Security - Add an appropriate SSL-Cert
Thursday, March 9, 2017 - 13:52
Hello,
every webpage, that is providing a login, should be protected with a working SSL-Cert! Otherwise everyone in the same wifi/network can steal logins or session cookies! There are several other scenarios that apply here!
The current Cert is twice invalid:
The certificate is not trusted because it is self-signed. The certificate expired on 13.07.2016 21:31. The current time is 09.03.2017 22:42.
For example: Let's encrypt offers free certificates.
If you installed a valid cert, make sure to set the secure flag at the session-cookie :)
Is this true? I don't get any warning when logging into the site, typically a browser would pop a warning if the cert was self signed and/or expired.
https://withthelove.itch.io/
Yes, it is true! The complete login process is handled via http, and afterwards no secure connection is used, ever! Therefore you see no warning, because no SSL-Cert is ever loaded to secure the connection... Just look at the current url you are on!
Visit https://opengameart.org/ for secure connection...
yuck! I guess I've always assumed SSL was used for the login bits on OGA but it sounds like SSL is only used if you connect to the HTTPS port, is that correct?
https://withthelove.itch.io/
@capbros yes! With http the browser connects to the server on port 80 and with https it connects on the port 443. Connecting on port 443 adds a transport security layer
As I can see, the certificate is now up to date. But with a quick view I found two todos:
1. With https the previews of all art are broken:
how it is now:
https://opengameart.org/sites/default/files/styles/watermarked/public/st...
How it should be:
https://opengameart.org/sites/default/files/styles/thumbnail/public/Prev...
2.
The login is not with forced https.
Currently the login credentials are sent with http and the user never sees https, if he starts with http. In addition to this if he manually goes to https and is logged in at http, he will not be logged in at https.
Yikes! #2 is definitely a pretty big security no-no. Means all usernames and passwords are sent clear text without any encryption and could be easily read by anyone sniffing traffic along the route from user to OGA server. Feeling pretty glad I use a different username and password on this site than anywhere else.
I'll add that the concern goes beyond general internet security concerns. OGA has made a few enemies over the years. I'd hate to see a disgruntled user wreak havoc on the site by exploiting such an obvious security flaw.
Isn't there some way HTTP users can be directed through the HTTPS server for the login process? That's a pretty common arrangement, although I notice all HTTPS/SSL is actually becoming even more common these days.
https://withthelove.itch.io/
Yes, there is an easy solution.
Just change the login form.
From:
<form action="/node?destination=node" method="post" id="user-login-form" accept-charset="UTF-8" class="compact-form">
To:
<form action="https://opengameart.org/node?destination=node" method="post" id="user-login-form" accept-charset="UTF-8" class="compact-form">
But before changing this line, all other bugs should be fixed^^
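An added audit check (example code written for this thread, not code from OGA or from any poster) covering the three points raised in this post and in the first one: a plain-http request is redirected to https, the session cookie carries the Secure flag, and the login form posts to an https URL even when its action is relative. The three response samples are constructed to mirror the before and after states described in the thread; in practice the dicts would be filled from a real fetch.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample responses (not real captures): the "before" state the thread
# describes, and the redirect plus https page it ends with.
INSECURE_PAGE = {
    "url": "http://opengameart.org/", "status": 200,
    "set_cookie": ["SESSexample=abc; path=/; HttpOnly"],
    "body": '<form action="/node?destination=node" method="post" '
            'id="user-login-form" accept-charset="UTF-8" class="compact-form">',
}
HTTP_REDIRECT = {"url": "http://opengameart.org/", "status": 301,
                 "location": "https://opengameart.org/", "set_cookie": [], "body": ""}
SECURE_PAGE = {
    "url": "https://opengameart.org/", "status": 200,
    "set_cookie": ["SESSexample=abc; path=/; HttpOnly; Secure"],
    "body": '<form action="https://opengameart.org/node?destination=node" method="post" '
            'id="user-login-form" accept-charset="UTF-8" class="compact-form">',
}

FORM_RE = re.compile(r'<form[^>]*\bid="user-login-form"[^>]*>', re.I)
ACTION_RE = re.compile(r'\baction="([^"]*)"', re.I)

def cookie_flags(set_cookie):
    """Return (cookie name, lowercase set of attribute names) from a Set-Cookie value."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    return first.split("=", 1)[0], {a.split("=", 1)[0].lower() for a in attrs}

def audit_login_page(resp):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # 1. A plain-http request must be answered with a redirect to https.
    if urlparse(resp["url"]).scheme == "http":
        loc = resp.get("location", "")
        if not (300 <= resp["status"] < 400 and urlparse(loc).scheme == "https"):
            findings.append("http request served directly instead of redirected to https")
    # 2. Every session cookie must carry the Secure flag (HttpOnly is a bonus).
    for raw in resp["set_cookie"]:
        name, flags = cookie_flags(raw)
        if "secure" not in flags:
            findings.append(f"cookie {name} set without Secure flag")
    # 3. The login form must post to https, after resolving a relative action.
    form = FORM_RE.search(resp["body"])
    if form:
        action = ACTION_RE.search(form.group(0))
        target = urljoin(resp["url"], action.group(1) if action else "")
        if urlparse(target).scheme != "https":
            findings.append(f"login form posts credentials to {target}")
    return findings
```

Run `audit_login_page` over each sample: the insecure page yields three findings, the redirect and the https page yield none.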
Bart is aware of the issue and I believe he's still working on it. Botanic has also had a quick go at it. There are apparently some odd Drupal conflicts involved.
Thanks for making the previews work with SSL! This a great step forward.
Hey I notice that I am now automatically redirected to the SSL version of the site now even if I try to go directly to http://www.opengameart.org
And Google Chrome is now accepting the site's cert!
So it looks like:
Cert has been fixed
ALL traffic now runs through the SSL version of the site
Meaning everything's secured, encrypted, etc.
YAY! Bravo to whomever had a hand in making this happen! :)
https://withthelove.itch.io/
Firefox, the same.
There is no mixed content now. Good job.
Nice work, our lovely platform is now more secure! :)
Keep on being awesome ^^