Up until now we only used SSL for login, registration, private messages and profile pages plus assets (images, CSS and scripts).
Now everything is covered.
I started using SSL many years ago and wanted to have the site fully served over HTTPS for quite a while. Started by enforcing HTTPS on some content-sensitive pages and moving assets to HTTPS domains, including redirects to ensure clients used the correct schema. Last week I deployed an update for Geekzone mobile to make sure it worked on HTTPS and yesterday I did the same on the full desktop version of the site.
Also included in this change is the addition of a "Secure" flag to cookies used on these domains. This ensures cookies only move between the client browser and server when there's a secure connection. If anyone requests http://www.geekzone.co.nz instead of https://www.geekzone.co.nz the server will instruct the browser to redirect to the correct location while the browser knows not to disclose the cookies until the secure connection is established. This is essential to avoid session hijacking (unless of course we talk MITM attacks, of course).
Why have all this trouble for a forum? Because we have lots of industry (telcos mainly but other companies around too) people using the site. Account numbers, PIN and passwords are sometimes sent via our private message system (which has been served using the HTTPS schema for quite a while) so it makes sense to extend this to the whole site.
In addition to this, for the last few months I have been using ThisData to collect, analyse and understand user behaviour around the site, in real-time, to quickly determine if an account could've been compromised. Up until now we were using it in "read mode" and tracking notifications. Last week I changed the webhook/API to actually start closing sessions and blocking IP addresses if a user confirms a breach occurred.
ThisData receives millions of transactions reports (login, logout, forum post, message sent, message read, password change, new registration, avatar change, invalid password, etc) from us every month and uses machine learning to observe and assign a "risk" to each transaction. Based on this risk result our forum software can take different actions to protect our users - like the ones I described in the previous paragraph.
I have also added a Geekzone ruleset to the HTTPS Everywhere project. This ensures that browsers using the HTTPS Everywhere add-ons will know to use the HTTPS schema instead of HTTP even if the source explicitly refer to the HTTP version (including references to any Geekzone resource served in non-Geekzone pages). This is important because Cloudflare also uses the same ruleset when doing the automatic HTTPS upgrade for some of their millions of clients around the Internet.
We also use other platforms to prevent spammers and scammers joining the site. One or another can sometimes get past all this protection but our moderator team is pretty quick to act and our community is really good at reporting suspicious behaviour.
There are lots more to be done, for sure. But it feels good when all this falls into place.
comments powered by Disqus