Suggestion Redirect to HTTPS / Add HSTS

QuarkTheAwesome

Hey all!

I was playing around with different browsers for an experiment I was doing and was surprised to find that GBATemp will serve all its content over standard HTTP. This is actually the default behaviour for Internet Explorer and Edge (when typing "gbatemp.net" into the URL bar). This opens up users to a wide variety of issues since all GBATemp traffic is unencrypted, including cookies, login information and PMs. Thus, I'm suggesting that HTTPS become a bit more mandatory.

This could be done in a variety of ways. I feel like HSTS is probably the best way to go since there's already good HTTPS set up for GBATemp. HSTS is a protocol where you add a response header and the browser will use HTTPS, completely disallow invalid certificates and will also try to load any mixed content over HTTPS. This is probably the best solution since it'd only require a response header and no other modification. You can find the OWASP cheat sheet on HSTS here. Other options might be a redirect or flatly disabling HTTP (Google has actually done this; you can't connect to it without TLS).

Anyway, it's an issue that needs to be fixed so users who don't know about web security aren't at risk.
 

FAST6191

The current https rules are a complex consideration implemented in htaccess and more and based upon the site needing to be accessible in China and similar countries. It would have been a lot simpler to force https and more desirable but in the end there are a lot of users that would be troubled by it.
Won't do much for IE/Edge but if you knowingly use a crap browser for your day to day internet...
https://www.eff.org/https-everywhere

If you are bothered about logins then there is the Facebook stuff.
 

QuarkTheAwesome

FAST6191 said:
> The current https rules are a complex consideration implemented in htaccess and more and based upon the site needing to be accessible in China and similar countries. It would have been a lot simpler to force https and more desirable but in the end there are a lot of users that would be troubled by it.
> Won't do much for IE/Edge but if you knowingly use a crap browser for your day to day internet...
> https://www.eff.org/https-everywhere
>
> If you are bothered about logins then there is the Facebook stuff.

Wasn't aware that places like China don't have HTTPS; although it makes sense when you think about it. I suppose a system of redirects would be a daunting task...

I've always been a rabid Firefox user, so no IE woes for me. As I mentioned, this was part of an experiment (the results of which prompted me to make this thread) in which two things occurred -
  1. A laptop connected to a WiFi network and loaded GBATemp (in IE, thus HTTP)
  2. A second laptop (which happened to be hosting the network) immediately captured the exchange, noted down the cookies and put them into a browser. When this browser loaded GBATemp, it was logged in with the first laptop's Temp account, despite it never having been given the passwords or anything like that.
I know this is a standard cookie-stealing attack but I still thought it would be worth trying to see if it could be made harder via HTTPS. Facebook logins won't help you here.
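
An added example, not part of any post in this thread: a Python check of one response's headers for the two things the discussion turns on, the HSTS header proposed in the opening post and the session cookie captured over HTTP in the experiment above. The cookie name and all header values are constructed samples, not taken from GBATemp.

```python
# Added example: audit one HTTP response for HSTS and cookie transport flags.
# Header values in the samples are constructed, not captured from a real site.

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(scheme, headers):
    """headers is a list of (name, value) pairs; returns a list of findings."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        findings.append("served over plain HTTP: content and cookies are readable on the network")
        if hsts:
            # RFC 6797 section 8.1: a policy received over HTTP must be ignored.
            findings.append("HSTS header over HTTP is ignored by browsers")
    elif not hsts:
        findings.append("no HSTS header: browser may return over HTTP later")
    else:
        max_age, _ = parse_hsts(hsts[0])
        if not max_age:
            findings.append("HSTS max-age missing or zero: no policy is stored")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: it is also sent on http:// requests")
    return findings


# Constructed sample responses.
HTTP_RESPONSE = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
HTTPS_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]
```

Calling `audit("http", HTTP_RESPONSE)` reports both the plain-HTTP transport and the cookie without `Secure`; `audit("https", HTTPS_RESPONSE)` returns an empty list.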
 

FAST6191

MITM is a powerful tool if you can get it done.

I thought Facebook did a one time auth/token thing. Won't do much for certain types of spoofing but at the same time should miss your

Also it might not help for some of the more exotic LAN based attacks, or when you own the AP, but the newer flavours of WiFi security (WPA2 for instance, and you can play with RADIUS if you really wanted) encrypt on a per user basis rather than a per network basis which stops the standard cookie stealing/coffee shop stuff.
 

QuarkTheAwesome

FAST6191 said:
> Also it might not help for some of the more exotic LAN based attacks, or when you own the AP, but the newer flavours of WiFi security (WPA2 for instance, and you can play with RADIUS if you really wanted) encrypt on a per user basis rather than a per network basis which stops the standard cookie stealing/coffee shop stuff.

True, but owning the AP is a very easy task. For example, the Pineapple (a Linux machine in a box with a funky WiFi card) has a kernel mod that basically imitates any open network. The idea is that the phone asks "are you x open access point" (x being a network the device joined in the past) and the Pineapple will simply respond with "Yes", thus allowing you to own an AP your victim auto-connects to without the user's consent (in most cases).

I haven't tried the Facebook login system; I'd assume it leaves a cookie so you can stay logged in. That cookie might be on Facebook's side though. I agree that MITM is rather cool. It's also the best way to teach someone not to use an open WiFi network.
 

FAST6191

Quite a few devices that people wander out and about with in the world check MAC addresses of access points, seemingly to avoid AP spoofing, and I think there are options to tie it to GPS as well. Much to my annoyance when I thought I would be clever and use the same SSID and security settings and save myself some hassle at a client's once. Granted that does not help the local and there now stuff (yes I really am the restaurant router) but it does help dodge the "anybody seen my home router" issue which is the classic implementation of AP spoofing.

Also being a pedant I have to say it is not just open networks but those which use network level rather than per user encryption -- Firesheep still works on WEP if you know the WEP code (and being WEP you do).

I don't know about Facebook's setup and you probably could still get a cookie if the server owner sets it up, however the auth process for third party login scripts is worth having a look at if you enjoy this security lark as it solves some interesting problems. http://oauth.net/documentation/getting-started/ is the base technology for it all.
 