mod that basically imitates any open network. The idea is that the phone asks "are you x open access point" (x being a network the device joined in the past) and the Pineapple will simply respond with "Yes", thus allowing you to own an AP your victim auto-connects to without the user's consent (in most cases).

    I haven't tried the Facebook login system; I'd assume it leaves a cookie so you can stay logged in. That cookie might be on Facebook's side though. I agree that MITM is rather cool. It's also the best way to teach someone not to use an open WiFi network.
     
  6. FAST6191
    Quite a few devices that people wander out and about with in the world check MAC addresses of access points, seemingly to avoid AP spoofing, and I think there are options to tie it to GPS as well. Much to my annoyance when I thought I would be clever and use the same SSID and security settings and save myself some hassle at a client's once. Granted that does not help the local and there now stuff (yes, I really am the restaurant router), but it does help dodge the "anybody seen my home router" issue, which is the classic implementation of AP spoofing.

    Also, being a pedant, I have to say it is not just open networks but those which use network-level rather than per-user encryption: Firesheep still works on WEP if you know the WEP code (and being WEP, you do).

    I don't know about facebook's setup and you probably could still get a cookie if the server owner sets it up, however the auth process for third party login scripts is worth having a look at if you enjoy this security lark as it solves some interesting problems. http://oauth.net/documentation/getting-started/ is the base technology for it all.
     
    QuarkTheAwesome likes this.