Porygon2 Posted December 7, 2016

It's been bothering me that Fuwanovel uses HTTP for the main website and all subdomains (including these forums) and immediately downgrades all secure connections to HTTP via a redirect (301). This is concerning because all requests such as logins, sending session cookies, etc. are transmitted in plaintext, making it trivial for a man-in-the-middle attack to steal user credentials (and users tend to re-use those on multiple sites even though they should know better) or hijack sessions; they can read all messages and intercept or modify them at will, including sending the user to their own site while making it appear as Fuwa (there are also many other good reasons to switch everything to HTTPS, but these are currently the most pressing issues). To prevent this, HTTPS should be enabled everywhere and should be enforced by enabling HSTS to avoid attacks such as those of sslstrip.

(Ignore the next paragraph if you already know how to fix this issue and just haven't gotten around to doing so yet - though at least the first part shouldn't take very long at all and the second isn't too bad either.)

One possible solution: Since Fuwanovel already uses Cloudflare, you can fix part of the connection very easily: go to Cloudflare -> Crypto, set SSL to Flexible (should already be that way; really we want Full (strict), but that might involve more steps on your part, see below), and enable HSTS on all subdomains (hard to go back on, but you shouldn't ever want to go back on it anyways). You also might want to redirect everything to HTTPS one way or another.
This fixes the issue for the connection between users and Cloudflare; however, the connection between Cloudflare and your servers is still insecure, so make sure your web servers support HTTPS (might involve some tweaking of configurations or proxying in the worst case if your web server doesn't support it) and you have a valid certificate set up (certificates from Let's Encrypt are free and easily automatable, I don't see a reason not to use them), then set the Cloudflare SSL setting to Full (strict). Now the connections between Cloudflare and your servers are secure as well. (You could optionally set up Authenticated Origin Pulls to make sure you're only responding to traffic coming through Cloudflare.)
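The two problems the post describes (the HTTPS-to-HTTP 301 downgrade and the absence of HSTS) are both visible in a site's responses, so a site owner can verify the fix without guessing. The script below is an added example written for this thread; it is not code from the thread, from Fuwanovel, or from Cloudflare. It audits a pair of responses for one host (the `http://` and the `https://` endpoint) and reports: content served in plaintext, a redirect that lands on `http://`, and a missing, malformed or weak `Strict-Transport-Security` policy. The responses are constructed sample tuples of `(status, headers)` so it runs offline; the `example.invalid` hostnames and the one-year minimum `max-age` are the example's own assumptions, not values from the thread. For a live check you would fill the tuples from `urllib.request` responses of the host you administer.

```python
"""Audit HTTP->HTTPS redirect behaviour and the HSTS policy from captured responses.

Hypothetical helper written for this thread; not Fuwanovel's or Cloudflare's code.
It works on (status_code, headers_dict) tuples so it runs offline against the
constructed samples below.
"""
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Returns None if the header is absent or carries no valid max-age, since a
    browser would ignore such a policy entirely.
    """
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit(http_response, https_response, min_max_age=31536000):
    """Return a list of findings for one host's http:// and https:// responses.

    Each response is (status_code, headers_dict); header names may be any case.
    An empty list means the host redirects to HTTPS and pins it with HSTS.
    """
    findings = []
    http_status, http_headers = http_response
    https_status, https_headers = https_response
    http_headers = {k.lower(): v for k, v in http_headers.items()}
    https_headers = {k.lower(): v for k, v in https_headers.items()}

    # 1. The plaintext endpoint should redirect to https://, never serve content.
    if http_status in REDIRECT_CODES:
        if urlsplit(http_headers.get("location", "")).scheme != "https":
            findings.append("http redirect does not land on https://")
    else:
        findings.append("http endpoint serves content in plaintext")

    # 2. The https endpoint must never bounce the user back down to http://.
    if https_status in REDIRECT_CODES:
        if urlsplit(https_headers.get("location", "")).scheme == "http":
            findings.append("https downgrades to http:// (sslstrip-friendly)")

    # 3. HSTS must be present on the https response (browsers ignore it over http).
    hsts = parse_hsts(https_headers.get("strict-transport-security"))
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header on https")
    else:
        if hsts["max_age"] < min_max_age:
            findings.append("HSTS max-age below %d seconds" % min_max_age)
        if not hsts["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains (subdomains unprotected)")
    return findings


# Constructed sample responses (not captured from any real site).
BEFORE = {  # the situation the post describes: plaintext site, https 301s down to http
    "http": (200, {"Content-Type": "text/html"}),
    "https": (301, {"Location": "http://forums.example.invalid/"}),
}
AFTER = {  # the fixed state: http 301s up to https, https carries HSTS
    "http": (301, {"Location": "https://forums.example.invalid/"}),
    "https": (200, {"Content-Type": "text/html",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}

if __name__ == "__main__":
    for label, pair in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(pair["http"], pair["https"]) or ["ok"])
```

Running it prints three findings for the `BEFORE` pair and `ok` for `AFTER`. The HSTS check is deliberately run only on the HTTPS response because browsers discard the header when it arrives over plain HTTP, which is why enabling it in the Cloudflare Crypto panel is the step that actually stops the downgrade rather than the redirect alone.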
Narcosis Posted December 8, 2016

It's better to not reveal such information publicly at all; you're giving people ideas. Send a PM to @Tay or @Nayleen instead.
Porygon2 Posted December 8, 2016

2 minutes ago, Narcosis said: It's better to not reveal such information publicly at all; you're giving people ideas. Send a PM to @Tay or @Nayleen instead.

I was going to do that initially, but after double-checking the contact pages, this seemed to be the designated place for such reports, so I posted here instead. Concerning responsible disclosure: I feel like anyone who's able to pull off a MITM attack will already have recognized that all connections to Fuwanovel are unencrypted just by looking at their browser's address bar, or more likely has a program that filters all unencrypted connections automatically, so me stating that the connections are insecure doesn't really change the risk of an attack.
RimiNishijou Posted December 9, 2016

Seconded... last I checked it didn't need someone saying "Hey, the website sends everything in the clear". Literally looking at the title bar is enough. Then again, most Internet forums I see don't use HTTPS... I guess what the less technical users don't know...
Kurisu-Chan Posted December 9, 2016

Wait, seriously, the website is on HTTP? Good thing I use a completely unrelated password.
RimiNishijou Posted December 9, 2016

Isn't that a given...? It even says so on the address bar.

Kurisu-Chan said: Good thing I use a completely unrelated password.

Yep... Throwaway passwords are the best, aren't they?
Tay Posted December 10, 2016

It's on my list! Thank you for bringing it up.
Nayleen Posted December 10, 2016

In the process of moving everything to HTTPS; you might get a few Mixed Content warnings in the meantime.
Nayleen Posted December 10, 2016

Most (if not all) pages on the main blog, as well as all content served by the forums, should now be delivered through HTTPS. moon.fuwanovel.net isn't updated yet, simply because I don't know how to. @Tay pls fix. Also toggled a forums setting so that user-embedded images are served from the site instead; let's see how that one affects the site's performance.