Suggestion Redirect to HTTPS / Add HSTS

QuarkTheAwesome

🦊
OP
Member
Joined
Apr 19, 2015
Messages
1,023
Trophies
1
Location
Stuck in the PowerPC
Website
heyquark.com
XP
3,914
Country
Australia
Hey all!

I was playing around with different browsers for an experiment I was doing and was surprised to find that GBATemp will serve all its content over standard HTTP. This is actually the default behaviour for Internet Explorer and Edge (when typing "gbatemp.net" into the URL bar). This opens up users to a wide variety of issues since all GBATemp traffic is unencrypted; including cookies, login information and PMs. Thus, I'm suggesting that HTTPS become a bit more mandatory.

This could be done in a variety of ways. I feel like HSTS is probably the best way to go since there's already good HTTPS set up for GBATemp. HSTS is a protocol where you add a response header and the browser will use HTTPS, completely disallow invalid certificates and will also try to load any mixed content over HTTPS. This is probably the best solution since it'd only require a response header and no other modification. You can find the OWASP cheat sheet on HSTS here. Other options might be a redirect or flatly disabling HTTP (Google has actually done this; you can't connect to it without TLS).

Anyway, it's an issue that needs to be fixed so users who don't know about web security aren't at risk.
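As an added worked example (not code from the thread or from GBATemp itself), here is what the suggestion above amounts to in practice: a small WSGI middleware that redirects plain-HTTP requests to HTTPS and attaches a Strict-Transport-Security header to HTTPS responses, plus an auditor that checks a response for the two things the post worries about, a sound HSTS policy (max-age of at least a year, subdomains included, per the OWASP cheat sheet) and session cookies that lack the Secure flag. The host name, cookie value and the stand-in forum app are constructed for the demonstration.

```python
"""Added example, not part of the original thread: enforce HTTPS with a
redirect plus HSTS, and audit a response for HSTS and cookie Secure flags.
Host names, cookie values and the forum stand-in are constructed."""

from typing import Dict, List, Tuple
from urllib.parse import quote

ONE_YEAR = 31536000  # OWASP HSTS cheat sheet suggests a max-age of at least a year


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max-age"] = int(arg.strip().strip('"'))
            except ValueError:
                policy["max-age"] = None
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for the headers of an HTTPS response (empty list = clean)."""
    findings: List[str] = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        policy = parse_hsts(hsts[0])
        age = policy.get("max-age")
        if age is None:
            findings.append("HSTS max-age missing or unparsable")
        elif age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")
        if not policy.get("includesubdomains"):
            findings.append("HSTS does not include subdomains")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:   # cookie would still be sent over plain HTTP
                findings.append(f"cookie {name} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def https_enforcer(app, max_age: int = ONE_YEAR):
    """WSGI middleware: 301 plain-HTTP requests to HTTPS, add HSTS to HTTPS responses."""
    hsts_value = f"max-age={max_age}; includeSubDomains"

    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST", "")
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful on an HTTPS response; browsers ignore it on HTTP.
            return start_response(status, list(headers) +
                                  [("Strict-Transport-Security", hsts_value)], exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def forum_app(environ, start_response):
    """Constructed stand-in for the forum: sets a session cookie without Secure."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
    return [b"hello"]


def call(app, environ) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Minimal WSGI driver for offline use: returns (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


if __name__ == "__main__":
    app = https_enforcer(forum_app)
    env = {"wsgi.url_scheme": "http", "HTTP_HOST": "forum.example",
           "PATH_INFO": "/threads/1", "QUERY_STRING": "page=2"}
    print(call(app, env)[:2])                       # 301 to https://forum.example/...
    status, headers, _ = call(app, dict(env, **{"wsgi.url_scheme": "https"}))
    print(status, audit_headers(headers))           # HSTS present; cookie still lacks Secure
```

The audit on the HTTPS response still flags the cookie: HSTS stops a browser that has seen the header from ever sending the cookie over plain HTTP, but the Secure attribute covers the first visit before the header has been cached, so the two belong together.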

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,375
Country
United Kingdom
The current https rules are a complex consideration implemented in htaccess and more and based upon the site needing to be accessible in China and similar countries. It would have been a lot simpler to force https and more desirable but in the end there are a lot of users that would be troubled by it.
Won't do much for IE/edge but if you knowingly use a crap browser for your day to day internet...
https://www.eff.org/https-everywhere

If you are bothered about logins then there is the facebook stuff.

QuarkTheAwesome

FAST6191 said:
The current https rules are a complex consideration implemented in htaccess and more and based upon the site needing to be accessible in China and similar countries. It would have been a lot simpler to force https and more desirable but in the end there are a lot of users that would be troubled by it.
Won't do much for IE/edge but if you knowingly use a crap browser for your day to day internet...
https://www.eff.org/https-everywhere

If you are bothered about logins then there is the facebook stuff.

Wasn't aware that places like China don't have HTTPS; although it makes sense when you think about it. I suppose a system of redirects would be a daunting task...

I've always been a rabid Firefox user, so no IE woes for me. As I mentioned, this was part of an experiment (the results of which prompted me to make this thread) in which two things occurred -
  1. A laptop connected to a WiFi network and loaded GBATemp (in IE, thus HTTP)
  2. A second laptop (who happened to be hosting the network) immediately captured the exchange, noted down the cookies and put them into a browser. When this browser loaded GBAtemp, it was logged in with the first laptop's Temp account, despite it never having been given the passwords or anything like that.
I know this is a standard cookie-stealing attack but I still thought it would be worth trying to see if it could be made harder via HTTPS. Facebook logins won't help you here.

FAST6191

mitm is a powerful tool if you can get it done.

I thought facebook did a one time auth/token thing. Won't do much for certain types of spoofing but at the same time should miss your

Also it might not help for some of the more exotic LAN based attacks, or when you own the AP, but the newer flavours of wifi security (WPA2 for instance, and you can play with radius if you really wanted) encrypt on a per user basis rather than a per network basis which stops the standard cookie stealing/coffee shop stuff.

QuarkTheAwesome

FAST6191 said:
Also it might not help for some of the more exotic LAN based attacks, or when you own the AP, but the newer flavours of wifi security (WPA2 for instance, and you can play with radius if you really wanted) encrypt on a per user basis rather than a per network basis which stops the standard cookie stealing/coffee shop stuff.

True, but owning the AP is a very easy task. For example, the Pineapple (a linux machine in a box with a funky WiFi card) has a kernel mod that basically imitates any open network. The idea is that the phone asks "are you x open access point" (x being a network the device joined in the past) and the Pineapple will simply respond with "Yes", thus allowing you to own an AP your victim auto-connects to without the user's consent (in most cases).

I haven't tried the Facebook login system; I'd assume it leaves a cookie so you can stay logged in. That cookie might be on Facebook's side though. I agree that MiTM is rather cool. It's also the best way to teach someone not to use an open WiFi network.

FAST6191

Quite a few devices that people wander out and about with in the world check mac addresses of access points, seemingly to avoid AP spoofing, and I think there are options to tie it to GPS as well. Much to my annoyance when I thought I would be clever and use the same SSID and security settings and save myself some hassle at a client's once. Granted that does not help the local and there now stuff (yes I really am the restaurant router) but it does help dodge the "anybody seen my home router" issue which is the classic implementation of AP spoofing.

Also being a pedant I have to say it is not just open networks but those which use network level rather than per user encryption -- firesheep still works on WEP if you know the WEP code (and being WEP you do).

I don't know about facebook's setup and you probably could still get a cookie if the server owner sets it up, however the auth process for third party login scripts is worth having a look at if you enjoy this security lark as it solves some interesting problems. http://oauth.net/documentation/getting-started/ is the base technology for it all.