My window to the world

Geekzone gone full HTTPS

By Mauricio Freitas, in , posted: 19-May-2017 10:38

Last night I switched Geekzone (www.geekzone.co.nz) to full HTTPS support. And slowly traffic over SSL is going up (comparing last six hours overnight vs last month).

Up until now we only used SSL for login, registration, private messages and profile pages plus assets (images, CSS and scripts).

Now everything is covered.

I started using SSL many years ago and wanted to have the site fully served over HTTPS for quite a while. Started by enforcing HTTPS on some content-sensitive pages and moving assets to HTTPS domains, including redirects to ensure clients used the correct schema. Last week I deployed an update for Geekzone mobile to make sure it worked on HTTPS and yesterday I did the same on the full desktop version of the site.

Also included in this change is the addition of a "Secure" flag to cookies used on these domains. This ensures cookies only move between the client browser and server when there's a secure connection. If anyone requests http://www.geekzone.co.nz instead of https://www.geekzone.co.nz the server will instruct the browser to redirect to the correct location while the browser knows not to disclose the cookies until the secure connection is established. This is essential to avoid session hijacking (unless of course we talk MITM attacks, of course).

Why have all this trouble for a forum? Because we have lots of industry (telcos mainly but other companies around too) people using the site. Account numbers, PIN and passwords are sometimes sent via our private message system (which has been served using the HTTPS schema for quite a while) so it makes sense to extend this to the whole site.

In addition to this, for the last few months I have been using ThisData to collect, analyse and understand user behaviour around the site, in real-time, to quickly determine if an account could've been compromised. Up until now we were using it in "read mode" and tracking notifications. Last week I changed the webhook/API to actually start closing sessions and blocking IP addresses if a user confirms a breach occurred.

ThisData receives millions of transactions reports (login, logout, forum post, message sent, message read, password change, new registration, avatar change, invalid password, etc) from us every month and uses machine learning to observe and assign a "risk" to each transaction. Based on this risk result our forum software can take different actions to protect our users - like the ones I described in the previous paragraph.

I have also added a Geekzone ruleset to the HTTPS Everywhere project. This ensures that browsers using the HTTPS Everywhere add-ons will know to use the HTTPS schema instead of HTTP even if the source explicitly refer to the HTTP version (including references to any Geekzone resource served in non-Geekzone pages). This is important because Cloudflare also uses the same ruleset when doing the automatic HTTPS upgrade for some of their millions of clients around the Internet.

We also use other platforms to prevent spammers and scammers joining the site. One or another can sometimes get past all this protection but our moderator team is pretty quick to act and our community is really good at reporting suspicious behaviour.

There are lots more to be done, for sure. But it feels good when all this falls into place.

Update 20 May: Added HSTS headers now, site listing update on HTTPSWatch NZ.

Other related posts:
Google crawling Geekzone HTTPS
Google Chrome cache performance
Geekzone experience using Pingdom RUM






comments powered by Disqus

freitasm's profile

Mauricio Freitas
Wellington
New Zealand


I live in New Zealand and my interests include mobile devices, good books, movies and food of course! 

I'm the Geekzone admin. On Geekzone we publish news, reviews and articles on technology topics. The site also has some busy forums. Also worth visiting is TravelTalk NZ, a community for travelers!

Subscribe now to my blog RSS feed or the Geekzone RSS feed.

If you want to contact me, please use this page or email me freitasm@geekzone.co.nz. Note this email is not for technical support. I don't give technical support. You can use our Geekzone Forums for community discussions on technical issues.

Here's is my full disclosure post.

A couple of blog posts you should read:


Social networks presence

View Mauricio Freitas's profile on LinkedIn


My Blog by tags...

Blog...
Entrepreneurship...
Media...
Personal...
State of Browsers...
Technology...
Viral Marketing...
Web Performance Optimization...
Windows...
Windows Phone...

Other recent posts in my blog

Google crawling Geekzone HTTPS...
Microsoft Ignite New Zealand, ...
If the headlines indicate the ...
Geekzone data analytics with P...
State of browsers Geekzone Mar...
2Cheap Cars discussion...
Now with more fibre...
Unlimited is not unlimited: Vo...
How bad is Vodafone cable at t...
Frustrated with Microsoft Fami...

New posts on Geekzone