Friday, June 6. 2014
Enabling encryption by default and using HTTPS only
I recently switched my personal web page and my blog to deliver content exclusively encrypted via HTTPS. I want to take this opportunity to give some facts about enabling TLS encryption by default and problems you may face.First of all the non-problems: Enabling HTTPS by default is almost never a significant performance problem. If people tell me that they can not possibly enable HTTPS due to performance reasons the first thing I ask is if they believe this or if they have real benchmark data showing this. If you don't believe me on that, I can quote Adam Langley from Google here: "In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead."
Enabling HTTPS may cause a number of compatibility issues you may not instantly think about. First of all, we know that IPs in the IPv4 space are limited and expensive these days, so many people probably can't afford having a distinct IP for their web page. The solution to that is a TLS extension called SNI (Server Name Indication) which allows to have different certificates for different domain names on the same IP. It works in all major browsers and has been working for quite some time. The only major browser you'll face these days that doesn't support SNI is the Android 2.x browser.
There are some subtle issues with SNI. One is that browsers have fallback modes if they cannot connect via TLS and that may lead to a connection downgrade to SSLv3. And that ancient protocol doesn't support extensions and thus no SNI. So you may have irregular certificate errors if you are on a bad connection. A solution to that on the server side is to just disable SSLv3. It will make SNI much more reliable.
I don't really have a clear picture how many browsers will fail with SNI. There are probably a number of embedded devices out there like smart TVs with browsers or things alike that have problems. If you have any experiences feel free to post them in the comments.
The first issue I only noticed after I switched to HTTPS: I had an application called RSS Graffiti set up to automatically post all articles I write to a facebook fan page. After changing to HTTPS only it silently stopped working. Re-adding my feed didn't work. I now found a similar service called dlvr.it that I now use to post my RSS feed to facebook. I can only assume that this is a glimpse of a much bigger problem: There are probably tons of applications and online services out there not prepared for an encrypted Internet. If we want more people to deploy encryption by default we need to find these issues, document them and hopefully put enough pressure on their developers to fix them.
Another yet unfixed issue is the Yandex Bot. Yandex is a search engine and although you may never have heard of it it's probably one of the few companies in this area that can claim to be a serious competitor to Google. The reason you may not know it is that it's mostly operating in Russian language. Depending on who your page visitors are this may matter more or less.
The Yandex Bot speaks SSL but according to the Qualys SSL test it only supports the ancient SSLv3. So you have a choice between three possibilities: Don't enable HTTPS by default, enable HTTPS with a shitty configuration supporting ancient technology that will cause trouble for SNI or enable HTTPS with a sane configuration and get no traffic from the leading Russian search engine. None of them sounds very good to me.
Another issue is third party content. For security reasons today's browsers block all active HTTP content (CSS, JavaScript etc.) on HTTPS webpages. This isn't much of a problem for me, but it's a problem for webpages that rely on advertising because from what I hear most advertisement providers don't support HTTPS yet (Google being a laudable exception here). This is the main reason you won't see many news webpages enforcing HTTPS. However, I still have passive third party HTTP content on my blog. That's why you'll probably see a yellow warning sign in front of the URL in some browsers.
Comments
Display comments as
(Linear | Threaded)
Your blog is public.
Any information on it can be accessed by anyone. Public copies are available from Google Cache and elsewhere. Nobody needs to type in their email address in a comment if they feel that's secret information. And they would not change opinion because of SSL. I doubt they trust your MySQL on that shared Hetzner box more than your Class 2 Cert from StartCom. So there is no content to protect (secrecy aspect of security). Integrity is not an issue as there is no realistic attack scenario that would compromise communication to your site to inject e.g. a fake blog entry. But Availability is an issue as you want to reach as many users as possible. That's probably why you blog in the first place. Your audience includes people on Android and Russian native speakers that use Yandex to find your content. Or people that use simple RSS feed readers that choke on your SSL setup. Or any SSL setup. So forcing SSL for non-authenticate users (so not your Serendipity /admin) is counter-productive. It's a "but, but ... I need to do something" reaction of the helpless geek in the Post-Snowdon era.
The only - slight advantage - I can see is that most spam bots won't bother with your TLS setup. So you get less spam. But I doubt that's worth it.
