Strictly HTTPS

Default HTTP communication is not encrypted. That is mostly fine for ‘normal’ web browsing, and encryption was long considered necessary only for highly sensitive communication such as managing bank accounts. Man-in-the-middle attacks were well known, but they were often thought of as theoretical and not really feared, because getting access to a ‘wire’ can be physically difficult.

We are less secure nowadays. With the increasing use of wireless networks, communication can be eavesdropped on by literally anyone within a range of tens to hundreds of meters. This has been boldly demonstrated by the Firesheep extension, which lets users easily collect passwords and cookies and sidejack accounts. This was nothing new, really – it simply showed how easy it was to do.

We understand such issues at Logentries. This is why we always use encrypted HTTPS for our web site and enable our users to use SSL encryption for their data.

There is still a catch, however. When a user types a web address into the browser’s location bar, the browser assumes HTTP, not HTTPS. To use HTTPS you must specify it explicitly when typing in the web address. Although we redirect the browser to HTTPS immediately, this first request is sent unencrypted and is a potential weak point every time the user goes to the site: an eavesdropper could redirect your request elsewhere if they were so inclined. If the HTTP link is saved as a bookmark or as a link from another web site, this unencrypted request may happen every time you go to our site.

Don’t worry, there is a solution: the HTTP Strict Transport Security (HSTS) header field, which instructs the browser to always use HTTPS for this site. If you would like to add this to your own web site, you only need to add this simple line to the response from your site:

Strict-Transport-Security: max-age=31536000

It is accepted in HTTPS communication only; a browser ignores the header if it arrives over plain HTTP. The max-age parameter specifies how long, in seconds, to remember the rule (31536000 corresponds to a year). Append ; includeSubDomains at the end to apply the rule to all subdomains as well.

HSTS is supported in current versions of Chrome and Firefox. We hope others will catch up soon.

But wait, there is more! You can also prevent your web pages from being opened in iframes. That is a common phishing attack, easily triggered via links in emails. To disallow this, simply add this header field to prevent your pages from being displayed in iframes:

X-Frame-Options: deny

Setting this up on Apache is a piece of cake. Just enable the headers module (mod_headers; this requires an Apache restart) and set the right headers in the VirtualHost (VHost) section of your site configuration.

Header set Strict-Transport-Security "max-age=31536000"
Header set X-Frame-Options "deny"

On the command line it looks like this:

# a2enmod headers
Enabling module headers.
Run '/etc/init.d/apache2 restart' to activate new configuration!
# /etc/init.d/apache2 restart
Restarting web server: apache2
Apache/2.2.9 mod_ssl/2.2.9 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server (RSA)
Enter pass phrase: ************

OK: Pass Phrase Dialog successful.

A simple test with wget shows the new headers.

$ wget -Sq
HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:43 GMT
Server: Apache/2.2.9
Vary: Cookie,Accept-Encoding
Set-Cookie:  csrftoken=98a2e7ededdd003ac14f47d2c81b90cf; Max-Age=31449600; Path=/
Strict-Transport-Security: max-age=31536000
X-Frame-Options: deny
Connection: close
Content-Type: text/html; charset=utf-8
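As an added example (not Logentries’ code), the following Python script checks a captured response header block, like the wget output above, for the two headers discussed in this post. It parses the Strict-Transport-Security value into its max-age and includeSubDomains directives, reports a header received over plain HTTP as ineffective (browsers only honour it on HTTPS), and checks that X-Frame-Options is set to deny or sameorigin. The sample response embedded in the script is constructed to resemble the wget output, with the cookie line left out; the function and constant names are the example’s own.

```python
"""Check a raw HTTP response header block for HSTS and X-Frame-Options.

Added example, not Logentries' code. SAMPLE_RESPONSE is a constructed
header block modelled on the `wget -S` output shown in the post.
"""
import re

# Constructed sample: what `wget -S` prints for a response from an HTTPS site
# that sends both headers (includeSubDomains added for illustration).
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:43 GMT
Server: Apache/2.2.9
Vary: Cookie,Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: deny
Connection: close
Content-Type: text/html; charset=utf-8
"""

ONE_YEAR = 31536000  # seconds; the max-age value the post recommends


def parse_headers(raw):
    """Split a raw header block into a dict keyed by lower-cased header name.

    The status line is skipped. HTTP header names are case-insensitive, so
    lower-casing lets callers look up 'strict-transport-security' no matter
    how the server capitalised it.
    """
    headers = {}
    for line in raw.splitlines()[1:]:  # line 0 is the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed lines instead of failing
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Directives are ';'-separated and case-insensitive. Returns
    {'max-age': int or None, 'includeSubDomains': bool}.
    """
    policy = {"max-age": None, "includeSubDomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if match:
                policy["max-age"] = int(match.group(1))
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
    return policy


def check_response(raw, over_https=True):
    """Return a list of findings for the headers the post discusses.

    An empty list means: HSTS present with at least a one-year max-age and
    subdomain coverage, and framing blocked. `over_https` is the scheme the
    response was fetched on, since browsers ignore HSTS on plain HTTP.
    """
    findings = []
    headers = parse_headers(raw)

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        policy = parse_hsts(hsts)
        if not over_https:
            findings.append("HSTS sent over plain HTTP is ignored by browsers")
        if policy["max-age"] is None:
            findings.append("HSTS max-age directive missing or malformed")
        elif policy["max-age"] < ONE_YEAR:
            findings.append("HSTS max-age %d is shorter than one year"
                            % policy["max-age"])
        if not policy["includeSubDomains"]:
            findings.append("HSTS does not cover subdomains "
                            "(no includeSubDomains)")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options header")
    elif xfo.lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options value %r does not block framing" % xfo)
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE) or ["all checks passed"]:
        print(finding)
```

To use it on a live site, paste the header block printed by wget -S (or curl -I) into SAMPLE_RESPONSE, or read it from a file, and pass over_https=False if the response was fetched over plain HTTP; the subdomain note is informational, since the post presents includeSubDomains as optional.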

We hope you feel that bit more secure now 🙂

Viliam is a co-founder and in a position that could be called CTO.

Posted in Logentries, Web
