
Comments (14)

cben commented on May 20, 2024

Also, https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security would be good.

from mathdown.

cben commented on May 20, 2024

re HSTS: http://blog.nvisium.com/2014/04/is-your-site-hsts-enabled.html, https://news.ycombinator.com/item?id=7646215



cben commented on May 20, 2024

Now works on Heroku: https://mathdown.herokuapp.com. Custom domain SSL requires $20/month.
and on Openshift: https://mathdown-cben.rhcloud.com. Custom domain SSL also costs $20/month and I can't even upgrade my account to pay.

git push to heroku deploys in 50 seconds, to rhcloud in ridiculous 13 minutes :-(

mathdown.com domain (using it as testbed before switching mathdown.net) is now managed by Cloudflare, CNAMEing to mathdown.herokuapp.com.

Cloudflare offers free SSL certs between it and users but "full SSL strict" validation between it and the heroku/openshift backend fails unless the server presents a cert for the custom domain (mathdown.com).
There seems to be no way to tell them to validate heroku's certificate.
They offer "full SSL" (not strict) / "flexible SSL" modes without validation/encryption to backend but that's snake oil.
I'll probably stay on Cloudflare DNS anyway, don't know yet if I want them as men in the middle.
Cloudflare can't currently support HSTS.

Plan: pay for heroku SSL for now, later investigate just running on $5–10 Digital Ocean (deployed with Terraform and/or docker via tutum.co).
For forks, Heroku button and free HTTPS on foo.herokuapp.com domains is fine.

  • Currently server.coffee is logging URLs to stdout, including doc=secret part. Should probably stop. Heroku and Openshift logs are not public, but logs do get around during debugging, containing user secrets is bad idea.


cben commented on May 20, 2024

Forgot to mention wrt initial comment here:

  • I need dynamic server for #7 anyway (spiderable docs). Also nice for #59 (pretty mathdown.net/SECRET urls).
  • Github pages does nowadays support HTTPS on https://cben.github.io/mathdown/ — but not on custom domains. Cloudflare isn't a gratis solution for the same reason as with heroku.
  • I intend to keep ability to run from GH Pages or local checkout (without #7, #59) for trivial fork demoing.

See #57 for more details on moving away from Github pages.


cben commented on May 20, 2024

For the record: any hosting without dedicated IP relies on SNI to present correct cert.
This is generally fine; the main group it leaves in the dark is Android 2.x default browser, and IE8 on XP.
=> I'm fine with SNI.


cben commented on May 20, 2024

Comparing free HTTPS config of Heroku vs OpenShift (aka rhcloud) – at their wildcard cert subdomains:
https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.herokuapp.com&s=23.21.143.20&latest
=> B for "accepts the RC4 cipher, which is weak" (handshake simulation shows RC4 would only be used by IE8 on XP, which won't work due to SNI anyway).
https://www.ssllabs.com/ssltest/analyze.html?d=mathdown-cben.rhcloud.com&latest
=> A despite "Certificate uses a weak signature." (SHA1)


cben commented on May 20, 2024

Yay, https://mathdown.com now works!
Got StartSSL cert for mathdown.com, deployed on Openshift (https://mathdown-cben.rhcloud.com), Cloudflare DNS points to Openshift, working through Cloudflare with "Full SSL (strict)" (= Cloudflare is MITM but is verifying the openshift server presents a valid cert for mathdown.com).

SSLLabs report: https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.com&s=104.28.6.62
surprisingly this shows Fail due to SNI or crypto mismatch for a lot of clients, while the above tests with Heroku/OpenShift's SNI only had 1 or 2 Fails.
And I tried https://mathdown.com on IE8 on XP on Saucelabs, and it worked. Weird, not sure how "real" that XP is.
Crypto mismatch is less surprising — while Cloudflare as a CDN should want wide interoperability, they did optimize their free TLS implementation.

About Cloudflare

Wait, did I just say Cloudflare are doing Man-In-The-Middle? With HTTPS?!? Yes.
It's a bit bizarre, and only goes to show how insecure the CA system is.
In Sep 2014 they announced free TLS for everybody.

How does it work?
For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains.

They can do that, without asking me, because, by controlling my DNS, they can "prove" ownership of the domain. So they made a deal with a couple of CAs to mint certs for them [see https://news.ycombinator.com/item?id=8382335 for discussions]. The cert in my case:

Alternative names sni39464.cloudflaressl.com *.kagetora.nl *.koloso.be *.linkea.do *.mathdown.com *.mnaz.me *.movieq.biz *.nautilus-jp.com *.r-3.okinawa *.xn--treciwyspis-gfc.pl kagetora.nl koloso.be linkea.do mathdown.com mnaz.me movieq.biz nautilus-jp.com r-3.okinawa xn--treciwyspis-gfc.pl
Issuer COMODO ECC Domain Validation Secure Server CA 2

The technical reason I want them to control my DNS is that they provide free DNS with CNAME at the apex.
Anyway, I have a strong impression Cloudflare are very competent and a force for good.

But will I keep them as CDN, or only as DNS?

  • Pro: CDN = caching and latency
    • Con: extra complexity dev/prod parity
    • It seems I'm not serving sensible caching headers, must sort that out first before sprinkling magic CDN dust.
  • Pro: they add IPv6 support (Heroku and Openshift only have IPv4 addresses)

=> I think I'll disable CF as CDN for now.


cben commented on May 20, 2024

About mathdown.com vs mathdown.net:

I started with .com to experiment. Now will get .net certificate, and move .net DNS to Cloudflare.
But I'm not sure if Openshift can serve 2 custom certificates. And StartSSL requires level 2 validation to produce 1 cert with both .com and .net as AltNames. [If a problem, will buy from sslmate]


cben commented on May 20, 2024

Moved .net DNS to cloudflare (still pointing to Github Pages, turned SSL off)
Replaced fixed GH pages A addresses with CNAME ("flattened" by CF) to cben.github.io - works.


cben commented on May 20, 2024

Got also a mathdown.net cert, added to RHcloud* (turned out they support multiple domains with separate certs trivially).

*I've been mostly referring to it as Openshift but to be precise Openshift is the (open source) software and RHcloud is the openshift hosting run by RedHat.


cben commented on May 20, 2024

TODO: intelligent redirects (and/or rel=canonical) http->https, and .com -> .net.

  • Want both server-side redirect from server.js and client side for GH Pages https.
  • Should look into libs for running same routing logic on client and server.
  • Openshift (and probably Heroku) terminate TLS in the reverse proxy; need to check x-forwarding
    [https://help.openshift.com/hc/en-us/articles/203263674-What-external-ports-are-available-on-OpenShift-]

good checklist doc for migration to HTTPS: https://docs.google.com/document/d/1oRXJUIttqQxuxmjj2tgYjj096IKw4Zcw6eAoIKWZ2oQ/edit#

  • Verify no mixed-content errors? Currently clean but see if this can be ensured in tests.
  • HSTS should be possible simply by setting response header.


cben commented on May 20, 2024

I flipped mathdown.net DNS yesterday to RHcloud (yay!) but turns out I misconfigured certs:
https://mathdown.net and https://mathdown.com/ work but with www. they give error:

This server could not prove that it is www.mathdown.com; its security certificate is from *.rhcloud.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

And similarly:

This server could not prove that it is www.mathdown.com; its security certificate is from *.rhcloud.com. This may be caused by a misconfiguration or an attacker intercepting your connection.


cben commented on May 20, 2024

Just to conclude: https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.net :-)
Main caveat: This site works only in browsers with SNI support.
Opening new issue(s) for redirects & HSTS followup.

