Author Topic: Using noscript to force https ssl links in firefox  (Read 27090 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
Using noscript to force https ssl links in firefox
« on: March 30, 2009, 11:15 PM »
I was talking to a friend the other day about accessing donationcoder or other sites using SSL (https urls), and how many have a problem where they support ssl but some of the links on the site itself will redirect you to normal http links inadvertently, leading you back to a non-secure connection.

It turns out that there are a couple of firefox extensions that can be used to force firefox to always use an https style ssl link on certain websites.  That is, it will dynamically adjust all http links to be https (or vice versa) on sites you specify.

The easiest solution is to use the very powerful, actively developed, donation supported "noscript" extension.  People who are paranoid about security tend to already have noscript installed so chances are if you care about forcing https you might already have noscript installed, and just not know about this feature.

For more instructions on how to configure noscript to force https, see for example this page.

noscript-force-ssl.png
« Last Edit: March 31, 2009, 12:13 AM by mouser »

ghacks

  • Honorary Member
  • Joined in 2006
Re: Using noscript to force https ssl links in firefox
« Reply #1 on: March 31, 2009, 03:00 AM »
That's interesting Mouser. You can optimize your code by using a wildcard :)

f0dder

  • Charter Honorary Member
  • Joined in 2005
Re: Using noscript to force https ssl links in firefox
« Reply #2 on: March 31, 2009, 03:02 AM »
If only DC had a SSL cert that didn't make firefox throw hissy fits...
- carpe noctem

housetier

  • Charter Honorary Member
  • Joined in 2005
Re: Using noscript to force https ssl links in firefox
« Reply #3 on: March 31, 2009, 10:49 AM »
ha! very good, I just set up a bunch of sites to be forced to https.

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
Re: Using noscript to force https ssl links in firefox
« Reply #4 on: March 31, 2009, 10:58 AM »
> If only DC had a SSL cert that didn't make firefox throw hissy fits...

If only firefox didn't throw hissy fits, extorting money out of people so they would buy ssl certificates :)

I tend to be the first to applaud security measures, but https is just broken.
It is trying to serve 2 purposes, which should be separate things.

1) making sure you're talking to who you think you are talking to
2) provide encryption

#1 is not possible without having certificate authority bodies (which right now, is a business.) and i'm all for FF throwing hissy fits when you may be talking to an attacker.

However, when all you want is encryption, a self-signed cert is more than fine. The fact that anyone that wants to implement encryption without forking out the money for #1, gets harassed by web browsers, is deterring people from using and/or implementing encryption at all, which is a very very bad thing for security.

f0dder

Re: Using noscript to force https ssl links in firefox
« Reply #5 on: March 31, 2009, 11:22 AM »
I partially agree :)

IMHO verification is at least as important as encryption.

Perhaps self-signed certs should be allowed without hissy-fits, but there should be a clear visual distinction between self-signed and verified. Problem is that regular users would probably understand even less of that than they do now...

It's unfortunate that there's so many problems with SSL. But technical flaws aside, imho the biggest problem is the careless attitude of some of the CAs... apparently it's way too easy to do a bit of social engineering and get certs that you really shouldn't have.

PS: the security error says the cert is only valid for donationcoder.com - I assume that means it, technically, isn't valid for www.donationcoder.com ?
- carpe noctem

mouser

Re: Using noscript to force https ssl links in firefox
« Reply #6 on: March 31, 2009, 11:29 AM »
gothic has it right -- and this is one of those things that FF gets very wrong..
to use a self-signed certificate in firefox, which should be a totally reasonable thing to do -- a user has to go through some pretty confusing steps that scare them every step of the way.  this is a fail.

it wouldn't be so bad if the non-self-signed ssl certificate syndicate wasn't a giant money extortion racket.  it's criminal how much proper wildcard ssl certificates cost.

there needs to be a way to register self-signed certificates so that they are treated as trusted.. it wouldn't be so hard.. you'd just need to have someplace(s) trusted where the known owner of a site could provide a signature of the official certificate used on their site.  there are so many easy ways to do this.. but i fear it's one of those things that is like free money to these companies.. they have a vested interest in basically blackmailing sites to buy these expensive certificates.

f0dder

Re: Using noscript to force https ssl links in firefox
« Reply #7 on: March 31, 2009, 11:33 AM »
mouser: can't you do self-signed wildcard certs?

Anyway, since the site runs at www.donationcoder.com (and going without www prefix redirects to www.doco), wouldn't it be better to make the cert for www.doco, if you can't make it for *.doco ?
- carpe noctem

mouser

Re: Using noscript to force https ssl links in firefox
« Reply #8 on: March 31, 2009, 11:47 AM »
f0dder -- everything is (relatively) easy to do with self-signed certificates.
my comment was about the expense of purchasing NON-self-signed wildcard certificates.

f0dder

Re: Using noscript to force https ssl links in firefox
« Reply #9 on: March 31, 2009, 11:53 AM »
> f0dder -- everything is (relatively) easy to do with self-signed certificates.
> my comment was about the expense of purchasing NON-self-signed wildcard certificates.

OK :)

I don't know what the costs are (but probably not cheap) - and I do find it unfortunate that it's such a money machine for the CAs, especially considering how little checking some of them do.

But could you (or gothic?) please make the DC cert a wildcard one, or at least make one for www.doco ? That way FF would bitch less :)
- carpe noctem

Shades

  • Member
  • Joined in 2006
Re: Using noscript to force https ssl links in firefox
« Reply #10 on: March 31, 2009, 11:50 PM »
@mouser:
During my "hunting" on the net some three years back, a promising free SSL CA was found. They were really upset by the money grabbing paws of every CA company. But their concept of free certs for most purposes looked really interesting.

After reading the posts in this thread my memory woke up and went looking for them again. They are still alive and kicking (in Israel of all places). At the time they were busy getting themselves recognized and being included in the default list of CAs from browsers. Don't know how far they got with that nowadays, but maybe they are interesting enough for DonationCoder?

Gothi[c]

Re: Using noscript to force https ssl links in firefox
« Reply #11 on: April 01, 2009, 02:02 PM »
> that way FF would bitch less

Not much less :) The only reason I haven't even bothered is because ff still makes you do 3 or 4 (haven't counted?) clicks just for a self-signed cert.

Gothi[c]

Re: Using noscript to force https ssl links in firefox
« Reply #12 on: April 01, 2009, 02:03 PM »
In fact, I think it's the same amount of clicks, just a different 'error' msg

f0dder

Re: Using noscript to force https ssl links in firefox
« Reply #13 on: April 01, 2009, 05:34 PM »
Gothic: might be the same amount of clicks, but while I don't have much of a problem accepting a self-signed cert, I would certainly prefer one that actually matches the domain/hosts used :)
- carpe noctem
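
The name-mismatch point discussed in this thread (a cert valid for donationcoder.com while the site runs at www.donationcoder.com, and the suggestion of a wildcard cert), as an added example that is not part of any post. It applies the usual single-label wildcard matching rule; the candidate certificate name lists and the host `a.b.donationcoder.com` are constructed for illustration.

```javascript
// Added example: hostname-vs-certificate name matching.
// Rule: names compare case-insensitively; "*" is honoured only as the whole
// leftmost label and stands for exactly one label.
function nameMatches(certName, host) {
  const c = certName.toLowerCase().replace(/\.$/, "");
  const h = host.toLowerCase().replace(/\.$/, "");
  if (!c.startsWith("*.")) return c === h;
  const suffix = c.slice(1); // e.g. ".donationcoder.com"
  if (!h.endsWith(suffix)) return false;
  const left = h.slice(0, h.length - suffix.length);
  return left.length > 0 && !left.includes(".");
}

// Hosts from `hosts` that none of the certificate's names cover.
function uncoveredHosts(certNames, hosts) {
  return hosts.filter((h) => !certNames.some((n) => nameMatches(n, h)));
}

// Constructed inputs: the two hostnames named in the thread, plus a deeper one.
const HOSTS = ["donationcoder.com", "www.donationcoder.com", "a.b.donationcoder.com"];
const CANDIDATE_CERTS = {
  "bare name only": ["donationcoder.com"],
  "www only": ["www.donationcoder.com"],
  "wildcard only": ["*.donationcoder.com"],
  "wildcard + bare": ["*.donationcoder.com", "donationcoder.com"],
};

for (const [label, names] of Object.entries(CANDIDATE_CERTS)) {
  const missing = uncoveredHosts(names, HOSTS);
  console.log(`${label}: not covered -> ${missing.join(", ") || "(none)"}`);
}
```

A wildcard name on its own leaves the bare domain uncovered, so a site that answers on both names needs both in the certificate.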

brahman

  • Supporting Member
  • Joined in 2007
Re: Using noscript to force https ssl links in firefox
« Reply #14 on: April 30, 2009, 09:30 AM »
Hi Folks,

isn't there a way to change the default behaviour of FF to accept faulty certs? I have been wanting to change that, because right now I simply switch to Opera for these sites.

I also forgot how to set up a site as an exception to be accepted with a faulty cert. Could you tell us how to accomplish that? They made it really confusing and if you don't do it all the time the procedure is just forgotten.

Thanks.

Regards,

Brahman

lanux128

  • Global Moderator
  • Joined in 2005
Re: Using noscript to force https ssl links in firefox
« Reply #15 on: April 30, 2009, 11:30 AM »
> isn't there a way to change the default behaviour of FF to accept faulty certs? I have been wanting to change that, because right now I simply switch to Opera for these sites.
>
> I also forgot how to set up a site as an exception to be accepted with a faulty cert. Could you tell us how to accomplish that?

to change the settings, go to options > advanced > encryption > 'view certificates'. then from the 'certificate manager' dialog, go to 'servers' tab and remove the certs that you don't need.. hth


f0dder

Re: Using noscript to force https ssl links in firefox
« Reply #16 on: April 30, 2009, 04:34 PM »
Ummm... why would you accept faulty certs globally? Isn't that a pretty stupidly insecure thing to do? Do you really visit that many sites with self-signed certs that it's a nuisance to accept certificates per site? O_o
- carpe noctem

brahman

Re: Using noscript to force https ssl links in firefox
« Reply #17 on: May 01, 2009, 08:53 AM »
@lanux128:
Thanks for your help. You know why I wasn't able to find it? My dpi, resolution, and font settings are a bit unusual, so the box never showed the "Add Exception" button, which is the one I was looking for. I only needed to expand the dialogue size and there it was tucked away on the far right corner ;D!

@f0dder:
It would be. Guess I was not clear: Not accept faulty certs globally, but allow to accept them with a confirmation click (i.e. old FF2 default behaviour is wanted here) instead of going through the rigamarole. But after I found again my "Add Exception" button, I guess that won't be necessary so much any more :Thmbsup:.

Regards,

Brahman
« Last Edit: May 01, 2009, 09:04 AM by brahman »

lanux128

Re: Using noscript to force https ssl links in firefox
« Reply #18 on: May 01, 2009, 10:10 PM »
> Thanks for your help. You know why I wasn't able to find it? My dpi, resolution, and font settings are a bit unusual, so the box never showed the "Add Exception" button, which is the one I was looking for. I only needed to expand the dialogue size and there it was tucked away on the far right corner

you're welcome.. it was quite a procession for me too when i first went looking for it. :)

brahman

Re: Using noscript to force https ssl links in firefox
« Reply #19 on: May 05, 2009, 10:42 AM »
There is another FF extension which forces HTTPS and has the additional feature of setting SECURE cookies. The authors have a very good paper  :up: on their site explaining a lot of details of how to secure your site and your browser. The use of secure cookies in this process is very important.

Here is the site for "Force HTTPS" extension:
https://crypto.stanford.edu/forcehttps/

and here are the changes I made to the .js file of the extension in the following folder location
..\extensions\[email protected]\defaults\preferences\forcehttps.js
in order to connect to Donationcoder securely:

// Rewriting rules (client-side)
pref("forcehttps.rewriting.rules.^http://(([^/]+[.])?donationcoder[.]com)/",
    "https://$1/");

// Full ForceHTTPS cookie protection
pref("forcehttps.blocking.rules.(^|[.])donationcoder[.]com$", true);

// Partial ForceHTTPS cookies (only allowed client-side)
pref("forcehttps.stripcookies.rules.(^|[.])donationcoder[.]com$", true);



If anybody knows a simple way (i.e. not sniffing) of determining if a cookie has been set securely or not, I would appreciate if (s)he could share that information with me.

The use of Force HTTPS seems to be even more secure than noscript because of the secure cookie setting feature.

I have noscript permanently deactivated, because I think it is almost impossible (at least for my surfing habits) to browse the web without the use of JavaScript. So it is too much of a nuisance for me  :huh:. FF3.5 will hopefully make the possibility of cross scripting attacks more remote, FWIU.

Regards,

Brahman
« Last Edit: May 05, 2009, 10:43 AM by brahman »
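
The rewriting rule and cookie-domain pattern quoted in the post above, applied to sample input, as an added example that is not part of the original post or of the ForceHTTPS extension. It also checks the `Secure` attribute in `Set-Cookie` response header values, which is where that flag is visible; the URLs, cookie names and header values are constructed.

```javascript
// Patterns copied from the pref keys in the post (after the "…rules." prefix).
const REWRITE = new RegExp("^http://(([^/]+[.])?donationcoder[.]com)/");
const COOKIE_DOMAIN = new RegExp("(^|[.])donationcoder[.]com$");

// Apply the client-side rewriting rule; non-matching URLs pass through unchanged.
function rewriteUrl(url) {
  return url.replace(REWRITE, "https://$1/");
}

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Names of cookies scoped to the protected domain that lack the Secure flag,
// i.e. cookies the browser would also send over plain http.
function insecureCookies(host, setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => {
      const raw = typeof c.attrs.domain === "string" ? c.attrs.domain : host;
      const domain = raw.replace(/^\./, "").toLowerCase();
      return COOKIE_DOMAIN.test(domain) && !("secure" in c.attrs);
    })
    .map((c) => c.name);
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; HttpOnly",
  "prefs=dark; Domain=.donationcoder.com; Path=/; Secure",
  "theme=1; Domain=donationcoder.com; Path=/",
  "ad=9; Domain=notdonationcoder.com; Path=/",
];

console.log(rewriteUrl("http://www.donationcoder.com/forum/index.php"));
console.log(rewriteUrl("http://donationcoder.com.example.net/"));
console.log(insecureCookies("www.donationcoder.com", SAMPLE_HEADERS));
```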

mouser

Re: Using noscript to force https ssl links in firefox
« Reply #20 on: May 09, 2009, 12:28 AM »
thanks for the info Brahman, i didn't know anything about secure cookies and now i'm off to learn a bit.