HTTP Strict Transport Security
- Posts: 6
- Joined: Tue Apr 23, 2019 8:05 pm
HTTP Strict Transport Security
Has webDiplomacy considered implementing HTTP Strict Transport Security (HSTS)? If I type webdiplomacy.net into any of my browsers, I am directed to http://webdiplomacy.net. However, explicitly writing https://webdiplomacy.net will establish a secure connection with a certificate from Let's Encrypt (good choice; the creator is a professor at my university). Implementing HSTS will force all http connections up to https, providing a more secure experience and ridding us of the red "Not secure" message.
Re: HTTP Strict Transport Security
I also need (well, "prefer") secure https because I use Lookout for Android's "safe browsing feature". I can type https to get to the main page, but often when I click a game link the browser is automatically reverting to http (non-secure) and the page will not load for me with Lookout's safe browsing feature active.
- Posts: 16
- Joined: Fri Sep 29, 2017 3:26 pm
Re: HTTP Strict Transport Security
Yes, that is the one. The change just got merged into master:
https://github.com/EFForg/https-everywhere/pull/17683
Probably won't be long until we see it (I see the current rules in Firefox are dated April 16th).
- Posts: 6
- Joined: Tue Apr 23, 2019 8:05 pm
Re: HTTP Strict Transport Security
I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.
Re: HTTP Strict Transport Security
Polycarp_of_Smyrna wrote: Wed Apr 24, 2019 6:45 pm
    I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.

It is a plugin that effectively does URL rewriting in the client to change http to the corresponding https URL where server-side techniques to switch to https (like HSTS) are not supported. The http-https mappings are defined in a set of rules which are loaded by the client web browser. Both Firefox and Chrome are supported. It is free and open source and is intended for use by everyone that wants to be more secure on the web. EFF also has other plugins/tools to provide more security on the web, like PrivacyBadger, which is a bit like Ghostery.
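As an added illustration of the client-side rewriting described in the post above (example code written for this page, not EFF's extension and not the webDiplomacy ruleset from the pull request linked earlier), here is a small Python model of an HTTPS Everywhere-style ruleset. The XML, the host example.net and the rules are constructed; the target, exclusion and rule elements follow the shape of the extension's rulesets, and the JavaScript-style $1 backreference in the "to" attribute is translated to Python's \1 before use.

```python
"""A client-side rewriter in the style of an HTTPS Everywhere ruleset. Added example
written for this page: not EFF's code and not the webDiplomacy ruleset; XML is constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset for a hypothetical site, in the XML shape the extension loads.
RULESET_XML = r"""
<ruleset name="Example site">
  <target host="example.net" />
  <target host="*.example.net" />
  <exclusion pattern="^http://legacy\.example\.net/" />
  <rule from="^http://(www\.)?example\.net/" to="https://$1example.net/" />
  <rule from="^http:" to="https:" />
</ruleset>
"""


class Ruleset:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        self.name = root.get("name")
        self.targets = [t.get("host").lower() for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
        # The 'to' side uses JavaScript-style $1 backreferences; rewrite them as \1 for re.sub.
        self.rules = [(re.compile(el.get("from")), re.sub(r"\$(\d+)", r"\\\1", el.get("to")))
                      for el in root.findall("rule")]

    def targets_host(self, host):
        for target in self.targets:
            if target.startswith("*."):
                # a wildcard target covers every subdomain but not the bare domain itself
                if host.endswith(target[1:]) and host != target[2:]:
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """The URL the client would load instead of url, or url unchanged."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "http" or not self.targets_host(host):
            return url                                  # not covered: left alone
        if any(ex.search(url) for ex in self.exclusions):
            return url                                  # explicitly kept on http
        for pattern, repl in self.rules:
            if pattern.search(url):
                return pattern.sub(repl, url, count=1)  # first matching rule wins
        return url


if __name__ == "__main__":
    rs = Ruleset(RULESET_XML)
    for u in ("http://example.net/games", "http://www.example.net/games",
              "http://legacy.example.net/old", "http://example.org/"):
        print(f"{u:35} -> {rs.rewrite(u)}")
```

What the model makes visible is the limitation the next posts argue about: nothing happens unless the user's own browser has the rules loaded, every host and exclusion has to be enumerated by hand, and a request to a host the ruleset does not cover still leaves over http. HSTS moves that decision to the server and to every browser that visits.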
- Posts: 6
- Joined: Tue Apr 23, 2019 8:05 pm
Re: HTTP Strict Transport Security
flash2015 wrote: Wed Apr 24, 2019 8:46 pm
    Polycarp_of_Smyrna wrote: Wed Apr 24, 2019 6:45 pm
        I am not familiar with this program but it appears to be a plugin that the client uses. That means that only users who have the plugin installed will be protected. If the site implements HSTS, every user will be protected.
    It is a plugin that effectively does URL rewriting in the client to change http to the corresponding https URL where server-side techniques to switch to https (like HSTS) are not supported. The http-https mappings are defined in a set of rules which are loaded by the client web browser. Both Firefox and Chrome are supported. It is free and open source and is intended for use by everyone that wants to be more secure on the web. EFF also has other plugins/tools to provide more security on the web, like PrivacyBadger, which is a bit like Ghostery.

That is what I expected. However, I do not think that it is a good solution. If I learned anything in my computer security course (besides that hashing is not encryption), it is that security should not be left to individual users; it needs to be standardized from the central source. I believe that it would be better for webDiplomacy to implement HSTS than to rely on users to manage their own security.
- Site Contributor
- Posts: 245
- Joined: Tue Mar 14, 2017 8:44 pm
Re: HTTP Strict Transport Security
webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.
- Lifetime Site Contributor
- Posts: 1099
- Joined: Fri Sep 29, 2017 4:20 pm
- Chaqa
- Bronze Donator
- Posts: 14306
- Joined: Fri Sep 29, 2017 7:33 pm
- Location: Allentown, PA, USA
Re: HTTP Strict Transport Security
I always have an issue where links some people post log me out of the site. Is it related?
- Posts: 6
- Joined: Tue Apr 23, 2019 8:05 pm
Re: HTTP Strict Transport Security
Peregrine Falcon wrote: Thu Apr 25, 2019 4:05 am
    webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.

That is not necessarily secure. It is still susceptible to downgrade attacks (forcing https to unsecured http). If HSTS is implemented, compliant (essentially all) browsers will refuse to connect if an https connection is not established.
Note that this has the potential drawback of no one being able to use the site if the certificate lapses until it is renewed.
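To make the two claims in the post above concrete (a redirect alone can be stripped by someone on the network path, and an HSTS host with a bad certificate is hard-blocked rather than click-through-able), here is an added Python model of the browser side of RFC 6797 together with a simulated network. It is example code written for this page, not webDiplomacy's code and not any browser's; the host name example.net, the responses, the one-year max-age and the certificate failures are all constructed. It also covers the first post's point that HSTS upgrades a typed http URL to https before any request is sent.

```python
"""Browser-side HSTS (RFC 6797) modelled end to end, plus a simulated attacker on the plaintext path. Added example, not webDiplomacy code; host, responses and certs are constructed."""

class HstsStore:
    """Known HSTS hosts: host -> (expires_at, include_subdomains)."""
    def __init__(self):
        self._hosts = {}

    @staticmethod
    def parse(header):
        max_age, subs = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip()
            if name == "max-age":
                if not value.isdigit():
                    return None                  # malformed: ignore the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                subs = True
        return None if max_age is None else (max_age, subs)

    def process_response(self, host, scheme, headers, now):
        # RFC 6797 s8.1: honoured only over https with a valid cert; ignored on http.
        if scheme != "https" or "Strict-Transport-Security" not in headers:
            return
        parsed = self.parse(headers["Strict-Transport-Security"])
        if parsed is None:
            return
        max_age, subs = parsed
        if max_age == 0:
            self._hosts.pop(host, None)          # max-age=0 means "forget me"
        else:
            self._hosts[host] = (now + max_age, subs)

    def is_known(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):             # exact host, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

class CertError(Exception):
    pass

class FakeNetwork:
    """Constructed network. An attacker, if present, owns only the plaintext path: he
    answers port 80 himself (sslstrip style) but cannot forge the site's certificate."""
    HSTS = "max-age=31536000; includeSubDomains"
    def __init__(self, attacker=False, cert_valid=True):
        self.attacker, self.cert_valid, self.seen = attacker, cert_valid, []

    def fetch(self, scheme, host, path):
        if scheme == "http":
            if self.attacker:
                self.seen.append(path)
                return 200, {}, "attacker's plaintext copy of " + path
            return 301, {"Location": f"https://{host}{path}"}, ""
        if not self.cert_valid:
            raise CertError(host)
        return 200, {"Strict-Transport-Security": self.HSTS}, "genuine page " + path

class Browser:
    def __init__(self, net):
        self.net, self.hsts = net, HstsStore()

    def navigate(self, url, now=0):
        scheme, _, rest = url.partition("://")
        host, _, path = rest.partition("/")
        for _ in range(5):                       # bounded redirect following
            if scheme == "http" and self.hsts.is_known(host, now):
                scheme = "https"                 # upgraded before any bytes are sent
            try:
                status, headers, body = self.net.fetch(scheme, host, "/" + path)
            except CertError:
                if self.hsts.is_known(host, now):
                    return "BLOCKED: HSTS host with certificate error, no override offered"
                return "WARNING: certificate error, user may click through"
            self.hsts.process_response(host, scheme, headers, now)
            if status not in (301, 302, 307, 308):
                return body
            scheme, _, rest = headers["Location"].partition("://")
            host, _, path = rest.partition("/")
        return "ERROR: too many redirects"

def run_scenarios(site="example.net"):
    r, b = {}, Browser(FakeNetwork())
    r["first_visit"] = b.navigate(f"http://{site}/")            # 1. honest first visit
    r["learned"] = b.hsts.is_known(site, now=0)
    b.net = FakeNetwork(attacker=True)                          # 2. attacker shows up later
    r["with_hsts"] = b.navigate(f"http://{site}/game/1", now=86400)
    r["attacker_saw"] = list(b.net.seen)
    fresh = Browser(FakeNetwork(attacker=True))                 # 3. browser never saw the policy
    r["no_hsts"] = fresh.navigate(f"http://{site}/game/1")
    r["attacker_saw_fresh"] = list(fresh.net.seen)
    b.net = fresh.net = FakeNetwork(cert_valid=False)           # 4. lapsed certificate
    r["hsts_cert_error"] = b.navigate(f"https://{site}/", now=86400)
    r["plain_cert_error"] = fresh.navigate(f"https://{site}/")
    r["subdomain"] = b.hsts.is_known("www." + site, now=86400)  # 5. includeSubDomains
    r["expired"] = b.hsts.is_known(site, now=86400 + 31536000)  # max-age elapsed
    return r
```

Scenario 3 is the caveat the thread does not spell out: the policy protects only after the browser has seen the header once over a valid https connection (or the host is on the browsers' built-in preload list), so the very first plaintext visit is still exposed to exactly the stripping attack described. Scenario 4 shows the drawback the post notes from both sides: for a known HSTS host the browser offers no override, while a browser without the policy still shows a warning the user can click through.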
Re: HTTP Strict Transport Security
Yes. You were probably logged in with webdiplomacy.net and then clicked a link to www.webdiplomacy.net. The login cookies are currently not shared between these domains.
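As an added example of why that happens (written for this page; not webDiplomacy's code, and the Set-Cookie lines are constructed rather than how the site actually sets its session cookie), here are the RFC 6265 rules a browser applies when storing and sending a cookie, in Python. A cookie set without a Domain attribute is host-only and goes back only to the exact host that set it, so a session from webdiplomacy.net is not presented to www.webdiplomacy.net; a Domain=webdiplomacy.net attribute would cover both hosts, and the Secure attribute keeps it off any remaining http requests.

```python
"""Why a login cookie set by the apex host is not sent to the www host: the
host-only flag and Domain attribute from RFC 6265, modelled directly. Added
example, not webDiplomacy's code; the Set-Cookie lines are constructed."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # lower-case, no leading dot
    host_only: bool    # True when the server sent no Domain attribute
    secure: bool
    path: str


def domain_matches(request_host, cookie_domain):
    """RFC 6265 s5.1.3: identical, or the request host ends with '.' + cookie domain."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header, request_host):
    """Store-time rules (s5.3). Returns None when the browser would reject the cookie."""
    name_value, *attrs = (p.strip() for p in header.split(";"))
    name, _, value = name_value.partition("=")
    domain, host_only, secure, path = request_host.lower(), True, False, "/"
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain, host_only = val.lstrip(".").lower(), False   # leading dot is ignored
        elif key == "secure":
            secure = True
        elif key == "path" and val.startswith("/"):
            path = val
        # HttpOnly only affects script access, not which requests carry the cookie.
    # A server may only set cookies for its own host or a parent domain of it
    # (public-suffix checks, e.g. refusing Domain=net, are omitted here).
    if not host_only and not domain_matches(request_host, domain):
        return None
    return Cookie(name.strip(), value, domain, host_only, secure, path)


def cookies_for_request(jar, request_host, scheme, path="/"):
    """Names of the cookies a browser would attach to this request (s5.4)."""
    sent = []
    for c in jar:
        if c.host_only and request_host.lower() != c.domain:
            continue                                   # host-only: exact host match
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue
        if c.secure and scheme != "https":
            continue                                   # Secure: never over plaintext
        prefix = c.path if c.path.endswith("/") else c.path + "/"
        if path != c.path and not path.startswith(prefix):
            continue
        sent.append(c.name)
    return sent
```

Note the second half of the trade-off: a cookie scoped to the parent domain is also sent to every other subdomain, so widening the Domain attribute is only sensible once all the hostnames mentioned earlier in the thread are under the same control and all redirect to https.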
Re: HTTP Strict Transport Security
Polycarp_of_Smyrna wrote: Thu Apr 25, 2019 12:48 pm
    Peregrine Falcon wrote: Thu Apr 25, 2019 4:05 am
        webDip has a few redirecting issues. It's currently possible to access the site through five different urls and three different logins. I think the plan is to eventually route them all to either https://webdiplomacy.net or https://www.webdiplomacy.net.
    That is not necessarily secure. It is still susceptible to downgrade attacks (forcing https to unsecured http). If HSTS is implemented, compliant (essentially all) browsers will refuse to connect if an https connection is not established.
    Note that this has the potential drawback of no one being able to use the site if the certificate lapses until it is renewed.

I was looking at Let's Encrypt recently; if you have a host which supports it, you can have it automatically refresh your certs. And it being free is a good plus.
Not sure about the host support though. My host may have sketchy support.