BTW: You're not protecting users from injected scripts through making your content any "securely" available.
1) That would only be worth it if there wasn't any other sites your users access in plain HTTP and
2) SSL certs would be worth anything still.
You also include plain http content. E.g. http://api.flattr.com/js/0.6/load.js so that's easy to man-in-the middle and get a script loaded into your "secure" DOM.
Any information on it can be accessed by anyone. Public copies are available from Google Cache and elsewhere. Nobody needs to type in their email address in a comment if they feel that's secret information. And they would not change opinion because of SSL. I doubt they trust your MySQL on that shared Hetzner box more than your Class 2 Cert from StartCom. So there is no content to protect (secrecy aspect of security). Integrity is not an issue as there is no realistic attack scenario that would compromise communication to your site to inject e.g. a fake blog entry. But Availability is an issue as you want to reach as many users as possible. That's probably why you blog in the first place. Your audience includes people on Android and Russian native speakers that use Yandex to find your content. Or people that use simple RSS feed readers that choke on your SSL setup. Or any SSL setup. So forcing SSL for non-authenticate users (so not your Serendipity /admin) is counter-productive. It's a "but, but ... I need to do something" reaction of the helpless geek in the Post-Snowdon era.
The only - slight advantage - I can see is that most spam bots won't bother with your TLS setup. So you get less spam. But I doubt that's worth it.
BTW: You're not protecting users from injected scripts through making your content any "securely" available.
1) That would only be worth it if there wasn't any other sites your users access in plain HTTP and
2) SSL certs would be worth anything still.
You also include plain http content. E.g. http://api.flattr.com/js/0.6/load.js so that's easy to man-in-the middle and get a script loaded into your "secure" DOM.
Actually there are some real gains from using HTTPS even on public read-only websites. One is protecting all kinds of metadata. An attacker will still see that someone is reading my blog, but he won't see what subpages someone is accessing. Also HTTPS protects from modification of the webpage content by an active adversary (which could be everything from changing texts to embedding malware).
But I admit these are most likely minor issues. The reason I'm doing this is that I think we need early adopters for encryption by default. I am deeply convinced we need to get more and better crypto out of the door. Unlike large webpage providers I can afford to loose a few readers and I still can help out identifying potential problems. I started 10 years ago enabling TLS-only-access to our mail servers, recently most large German mail providers followed.
Btw., I'm not on a shared hosting Hetzner service, I'm running my own web hosting (which runs on Hetzner servers, but these run an operating system I fully control except for physical access).
Regarding flattr you have a point, however as most browser block mixed content the flattr button probably just won't work for most visitors right now. I'll try to fix that (probably the s9y plugin should be changed to use protocol relative references here).
But I admit these are most likely minor issues. The reason I'm doing this is that I think we need early adopters for encryption by default. I am deeply convinced we need to get more and better crypto out of the door. Unlike large webpage providers I can afford to loose a few readers and I still can help out identifying potential problems. I started 10 years ago enabling TLS-only-access to our mail servers, recently most large German mail providers followed.
Btw., I'm not on a shared hosting Hetzner service, I'm running my own web hosting (which runs on Hetzner servers, but these run an operating system I fully control except for physical access).
Regarding flattr you have a point, however as most browser block mixed content the flattr button probably just won't work for most visitors right now. I'll try to fix that (probably the s9y plugin should be changed to use protocol relative references here).
Interesting!
However to me it looks like the YandexBot does speak SNI and TLS 1.0:
https://www.ssllabs.com/ssltest/viewClient.html?name=YandexBot&version=May%202014
However to me it looks like the YandexBot does speak SNI and TLS 1.0:
https://www.ssllabs.com/ssltest/viewClient.html?name=YandexBot&version=May%202014
Then it seems things have improved. Good to know.
When I wrote this blog entry the Qualys test showed me no connection to the Yandex bot.
When I wrote this blog entry the Qualys test showed me no connection to the Yandex bot.
Seit einem Jahr läuft dieses Blog (und sämtliche anderen Seiten auf crashmail.de) nun mittlerweile als https-only. Ich nutze dafür StartCom Class1 Zertifikate, die eine Gültigkeit von einem Jahr haben und dann erneuert werden müssen. Über das Für und Wide
Tracked: Jun 08, 08:02