Author Topic: Using noscript to force https ssl links in firefox  (Read 11953 times)
mouser
First Author
Administrator
« on: March 30, 2009, 11:15:55 PM »

I was talking to a friend the other day about accessing donationcoder or other sites using SSL (https urls), and how many have a problem where they support ssl but some of the links on the site itself will redirect you to normal http links inadvertently, leading you back to a non-secure connection.

It turns out that there are a couple of firefox extensions that can be used to force firefox to always use an https style ssl link on certain websites.  That is, it will dynamically adjust all http links to be https (or vice versa) on sites you specify.

The easiest solution is to use the very powerful, actively developed, donation supported "noscript" extension.  People who are paranoid about security tend to already have noscript installed so chances are if you care about forcing https you might already have noscript installed, and just not know about this feature.

For more instructions on how to configure noscript to force https, see for example this page.

« Last Edit: March 31, 2009, 12:13:59 AM by mouser »
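An added illustration of the rewriting described in the post above, not code from the thread and not NoScript's own code: given a list of hosts the user has opted in to, http:// links to those hosts are rewritten to https:// and every other link is left alone. The host list, URLs and HTML fragment are constructed for the example.

```javascript
// Added example (not from the thread and not NoScript's code): the core of a
// "force HTTPS" rule. Hosts the user opted in to are rewritten from http://
// to https://; every other link is returned untouched. Hosts are constructed.
// An entry with a leading dot covers the domain and all of its subdomains.
const FORCED_HOSTS = ['.donationcoder.com', 'example.org'];

// Does `host` fall under one of the configured entries?
function hostIsForced(host, forced = FORCED_HOSTS) {
  const h = host.toLowerCase();
  return forced.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith('.')) {
      // ".donationcoder.com" matches the bare domain and any subdomain
      return h === e.slice(1) || h.endsWith(e);
    }
    return h === e; // exact host only
  });
}

// Rewrite one URL. Returns the input string unchanged when no rule applies,
// so a caller can detect whether anything happened with a simple comparison.
function forceHttps(urlString, forced = FORCED_HOSTS) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return urlString; // relative or malformed link: leave it alone
  }
  if (url.protocol !== 'http:') return urlString; // already https, or ftp/mailto/...
  if (!hostIsForced(url.hostname, forced)) return urlString;
  url.protocol = 'https:'; // a default :80 was already dropped by the parser
  return url.toString();
}

// Rewrite every href in a fragment of HTML. The regex is deliberately
// simple (double-quoted hrefs only); a real extension walks the DOM instead.
function rewriteLinks(html, forced = FORCED_HOSTS) {
  return html.replace(/href="([^"]*)"/g,
    (match, href) => `href="${forceHttps(href, forced)}"`);
}

// Constructed sample page fragment.
const SAMPLE_HTML =
  '<a href="http://www.donationcoder.com/forum/">forum</a> ' +
  '<a href="http://example.org/a?b=1">a</a> ' +
  '<a href="http://sub.example.org/">sub</a> ' +
  '<a href="/relative">rel</a>';
```

Note that the exact-host entry `example.org` does not cover `sub.example.org`; the leading-dot form is what gives the "whole site" behaviour the thread asks for.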
ghacks
Honorary Member
« Reply #1 on: March 31, 2009, 03:00:53 AM »

That's interesting, Mouser. You can optimize your code by using a wildcard :)
f0dder
Charter Honorary Member
« Reply #2 on: March 31, 2009, 03:02:45 AM »

If only DC had an SSL cert that didn't make firefox throw hissy fits...
housetier
Charter Honorary Member
« Reply #3 on: March 31, 2009, 10:49:03 AM »

ha! very good, I just set up a bunch of sites to be forced to https.
Gothi[c]
DC Server Admin
Charter Honorary Member
« Reply #4 on: March 31, 2009, 10:58:55 AM »

Quote
If only DC had a SSL cert that didn't make firefox throw hissy fits...

If only firefox didn't throw hissy fits, extorting money out of people so they would buy ssl certificates :)

I tend to be the first to applaud security measures, but https is just broken.
It is trying to serve 2 purposes, which should be separate things.

1) making sure you're talking to who you think you are talking to
2) provide encryption

#1 is not possible without having certificate authority bodies (which, right now, is a business) and i'm all for FF throwing hissy fits when you may be talking to an attacker.

However, when all you want is encryption, a self-signed cert is more than fine. The fact that anyone that wants to implement encryption without forking out the money for #1, gets harassed by web browsers, is deterring people from using and/or implementing encryption at all, which is a very very bad thing for security.
f0dder
Charter Honorary Member
« Reply #5 on: March 31, 2009, 11:22:33 AM »

I partially agree :)

IMHO verification is at least as important as encryption.

Perhaps self-signed certs should be allowed without hissy-fits, but there should be a clear visual distinction between self-signed and verified. Problem is that regular users would probably understand even less of that than they do now...

It's unfortunate that there are so many problems with SSL. But technical flaws aside, imho the biggest problem is the careless attitude of some of the CAs... apparently it's way too easy to do a bit of social engineering and get certs that you really shouldn't have.

PS: the security error says the cert is only valid for donationcoder.com - I assume that means it, technically, isn't valid for www.donationcoder.com ?
mouser
First Author
Administrator
« Reply #6 on: March 31, 2009, 11:29:00 AM »

gothic has it right -- and this is one of those things that FF gets very wrong..
to use a self-signed certificate in firefox, which should be a totally reasonable thing to do -- a user has to go through some pretty confusing steps that scare them every step of the way.  this is a fail.

it wouldn't be so bad if the non-self-signed ssl certificate syndicate wasn't a giant money extortion racket.  it's criminal how much proper wildcard ssl certificates cost.

there needs to be a way to register self-signed certificates so that they are treated as trusted.. it wouldn't be so hard.. you'd just need to have someplace(s) trusted where the known owner of a site could provide a signature of the official certificate used on their site.  there are so many easy ways to do this.. but i fear it's one of those things that is like free money to these companies.. they have a vested interest in basically blackmailing sites to buy these expensive certificates.
f0dder
Charter Honorary Member
« Reply #7 on: March 31, 2009, 11:33:21 AM »

mouser: can't you do self-signed wildcard certs?

Anyway, since the site runs at www.donationcoder.com (and going without www prefix redirects to www.doco), wouldn't it be better to make the cert for www.doco, if you can't make it for *.doco ?
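f0dder's PS in reply #5 (the cert being "only valid for donationcoder.com") and the wildcard question just above both come down to how a browser matches the host it is connecting to against the names on the certificate. The following is an added example, not code from the thread and not Firefox's own, of that matching rule: a plain name must match in full, and a wildcard is honoured only as the whole leftmost label and stands for exactly one label. Certificate names and hosts are constructed.

```javascript
// Added example (not from the thread and not Firefox's code): the rule a
// browser applies when deciding whether a certificate's names cover the host
// it is connecting to. Exact names must match in full (case-insensitively);
// a wildcard is honoured only as the entire leftmost label and stands for
// exactly one label. Certificate names and hosts below are constructed.

function nameMatches(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, '');
  const h = host.toLowerCase().replace(/\.$/, '');
  if (!p.includes('*')) return p === h;

  const pLabels = p.split('.');
  const hLabels = h.split('.');
  // Only "*.example.com" style patterns count: the wildcard is the whole
  // leftmost label, nothing else contains one, and at least two labels
  // follow it so that "*.com" never matches every .com host.
  if (pLabels[0] !== '*' || pLabels.length < 3) return false;
  if (pLabels.slice(1).some((label) => label.includes('*'))) return false;
  // "*" covers exactly one label: "*.example.com" matches "www.example.com"
  // but neither "example.com" nor "a.b.example.com".
  if (hLabels.length !== pLabels.length) return false;
  return pLabels.slice(1).join('.') === hLabels.slice(1).join('.');
}

// A certificate may list several names (subjectAltName); the host is
// covered if any one of them matches.
function certCoversHost(certNames, host) {
  return certNames.some((name) => nameMatches(name, host));
}

// Summarise the outcome the way a diagnostic would report it.
function explainCoverage(certNames, host) {
  const names = certNames.join(', ');
  return certCoversHost(certNames, host)
    ? `${host}: covered by [${names}]`
    : `${host}: NOT covered by [${names}], browser will warn`;
}

// Constructed: the mismatch the thread describes, and the two ways out of it.
const BARE_ONLY = ['donationcoder.com'];
const WITH_WWW = ['donationcoder.com', 'www.donationcoder.com'];
const WILDCARD = ['*.donationcoder.com'];
```

The two fixes proposed in the thread correspond to `WITH_WWW` (list the www name explicitly) and `WILDCARD` (one name covering any single-label subdomain); note the wildcard form does not cover the bare domain itself, so a site that serves both still needs both names.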
mouser
First Author
Administrator
« Reply #8 on: March 31, 2009, 11:47:05 AM »

f0dder -- everything is (relatively) easy to do with self-signed certificates.
my comment was about the expense of purchasing NON-self-signed wildcard certificates.
f0dder
Charter Honorary Member
« Reply #9 on: March 31, 2009, 11:53:15 AM »

Quote
f0dder -- everything is (relatively) easy to do with self-signed certificates.
my comment was about the expense of purchasing NON-self-signed wildcard certificates.

OK :)

I don't know what the costs are (but probably not cheap) - and I do find it unfortunate that it's such a money machine for the CAs, especially considering how little checking some of them do.

But could you (or gothic?) please make the DC cert a wildcard one, or at least make one for www.doco ? That way FF would bitch less :)
Shades
Member
« Reply #10 on: March 31, 2009, 11:50:27 PM »

@mouser:
During my "hunting" on the net some three years back, a promising free SSL CA was found. They were really upset by the money grabbing paws of every CA company. But their concept of free certs for most purposes looked really interesting.

After reading the posts in this thread my memory woke up and went looking for them again. They are still alive and kicking (in Israel of all places). At the time they were busy getting themselves recognized and being included in the default list of CAs from browsers. Don't know how far they got with that nowadays, but maybe they are interesting enough for DonationCoder?
Gothi[c]
DC Server Admin
Charter Honorary Member
« Reply #11 on: April 01, 2009, 02:02:38 PM »

Quote
that way FF would bitch less

Not much less :) The only reason I haven't even bothered is because FF still makes you do 3 or 4 (haven't counted?) clicks just for a self-signed cert.
Gothi[c]
DC Server Admin
Charter Honorary Member
« Reply #12 on: April 01, 2009, 02:03:22 PM »

In fact, I think it's the same amount of clicks, just a different 'error' msg
f0dder
Charter Honorary Member
« Reply #13 on: April 01, 2009, 05:34:20 PM »

Gothic: might be the same amount of clicks, but while I don't have much of a problem accepting a self-signed cert, I would certainly prefer one that actually matches the domain/hosts used :)
brahman
Supporting Member
« Reply #14 on: April 30, 2009, 09:30:48 AM »

Hi Folks,

isn't there a way to change the default behaviour of FF to accept faulty certs? I have been wanting to change that, because right now I simply switch to Opera for these sites.

I also forgot how to set up a site as an exception to be accepted with a faulty cert. Could you tell us how to accomplish that? They made it really confusing and if you don't do it all the time the procedure is just forgotten.

Thanks.

Regards,

Brahman
lanux128
Global Moderator
« Reply #15 on: April 30, 2009, 11:30:42 AM »

Quote
isn't there a way to change the default behaviour of FF to accept faulty certs? I have been wanting to change that, because right now I simply switch to Opera for these sites.

I also forgot how to set up a site as an exception to be accepted with a faulty cert. Could you tell us how to accomplish that?

to change the settings, go to options > advanced > encryption > 'view certificates'. then from the 'certificate manager' dialog, go to 'servers' tab and remove the certs that you don't need.. hth

f0dder
Charter Honorary Member
« Reply #16 on: April 30, 2009, 04:34:56 PM »

Ummm... why would you accept faulty certs globally? Isn't that a pretty stupidly insecure thing to do? Do you really visit that many sites with self-signed certs that it's a nuisance to accept certificates per site? O_o
brahman
Supporting Member
« Reply #17 on: May 01, 2009, 08:53:30 AM »

@lanux128:
Thanks for your help. You know why I wasn't able to find it? My dpi, resolution, and font settings are a bit unusual, so the box never showed the "Add Exception" button, which is the one I was looking for. I only needed to expand the dialogue size and there it was tucked away on the far right corner!

@f0dder:
It would be. Guess I was not clear: Not accept faulty certs globally, but allow to accept them with a confirmation click (i.e. old FF2 default behaviour is wanted here) instead of going through the rigamarole. But after I found again my "Add Exception" button, I guess that won't be necessary so much any more.

Regards,

Brahman
« Last Edit: May 01, 2009, 09:04:22 AM by brahman »
lanux128
Global Moderator
« Reply #18 on: May 01, 2009, 10:10:45 PM »

Quote
Thanks for your help. You know why I wasn't able to find it? My dpi, resolution, and font settings are a bit unusual, so the box never showed the "Add Exception" button, which is the one I was looking for. I only needed to expand the dialogue size and there it was tucked away on the far right corner

you're welcome.. it was quite a procession for me too when i first went looking for it. :)
brahman
Supporting Member
« Reply #19 on: May 05, 2009, 10:42:01 AM »

There is another FF extension which forces HTTPS and has the additional feature of setting SECURE cookies. The authors have a very good paper on their site explaining a lot of details of how to secure your site and your browser. The use of secure cookies in this process is very important.

Here is the site for "Force HTTPS" extension:
https://crypto.stanford.edu/forcehttps/

and here are the changes I made to the .js file of the extension in the following folder location
..\extensions\forcehttps@stanford.edu\defaults\preferences\forcehttps.js
in order to connect to Donationcoder securely:


If anybody knows a simple way (i.e. not sniffing) of determining if a cookie has been set securely or not, I would appreciate if (s)he could share that information with me.

The use of Force HTTPS seems to be even more secure than noscript because of the secure cookie setting feature.

I have noscript permanently deactivated, because I think it is almost impossible (at least for my surfing habits) to browse the web without the use of JavaScript. So it is too much of a nuisance for me. FF3.5 will hopefully make the possibility of cross scripting attacks more remote, FWIU.

Regards,

Brahman
« Last Edit: May 05, 2009, 10:43:38 AM by brahman »
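On the cookie question in the post above: a cookie's Secure attribute travels only in the Set-Cookie response header (the script-visible document.cookie string exposes just name=value pairs), so the response headers are the place to look rather than the cookie jar. The following added example, not code from the thread and not the Force HTTPS extension's own, parses Set-Cookie header lines, lists the cookies that lack the Secure attribute, and shows what "setting secure cookies" amounts to as a header rewrite. The header lines are constructed.

```javascript
// Added example (not from the thread and not the Force HTTPS extension's
// code): audit Set-Cookie response headers for the Secure attribute. A cookie
// without Secure is sent on plain http requests too, so forcing https for
// page loads alone does not protect it. Header lines below are constructed.

function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1).trim() : '',
    secure: false,
    httpOnly: false,
    attributes: {}, // path, domain, expires, ... keyed in lower case
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    const val = i >= 0 ? attr.slice(i + 1).trim() : true;
    if (key === 'secure') cookie.secure = true;        // flag attributes carry no value
    else if (key === 'httponly') cookie.httpOnly = true;
    else cookie.attributes[key] = val;
  }
  return cookie;
}

// Names of the cookies that would also be sent over plain http.
function insecureCookieNames(headerValues) {
  return headerValues
    .map(parseSetCookie)
    .filter((c) => !c.secure)
    .map((c) => c.name);
}

// What "setting secure cookies" amounts to: append the attribute when the
// server forgot it, and leave already-secure cookies untouched.
function forceSecure(headerValue) {
  return parseSetCookie(headerValue).secure ? headerValue : `${headerValue}; Secure`;
}

// Constructed sample response headers: one cookie set correctly, one not.
const SAMPLE_SET_COOKIE = [
  'PHPSESSID=abc123; path=/; HttpOnly; Secure',
  'forum_pref=dark; path=/; expires=Fri, 01 May 2009 00:00:00 GMT',
];
```

Run `insecureCookieNames(SAMPLE_SET_COOKIE)` on header lines captured from a real response to see which cookies a site sets without the flag; the Expires value contains a comma, which is why the parser splits on semicolons only.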
mouser
First Author
Administrator
« Reply #20 on: May 09, 2009, 12:28:44 AM »

thanks for the info Brahman, i didn't know anything about secure cookies and now i'm off to learn a bit.