Google Extends SSL To Developer-Facing APIs
Orome1 writes "Firesheep's authors can be satisfied with the gradual migration towards SSL that most of the biggest social networks, search engines, online shops and others have embarked upon since its advent. Google, which has already taken care of its users and encrypted its Web Search, Gmail and Google Docs, has now turned its attention to the APIs used by developers."
Re: (Score:2, Offtopic)
I don't know what's worse: the fact that people image search porn on Google and want it private using https, or the fact that I had to confirm that lesbian midget fisting is a valid and easily found Google Image search.
Re: (Score:1)
Re:Public pr0n (Score:4, Funny)
This tells us two things:
1. You have SafeSearch enabled.
2. Somewhere, there's a soccer team called the Lesbian Midgets.
Re: (Score:1)
This tells us two things:
1. You have SafeSearch enabled.
Yes, I did have safe-search set to moderate! I swear I'd turned it off before and it was misleading because the vanilla porn still showed up. Thankfully my search now returns mucho fisting porno. Still a little disappointed at the lack of midgets involved though! Also, I feel like a noob!
2. Somewhere, there's a soccer team called the Lesbian Midgets.
Actually Lesbian&Midget&Fisting matches a LOT of soccer teams.
Good. (Score:2)
Encryption is like bacon. The more the better.
Re: (Score:2)
Until it clogs your computing arteries?
Re: (Score:2)
At least your computer dies happy.
Re: (Score:1)
Re: (Score:2)
Yes. Bacon is not only far superior to other meat, but also to salt.
Re: (Score:1)
Kosher (Score:2)
You shouldn't use it if you're kosher?
Re: (Score:2)
Encryption is like bacon. The more the better.
That's why I always use ROT-13 twice.
Belt and suspenders (Score:3)
Since we generally can't just shut down access to port 80 yet (people would just get errors and become confused and angry), there are two methods you can use to transition clients to HTTPS. Use HTTP Strict Transport Security, which will address newer clients like Chrome: ideally they access your site securely the first time and you essentially tell them "from now on use HTTPS" for a specific amount of time (the longer the better):
# HSTS directives are separated by ";". Apache's "Header append" joins values
# with a comma, which browsers reject as malformed, so set the whole value at once.
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
The second will address current clients, but will not prevent things like Firesheep. However, it will hopefully result in people bookmarking your site with HTTPS and so on:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
This should also in theory cause any incoming links from sites that generate them dynamically (e.g. search engines) to take the permanent redirect and update their links (so if someone searches for you and clicks on the link, it'll be an HTTPS link).
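The two-step transition above (permanent redirect off port 80, then a well-formed HSTS header on the HTTPS side) can be verified from the client's point of view. The following is an added example, not code from the post: it parses the Strict-Transport-Security value the way RFC 6797 requires and checks constructed responses for a placeholder host, example.test, showing that the comma-joined value Apache's "Header append" produces is one a browser would ignore.

```python
import re
from urllib.parse import urlsplit

# Constructed (status, headers) pairs standing in for a client's view of a
# site's http:// and https:// origins; example.test is a placeholder host.
HTTP_RESPONSE = (301, {"Location": "https://example.test/page?x=1"})
HTTPS_GOOD = (200, {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"})
# What Apache "Header append" produces: directives joined by a comma, not ";".
HTTPS_BAD = (200, {"Strict-Transport-Security": "max-age=15552000, includeSubDomains"})

TOKEN = re.compile(r"^[\w!#$%&'*+.^`|~-]+$")  # RFC 7230 tchar set

def parse_hsts(value):
    """Parse a Strict-Transport-Security value as RFC 6797 requires.
    Returns {directive_name: value} or None when a UA would ignore the header."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not TOKEN.match(name) or name in directives:  # bad or duplicate directive
            return None
        if val.startswith('"') and val.endswith('"') and len(val) >= 2:
            val = val[1:-1]
        elif val and not TOKEN.match(val):  # "15552000, includeSubDomains" fails here
            return None
        directives[name] = val
    if not directives.get("max-age", "").isdigit():  # max-age is mandatory
        return None
    return directives

def check_https_transition(http_resp, https_resp, host, min_max_age=15552000):
    """Return a list of findings (empty means the redirect + HSTS setup looks right)."""
    findings = []
    status, headers = http_resp
    if status not in (301, 308):
        findings.append(f"plain-HTTP request answered with {status}, not a permanent redirect")
    target = urlsplit(headers.get("Location", ""))
    if target.scheme != "https" or target.hostname != host:
        findings.append(f"redirect target {headers.get('Location')!r} is not https://{host}/...")
    hsts = parse_hsts(https_resp[1].get("Strict-Transport-Security", ""))
    if hsts is None:
        findings.append("HSTS header missing or malformed; browsers will ignore it")
    elif int(hsts["max-age"]) < min_max_age:
        findings.append(f"HSTS max-age {hsts['max-age']} is below {min_max_age}")
    return findings

if __name__ == "__main__":
    print(check_https_transition(HTTP_RESPONSE, HTTPS_GOOD, "example.test"))  # []
    print(check_https_transition(HTTP_RESPONSE, HTTPS_BAD, "example.test"))
```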
Re: (Score:3, Informative)
<!-- Redirects all http requests to https. Does not send cookies with the redirect. -->
<security-constraint>
  <!-- The schema requires web-resource-collection (with a name) before user-data-constraint. -->
  <web-resource-collection>
    <web-resource-name>all-content</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Prevents the application from appending
Re: (Score:1)
That said, if your website is open to any form of XSS, you have bigger problems.
and slashdot is still ignoring the problem (Score:4, Interesting)
Typing https://slashdot.org/ just brings you back to http://slashdot.org/.
Is it too hard to do, or does no one care here?
Re: (Score:3)
The HTTPS site is for subscribers only - it's a backup in case /. gets so bogged down the regular HTTP bank is unusable. The admins use the HTTPS server, so subs can access the same servers the admins use. That was a few years ago, but I'd guess it's still true today.
http://news.slashdot.org/story/07/10/22/145209/Slashdots-Setup-Part-2--Software
App Engine As Well (Score:2)
One of the long-standing shortcomings of App Engine was the lack of server certificate validation in the URL Fetch service. Google apparently took care of that as well.