Geekzone SSL, sessions reset

Forums › Geekzone › Geekzone SSL, sessions reset

freitasm

BDFL - Memuneh
78934 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#214562 17-May-2017 19:52

Hello folks

Some of the more observant may have noticed a change on Geekzone tonight. We have moved the (very) few pages still being served over HTTP to HTTPS - this means the frontpage and forums (other pages have been served on HTTPS for some time now).

I have also reset all your sessions because I have changed cookies to be marked as "Secure" from now on. This means that even if you request a HTTP page on Geekzone cookies (such as session identification) won't be sent from your browser - only when the redirection to HTTPS happens will the cookies be sent. This guarantees your sessions are now secure and shouldn't face the risk of hijacking (unless a MITM attack happens).

Our mobile site has been moved to HTTPS last week.

Some links will still show "http://www.geekzone.co.nz" but will automatically redirect to the correct https: schema (including email notifications and RSS feeds). I will be changing this over slowly this week.

Most pages will show as "Secure" in your browsers. Some pages might show "Mixed content" warnings if someone inserted a third-party image that is not served using the HTTPS schema. This includes those Speedtest results in your signatures. Don't worry, the page itself is still secure, just those elements aren't being served over HTTPS.

You should see another speed improvement for those using browsers supporting SPDY or HTTP/2 protocols.

If you see something "interesting" happening, please let me know.

My technology disclosure

1 | 2

2030 posts

Uber Geek

ID Verified

Lifetime subscriber

#1783877 17-May-2017 20:14

Explains why I had to log in again I'm assuming :)

Tradepub

Free professional, reference and technical white papers (affiliate link).

jamesrt

1576 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1783881 17-May-2017 20:40

allan: Explains why I had to log in again I'm assuming :)

Yes, that will be the "reset all your sessions".

michaelmurfy

meow
13166 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1783882 17-May-2017 20:42

It is a shame that Speedtest doesn't allow for SSL connections else you could do a find and replace on many things to convert them to SSL.

However, congrats!

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

freitasm

BDFL - Memuneh
78934 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1783885 17-May-2017 20:46

michaelmurfy:

It is a shame that Speedtest doesn't allow for SSL connections else you could do a find and replace on many things to convert them to SSL.

They do. Just that their "Copy link" button offers the HTTP version and most people will just use that...

My technology disclosure

blakamin

4431 posts

Uber Geek
Inactive user

#1783888 17-May-2017 20:55

Dammit... now I have to login on my phone and tablet again with 2FA... pain in the A :D

gehenna

8428 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#1783898 17-May-2017 21:17

blakamin:

Dammit... now I have to login on my phone and tablet again with 2FA... pain in the A :D

Use Authy it's great.

freitasm

BDFL - Memuneh
78934 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1783910 17-May-2017 21:25

Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

My technology disclosure

dfnt

1502 posts

Uber Geek

Lifetime subscriber

#1783912 17-May-2017 21:27

Another +1 for Authy

freitasm

BDFL - Memuneh
78934 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1784033 18-May-2017 09:58

This is the difference in % of HTTP/S traffic served in the last six hours (overnight), compared to last month:

As search indexes are updated, RSS feeds change, people bookmark new URLs we should see this increase to around 90%. We will still have some non-HTTPS requests but those will be redirected.

My technology disclosure

DarthKermit

5346 posts

Uber Geek

Trusted

#1784035 18-May-2017 10:09

Must be time for a new GZ badge: "Congrats, you're on SSL exclusively now." or something like that.

freitasm

BDFL - Memuneh
78934 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1784063 18-May-2017 10:54

Some more background information posted on my LinkedIn page and reproduced below:

Last night I switched Geekzone (www.geekzone.co.nz) to full HTTPS support. And slowly traffic over SSL is going up (as per image in the header, comparing last six hours overnight vs last month).

Up until now we only used SSL for login, registration, private messages and profile pages plus assets (images, CSS and scripts).

Now everything is covered.

I started using SSL many years ago and wanted to have the site fully served over HTTPS for quite a while. Started by enforcing HTTPS on some content-sensitive pages and moving assets to HTTPS domains, including redirects to ensure clients used the correct schema. Last week I deployed an update for Geekzone mobile to make sure it worked on HTTPS and yesterday I did the same on the full desktop version of the site.

Also included in this change is the addition of a "Secure" flag to cookies used on these domains. This ensures cookies only move between the client browser and server when there's a secure connection. If anyone requests http://www.geekzone.co.nz instead of https://www.geekzone.co.nz the server will instruct the browser to redirect to the correct location while the browser knows not to disclose the cookies until the secure connection is established. This is essential to avoid session hijacking (unless of course we talk MITM attacks, of course).

Why have all this trouble for a forum? Because we have lots of industry (telcos mainly but other companies around too) people using the site. Account numbers, PIN and passwords are sometimes sent via our private message system (which has been served using the HTTPS schema for quite a while) so it makes sense to extend this to the whole site.

In addition to this, for the last few months I have been using ThisData to collect, analyse and understand user behaviour around the site, in real-time, to quickly determine if an account could've been compromised. Up until now we were using it in "read mode" and tracking notifications. Last week I changed the webhook/API to actually start closing sessions and blocking IP addresses if a user confirms a breach occurred.

ThisData receives millions of transactions reports (login, logout, forum post, message sent, message read, password change, new registration, avatar change, invalid password, etc) from us every month and uses machine learning to observe and assign a "risk" to each transaction. Based on this risk result our forum software can take different actions to protect our users - like the ones I described in the previous paragraph.

I have also added a Geekzone ruleset to the HTTPS Everywhere project. This ensures that browsers using the HTTPS Everywhere add-ons will know to use the HTTPS schema instead of HTTP even if the source explicitly refer to the HTTP version (including references to any Geekzone resource served in non-Geekzone pages). This is important because Cloudflare also uses the same ruleset when doing the automatic HTTPS upgrade for some of their millions of clients around the Internet.

We also use other platforms to prevent spammers and scammers joining the site. One or another can sometimes get past all this protection but our moderator team is pretty quick to act and our community is really good at reporting suspicious behaviour.

There are lots more to be done, for sure. But it feels good when all this falls into place.

My technology disclosure

PolicyGuy

1702 posts

Uber Geek

ID Verified

Lifetime subscriber

#1784599 19-May-2017 09:33

freitasm:

Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

Having done ~30 seconds research, I think I agree with you.
Trouble is, I'm already using Google Authenticator for 2FA on this site (and one or two others)

So, how do I switch from Google Authenticator to Authy?
At least for Geekzone

freitasm

BDFL - Memuneh
78934 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1784607 19-May-2017 09:54

Do it while you have only three. I currently have 43 sites with 2FA on Authy. And I still have to load a few more. Imagine if you lose your phone and you had 50 sites to reset?

My technology disclosure

Killerkiwi2005

374 posts

Ultimate Geek

Trusted

#1784613 19-May-2017 10:08

Nice to see, all sites should really now be https, google is talkign about flagging all non ssl sites as insecure starting next year.

Don't forget you can get free ssl certs now
http://letsencrypt.org/

darylblake

1157 posts

Uber Geek

Trusted

#1784615 19-May-2017 10:13

freitasm:

Authy is what everyone should be using. It synchronises between devices so even if you lose your phone you still have access. Unlike Google and Microsoft Authenticator apps...

Have been meaning to set this up... Was using Google Authenticator, which is a nuance when you have to change phone etc.

1 | 2