Prometheum
2008-12-28, 03:59
Abstract
I present a method for redirecting all plaintext traffic for browsing Totse via HTTP to HTTPS, a version of HTTP which uses SSL encryption. This work can be expanded to allow arbitrary HTTP/HTTPS hybrid sites to be coerced into using HTTPS.
1: Introduction
I first began using https to browse Totse a long time ago for reasons I have since long forgotten. Since then, the only other user I have known to have used HTTPS exclusively is our venerable moderator oddballz, with the possible exception of one user who asked about HTTPS after Jeff Hunter bumped a news item on the front page related to Totse's use of HTTPS. However, I have frequently been linked to Totse pages presented in HTTP by members in other channels of communication. While it is easy for me to remember to change to HTTPS (as I have different Totse themes on each one), others might not be so lucky. Using HTTPS has a number of benefits, including bypassing weak censorship measures, providing anonymity of content, and providing security of login credentials in hostile networks (such as unsecured or WEP-encrypted wireless networks or school/university/workplace networks). This guide begins with information on installing ForceHTTPS, continues with a description of the ForceHTTPS configuration system, details an implementation of ForceHTTPS rules for Totse, and concludes with implications and acknowledgements.
2.1: Installing ForceHTTPS
ForceHTTPS is implemented as an extension for the popular Free Software (http://fsf.org) browser Mozilla Firefox (http://getfirefox.org). If you do not have Firefox installed, you will need to install it before going on. If you are using a Debian-based system with AptURL installed, simply click here (apt://firefox). If not, refer to your system's documentation as to how to install Firefox.
Once Firefox is installed, navigate to the ForceHTTPS project page (http://forcehttps.com) and click the button labeled "ForcedHTTPS Installer". This will install the addon into Firefox. Restart Firefox afterwards to load the extension.
2.2: About ForceHTTPS
ForceHTTPS defends against threats in two ways: rewriting URLs for selected sites to use https instead of http, and protecting cookies from those sites against access on non-secure sites. For further information about ForceHTTPS, refer to the paper ForceHTTPS: Protecting High-Security Web Sites from Network Attacks (https://crypto.stanford.edu/forcehttps/forcehttps.pdf), by Collin Jackson and Adam Barth.
2.3: About HTTP vs. HTTPS
The Internet was originally designed as a small network between trusted peers. As such, many protocols which could communicate sensitive information (ftp, remote login, and http) were left in "plaintext", or unobfuscated forms. However, the internet quickly exploded out of ARPA's basement and began proliferating. Now, internet users face phishing, cross-site request forgeries and cross-site scripting exploits, and hostile networks. HTTP, as a "plaintext" protocol, is woefully inadequate for these situations, as any data sent over a plaintext http connection can be trivially read by any third party. HTTPS was developed to grant end-to-end encryption for HTTP users, an absolute necessity for privacy or e-commerce. To use an analogy common to email, HTTP is like a postcard, while HTTPS is like a letter in an envelope. Nobody carrying the envelope can see what is inside it. Only the users on the ends of the stream are capable of obtaining the original plaintext.
3: Configuring ForceHTTPS for Arbitrary Sites
3.1: An Overview of ForceHTTPS Configuration
While ForceHTTPS is indeed user-configurable, it does not implement a Preferences menu in the Addons Manager window. We will need to head to about:config and enter "forcehttps" as a filter in order to view only forcehttps-related keys.
You will see three main groups here, in the classes forcehttps.blocking.rules, forcehttps.rewriting.rules, and forcehttps.stripcookies.rules. Each key sits in its own subclass of one of these classes, and the final component of the key name is a regular expression denoting the site to protect. For instance, to protect example.com from un-encrypted access, one would add keys of these names:
forcehttps.blocking.rules.^example[.]com$
forcehttps.rewriting.rules.^http://example[.]com$
forcehttps.stripcookies.rules.^example[.]com$
For those unfamiliar with regular expressions, the '^' character denotes the beginning of a line, and the '$' character denotes the end of a line. Brackets ("[", "]") are added around periods in the final class name in order to explicitly declare them as the character ".", and not the special regular expression character ".". For further information on regexes, see Wikipedia (http://en.wikipedia.org/wiki/Regular_expression).
These keys are presented in the order in which they will appear on the page. Keys 1 and 3 are of type "boolean" and should be set to "true" in order for ForceHTTPS to protect the host. Key 2, however, is different.
The second key is of type "string", and denotes what the URL should be transformed to upon a successful match. The use of regular expressions in the class basename allows for elements of the original URL to be accessed through regular expression memory variables, which will be discussed later. The value of key 2 should be the secure URL. In a simple case such as this, the value would be:
https://example.com
4: Implementations of ForceHTTPS
This section contains instructions and analysis pertaining to specific applications of ForceHTTPS. The sites discussed will be totse.com and Wikipedia, as they provide examples of both simple and complex applications of ForceHTTPS.
4.1: Securing Totse with ForceHTTPS
As discussed previously, securing a site with ForceHTTPS requires three keys to be set. The names of the keys in Totse's case are:
forcehttps.blocking.rules.^www[.]totse[.]com$
forcehttps.rewriting.rules.^http://www[.]totse[.]com/
forcehttps.stripcookies.rules.^www[.]totse[.]com$
The types for keys 1 and 3 should be "boolean", and their values "true". The type of the second key should be "string", and its value should be:
https://www.totse.com/
The configuration will be active immediately. You can test it by loading any http totse page. As Totse uses a self-signed SSL certificate, you will have to "confirm" that the certificate is valid. The proper MD5 and SHA1 fingerprints for Totse's certificate are located here (https://www.totse.com/en/_about/cert.html).
4.2: Applying ForceHTTPS to Wikipedia
Wikipedia is another site for which it makes very good sense to use HTTPS. Wikipedia content has been censored even in first-world "democratic" countries such as the United Kingdom (http://news.bbc.co.uk/2/hi/uk_news/7770456.stm), and the knowledge on Wikipedia could be deemed "subversive" or "terrorist" by entities. Using HTTPS to access Wikipedia is very prudent, but unlike Totse, Wikipedia does not offer HTTP and HTTPS side-by-side. Instead, it uses a separate secure host located at secure.wikimedia.org. This section outlines how to configure ForceHTTPS to convert HTTP Wikipedia URLs to secure HTTPS URLs. Just because we can, we will block unprotected access to several popular Wikimedia sites: wikibooks, wikinews, wikiversity, wikiquote, and wiktionary.
The most complex element of this configuration is the URL transformation. We must rewrite a URL in the form of http://en.wikipedia.org/wiki/Totse to a URL in the form of https://secure.wikimedia.org/wikipedia/en/Totse. To simplify this, let's break the HTTP URL into component parts:
http://<language_code>.<wiki>.org/wiki/<Article_name>
The corresponding URL for the secure server is:
https://secure.wikimedia.org/<wiki>/<language_code>/<Article_name>
This calls for an application of regex variables. Regex variables are created when a part of a regex is enclosed in parens, and are accessed by $1, $2, ..., $n in order of appearance. Therefore, our key #2 for ForceHTTPS Wikipedia is:
forcehttps.rewriting.rules.
^http://(.{2})[.]wik(tionary|ipedia|inews|iquote|ibooks|iversity)[.]org/wiki/(.+)($|/)
with a value of
forcehttps.rewriting.rules.
^http://(.{2})[.]wik(tionary|ipedia|inews|iquote|ibooks|iversity)[.]org/wiki/(.+)($|/)
(newlines added for cosmetic reasons)
As you can see,
The other two keys are simpler. They are:
forcehttps.blocking.rules.(^|[.])wik(tionary|ipedia|inews|iquote|ibooks|iversity)[.]org$
forcehttps.stripcookies.rules.(^|[.])wik(tionary|ipedia|inews|iquote|ibooks|iversity)[.]org$
As always, they are booleans, set to "true".
Visiting arbitrary pages on these Wikimedia projects will now redirect you to the secure URL.
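A way to check what the section 4.2 patterns actually cover before trusting them, as an added example that is not part of the original post or of ForceHTTPS. Assumptions: the rule is applied like a JavaScript regex replace, the replacement string is derived here from the secure-URL template above (the post does not show it), the alternation uses single '|' separators, and all sample URLs are constructed.

```javascript
// Patterns from section 4.2, typed as they would appear in the about:config
// key names, with single '|' separators in the alternation.
const WIKIS = "(tionary|ipedia|inews|iquote|ibooks|iversity)";
const REWRITE_RULE = new RegExp("^http://(.{2})[.]wik" + WIKIS + "[.]org/wiki/(.+)($|/)");
const HOST_RULE = new RegExp("(^|[.])wik" + WIKIS + "[.]org$");

// ASSUMPTION: replacement derived from the secure-URL template in the text
// (<wiki>/<language_code>/<Article_name>).
// $1 = language code, $2 = wiki name after "wik", $3 = article name.
const REWRITE_VALUE = "https://secure.wikimedia.org/wik$2/$1/$3";

// ASSUMPTION: the rule behaves like String.prototype.replace.
function rewrite(url) {
  return REWRITE_RULE.test(url) ? url.replace(REWRITE_RULE, REWRITE_VALUE) : null;
}

// Classify a URL: rewritten to HTTPS, on a protected host but missed by the
// rewriting rule, or outside the rules entirely.
function audit(url) {
  const secure = rewrite(url);
  if (secure) return { status: "rewritten", secure };
  const host = new URL(url).hostname;
  return { status: HOST_RULE.test(host) ? "host-only" : "untouched", secure: null };
}

// Constructed sample URLs, including negative cases.
const SAMPLES = [
  "http://en.wikipedia.org/wiki/Totse",
  "http://de.wiktionary.org/wiki/Haus",
  "http://simple.wikipedia.org/wiki/Totse",          // language code is not two characters
  "http://en.wikipedia.org/w/index.php?title=Totse", // path is not /wiki/...
  "http://en.wikipedia.org.example.net/wiki/Totse",  // look-alike host, must not match
  "http://en.wik.org/wiki/Totse",                    // would match if the alternation had an empty branch
];

function report() {
  return SAMPLES.map((u) => ({ url: u, ...audit(u) }));
}

for (const row of report()) {
  console.log(row.status.padEnd(10), row.url, row.secure ? "-> " + row.secure : "");
}
```

Rows marked "host-only" are plain-HTTP URLs on a host the blocking and cookie rules name but the rewriting rule does not convert, such as language codes longer than two characters and paths outside /wiki/.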
5: Implications and Acknowledgements
5.1: Implications
As has been stated, using https allows for end-to-end security and protection of content. HTTPS can be used to circumvent poorly-configured blocklists and to circumvent dynamic content-inspection filtering systems. While an adversary can see which site a user is connecting to, they are unable to determine what content on the site the user is accessing.
5.2: Acknowledgements
The author would like to thank the authors of ForceHTTPS, Collin Jackson and Adam Barth. The author would also like to thank oddballz, for always using https and saying so any time the author linked a thread using https, and Richard M. Stallman for making freedom possible in the first place.