Default HTTP communication is not encrypted. That is mostly fine for ‘normal’ web browsing. Encryption was considered only for highly sensitive communication such as managing bank accounts. Common man-in-the-middle attacks were well known, but often they were thought of as in a theoretical sense and not really feared as accessing a ‘wire’ can be physically difficult.
We are less secure nowadays. With the increasing use of wireless networks the communication can be eavesdropped by literally anyone in the range of tens to hundreds of meters. This has been boldly demonstrated by the Firesheep extension which enables users easily collect passwords and cookies and sidejack accounts. This was nothing new, really – it simply showed how easy it was to do.
We understand such issues at Logentries. This is why we always use encrypted HTTPS for our web site and enable our users to use SSL encryption for their data.
There is still a catch however. When a user types logentries.com on the browser’s location bar, the browser assumes it is HTTP, not HTTPS. To use HTTPS you must specify it explicitly when typing in the web address. Although we redirect the browser to HTTPS immediately, this one quick handshake is not encrypted and is a potential weak point every time the user goes to the site. So an eavesdropper could potentially redirect your request elsewhere if they were so inclined. If the HTTP link is saved as a bookmark or as a link from another web site this handshake may happen every time you go to our site….
Don’t worry, there is a solution: a HTTP strict transport security (HSTS) header field that instructs the browser to always use HTTPS for this site. If you would like to add this to your own web site you only need to add this simple line to the response from your site:
It is accepted in HTTPS communication only. The max-age parameter specifies how long to remember the rule in seconds (31536000 corresponds to a year). Append ; includeSubDomains at the end to apply the rule for all subdomains as well.
HSTS is supported in current versions of Chrome and Firefox. We hope others will catch up soon.
But wait, there is more! You can also prevent the opening of web pages in iframes. That is a common phishing attack easily triggered via links in emails. To add this… or should I say disallow this … from your web site, simply add this header field to prevent users displaying your pages in iframes:
Setting up for Apache is piece a cake. Just enable the headers mod (requires Apache restart) and set the right headers in the VirtualHost (VHost) section of your site configuration.
Header set Strict-Transport-Security "max-age=31536000" Header set X-Frame-Options "deny"
On the command line it looks like this:
# a2enmod headers Enabling module headers. Run '/etc/init.d/apache2 restart' to activate new configuration! # /etc/init.d/apache2 restart Restarting web server: apache2 Apache/2.2.9 mod_ssl/2.2.9 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide the pass phrases. Server logentries.com:443 (RSA) Enter pass phrase: ************ OK: Pass Phrase Dialog successful.
A simple test with wget shows new headers.
$ wget -Sq https://logentries.com/ HTTP/1.1 200 OK Date: Tue, 03 May 2011 12:28:43 GMT Server: Apache/2.2.9 Vary: Cookie,Accept-Encoding Set-Cookie: csrftoken=98a2e7ededdd003ac14f47d2c81b90cf; Max-Age=31449600; Path=/ Strict-Transport-Security: max-age=31536000 X-Frame-Options: deny Connection: close Content Type: text/html; charset=utf-8
We hope you feel that bit more secure now 🙂