Slashdot Mirror


Google Extends SSL To Developer-Facing APIs

Orome1 writes "Firesheep's authors can be satisfied with the gradual migration towards SSL that most of the biggest social networks, search engines, online shops and others have embarked upon since its advent. Google, which has already taken care of its users and encrypted its Web Search, Gmail and Google Docs, has now turned its attention to the APIs used by developers."

34 comments

  1. Re:Public pr0n by Anonymous Coward · · Score: 0

    That always struck me as odd as well. I can't believe Google isn't helping me hide my fetish for lesbian midget fisting.

  2. Re:Public pr0n by Shikaku · · Score: 1, Offtopic

    I don't know what's worse: the fact that people image search porn on Google and want it private using https, or the fact that I had to confirm that lesbian midget fisting is a valid and easily found Google Image search.

  3. No Support For Linux Yet by Anonymous Coward · · Score: 0

    Linux doesn't seem to be supported yet for this plug-in :(

  4. Frist Post by Anonymous Coward · · Score: 0

    But are first posts encrypted?

  5. Re:Public pr0n by Anonymous Coward · · Score: 0

    Definitely the latter.

  6. Good. by mirix · · Score: 1

    Encryption is like bacon. The more the better.

    --
    Sent from my PDP-11
    1. Re:Good. by Malnar · · Score: 2

      Until it clogs your computing arteries?

    2. Re:Good. by Anonymous Coward · · Score: 0

      They should make the whole pig into bacon. Bacon should be the only meat anyone eats. Bacon and beer would give you all the nutrients you need to survive.

    3. Re:Good. by SinShiva · · Score: 1

      encryption is like eggs because we always only seem to have one fully functional option, concurrently

    4. Re:Good. by bemymonkey · · Score: 1

      Yes. Bacon is not only far superior to other meat, but also to salt.

    5. Re:Good. by Migala77 · · Score: 1

      Encryption is like bacon. The more the better.

      That's why I always use ROT-13 twice.

    6. Re:Good. by jgagnon · · Score: 1

      At least your computer dies happy.

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
    7. Re:Good. by arndawg · · Score: 1

      Cut the carbs and it won't clog you.

  7. Re:Public pr0n by captain_sweatpants · · Score: 1

    No, what's more disturbing is that a search for lesbian midget porn mostly returns pictures of soccer players assembled for team photos. What the hell?? Now I'm thinking I should spice up my life a little and join a soccer team!

  8. Re:Public pr0n by MrEricSir · · Score: 3, Funny

    This tells us two things:
    1. You have SafeSearch enabled.
    2. Somewhere, there's a soccer team called the Lesbian Midgets.

    --
    There's no -1 for "I don't get it."
  9. Belt and suspenders by seifried · · Score: 2

    Since we generally can't just shut down access to port 80 yet (people would just get errors and be confused and angry), there are two methods you can use to transition clients to HTTPS. Use HTTP Strict Transport Security, which will address newer clients like Chrome: ideally they access your site securely the first time and you essentially tell them "from now on use HTTPS" for a specific amount of time (the longer the better):

    # On the https vhost only: user agents ignore HSTS received over cleartext.
    # One 'set' with ';'-separated directives; 'Header append' would join the
    # values with a comma, which is not valid HSTS syntax and gets ignored.
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    The second will address current clients, but will not prevent things like Firesheep. However, it will hopefully result in people bookmarking your site with HTTPS and so on:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]

    This should also, in theory, cause any incoming links from sites that generate them dynamically (e.g. search engines) to take the permanent redirect and update their links (so if someone searches for you and clicks on the link, it'll be an HTTPS link).
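    A small audit of the two controls this comment describes, as an added example (not the poster's code): it parses a Strict-Transport-Security value the way RFC 6797 tells a user agent to, and checks that a cleartext request gets a permanent redirect to the same host and path on https. The host, path and response headers below are constructed for the example, not captured traffic; the `min_max_age` threshold of 15552000 seconds is just the value from the config above.

```python
"""Audit the HTTP->HTTPS transition controls from the comment above:
a permanent redirect off port 80 plus a well-formed HSTS header.
Added example, not code from the post; runs on constructed responses."""
import re
from typing import Optional
from urllib.parse import urlsplit

# RFC 6797: directives are ';'-separated, names are case-insensitive,
# max-age is a non-negative integer (optionally quoted), unknown directives
# are ignored, and a duplicated directive invalidates the whole header.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*?)\2)?\s*$')


def parse_hsts(value: str) -> Optional[dict]:
    """Return the effective HSTS policy, or None if a conforming user agent
    would ignore the header (e.g. the comma-joined value 'Header append' makes)."""
    seen = {}
    for raw in value.split(';'):
        if not raw.strip():
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None
        seen[name] = m.group(3)
    max_age = seen.get('max-age')
    if not max_age or not max_age.isdigit():
        return None
    return {'max_age': int(max_age),
            'include_subdomains': 'includesubdomains' in seen,
            'preload': 'preload' in seen}


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def audit_transition(host: str, path: str, http_status: int, http_headers: dict,
                     https_headers: dict, min_max_age: int = 15552000) -> list:
    """Findings for one cleartext request and the equivalent TLS request.
    An empty list means the site behaves as the two configs above intend."""
    findings = []
    # 1. Cleartext side: a *permanent* redirect to the same host and path on
    #    https, so crawlers and bookmarks get updated rather than just bounced.
    if http_status not in (301, 308):
        findings.append(f'http: expected 301/308, got {http_status}')
    loc = _header(http_headers, 'Location')
    if loc is None:
        findings.append('http: redirect without Location header')
    else:
        u = urlsplit(loc)
        if u.scheme != 'https':
            findings.append(f'http: redirect target is not https ({loc})')
        if (u.hostname or '').lower() != host.lower():
            findings.append(f'http: redirect changes host ({loc})')
        if u.path != path:
            findings.append(f'http: redirect drops the path ({loc})')
    # HSTS received over insecure transport is ignored (RFC 6797 section 8.1).
    if _header(http_headers, 'Strict-Transport-Security') is not None:
        findings.append('http: HSTS header sent over cleartext is ignored by UAs')
    # 2. TLS side: a parseable, long-lived policy.
    raw = _header(https_headers, 'Strict-Transport-Security')
    policy = parse_hsts(raw) if raw is not None else None
    if raw is None:
        findings.append('https: no Strict-Transport-Security header')
    elif policy is None:
        findings.append(f'https: HSTS header is malformed ({raw!r})')
    elif policy['max_age'] < min_max_age:
        findings.append(f'https: max-age {policy["max_age"]} below {min_max_age}')
    return findings


# Constructed sample responses for example.com (not captured traffic).
GOOD_HTTP = (301, {'Location': 'https://example.com/login', 'Content-Length': '0'})
GOOD_HTTPS = {'Strict-Transport-Security': 'max-age=15552000; includeSubDomains'}
BAD_HTTP = (302, {'Location': 'http://example.com/'})
# Comma-joined value as produced by 'Header append': the UA ignores it.
BAD_HTTPS = {'Strict-Transport-Security': 'max-age=15552000, includeSubDomains'}

if __name__ == '__main__':
    for label, http, https in (('good', GOOD_HTTP, GOOD_HTTPS), ('bad', BAD_HTTP, BAD_HTTPS)):
        print(label, audit_transition('example.com', '/login', http[0], http[1], https) or 'OK')
```

    Run against a real site by substituting the status and headers of an `http://` and an `https://` request for the constructed ones; the `BAD_HTTPS` case shows why the single `Header set` form above is the right one.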

    1. Re:Belt and suspenders by Anonymous Coward · · Score: 0

      And of course I forgot to include a link to http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - posting anon since my karma is just fine

    2. Re:Belt and suspenders by wunderbus · · Score: 3, Informative

      If you're using Java servlets, you can include the following in your web.xml:

      <!-- Redirects all http requests to https. Does not send cookies with the redirect.
           (The schema requires web-resource-name and puts web-resource-collection
           before user-data-constraint.) -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Everything</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <!-- Prevents the application from appending the session ID to the URL
           (cookie-only tracking) and makes the session cookie secure-only, so
           that if the user has an active session and then makes a regular http
           request to your site, the session cookie won't be sent with that
           request. Servlet 3.0 form; an http-only element sits next to secure. -->
      <session-config>
        <cookie-config>
          <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
      </session-config>

    3. Re:Belt and suspenders by wunderbus · · Score: 1

      I believe there's also a way to add the HttpOnly flag to your session cookie, but I can't remember what it is. It's not as important as those other configuration settings though--all it does is prevent a certain type of XSS attack from exposing the session cookie, described here: http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

      That said, if your website is open to any form of XSS, you have bigger problems.
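      As an added example covering the two cookie points in these comments (not the poster's code): a check of Set-Cookie headers for the Secure and HttpOnly flags, and a check for a session ID rewritten into a URL, which is what the cookie-only tracking setting above prevents. The list of cookie names treated as session cookies and the sample headers and URLs are assumptions constructed for the example.

```python
"""Audit cookie-side controls: Secure/HttpOnly flags on Set-Cookie and no
session ID rewritten into URLs. Added example, not code from the posts."""
from urllib.parse import urlsplit

# Cookie names treated as session identifiers (an assumption for this example).
SESSION_COOKIE_NAMES = {'jsessionid', 'phpsessid', 'asp.net_sessionid'}


def parse_set_cookie(line: str):
    """Split one Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in line.split(';')]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_lines) -> list:
    """Return (cookie_name, issue) pairs. On an HTTPS-only site every cookie
    should be Secure (otherwise a plain http:// request leaks it, Firesheep
    style); session cookies should also be HttpOnly so script cannot read them."""
    findings = []
    for line in set_cookie_lines:
        name, _, attrs = parse_set_cookie(line)
        if 'secure' not in attrs:
            findings.append((name, 'missing Secure: sent in clear on http:// requests'))
        if name.lower() in SESSION_COOKIE_NAMES and 'httponly' not in attrs:
            findings.append((name, 'missing HttpOnly: readable by injected script'))
    return findings


def session_in_url(url: str) -> bool:
    """True if a session ID was rewritten into the URL, either as the servlet
    ';jsessionid=...' path parameter or as a query parameter of the same name.
    Such URLs leak the session through Referer headers, logs and bookmarks."""
    u = urlsplit(url)
    path_params = [seg.partition('=')[0].lower() for seg in u.path.split(';')[1:]]
    query_keys = [kv.partition('=')[0].lower() for kv in u.query.split('&') if kv]
    return any(k in SESSION_COOKIE_NAMES for k in path_params + query_keys)


# Constructed sample headers and URLs (not captured from any site).
SAMPLE_HEADERS = ['JSESSIONID=abc123; Path=/', 'theme=dark; Path=/',
                  'JSESSIONID=abc123; Path=/; Secure; HttpOnly']
SAMPLE_URLS = ['https://example.com/app/home;jsessionid=ABC?x=1',
               'https://example.com/app/home?x=1']

if __name__ == '__main__':
    for name, issue in audit_cookies(SAMPLE_HEADERS):
        print(f'{name}: {issue}')
    for url in SAMPLE_URLS:
        print(url, '-> session in URL' if session_in_url(url) else '-> OK')
```

      Feed it the Set-Cookie lines and the Location or link URLs from a real response; the third sample header is what the web.xml settings above should produce.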

    4. Re:Belt and suspenders by Anonymous Coward · · Score: 0

      If you're using Java servlets, you might as well kill yourself from how horrible it is.

    5. Re:Belt and suspenders by Anonymous Coward · · Score: 0

      I try this on my IIS metabase and now all errors from clients. THIS NOT GOOD!!11!
      please To send the codes for correcting the porblem.

  10. Re:Its about time by Anonymous Coward · · Score: 0

    I thought that he got over 9000 accounts.

  11. Re:Its about time by Anonymous Coward · · Score: 0

    pretty scary stuff, but gmail has had an "only use ssl" option for a while. I think it's now default, in the wake of the china/IE incident (which was mostly due to IE sucking ass).

  12. Re:Its about time by Anonymous Coward · · Score: 0

    goatse

  13. Re:Public pr0n by captain_sweatpants · · Score: 1

    This tells us two things:
    1. You have SafeSearch enabled.

    Yes, I did have safe-search set to moderate! I swear I'd turned it off before and it was misleading because the vanilla porn still showed up. Thankfully my search now returns mucho fisting porno. Still a little disappointed at the lack of midgets involved though! Also, I feel like a noob!

    2. Somewhere, there's a soccer team called the Lesbian Midgets.

    Actually Lesbian&Midget&Fisting matches a LOT of soccer teams.

  14. Kosher by MrEricSir · · Score: 1

    You shouldn't use it if you're kosher?

    --
    There's no -1 for "I don't get it."
  15. Goatse link by Anonymous Coward · · Score: 0

    The link takes you to goatse pic. What A nice way to start my day...

  16. and slashdot is still ignoring the problem by xophos · · Score: 4, Interesting

    Typing https://slashdot.org/ just brings you back to http://slashdot.org./
    Is it too hard to do, or does no one care here?

    1. Re:and slashdot is still ignoring the problem by tlhIngan · · Score: 2

      Typing https://slashdot.org/ just brings you back to http://slashdot.org./
      Is it too hard to do, or does no one care here?

      The HTTPS site is for subscribers only - it's a backup in case /. gets so bogged down the regular HTTP bank is unusable. The admins use the HTTPS server, so subs can access the same servers the admins use. That was a few years ago, but I'd guess it's still true today.

      http://news.slashdot.org/story/07/10/22/145209/Slashdots-Setup-Part-2--Software

  17. App Engine As Well by Foresto · · Score: 1

    One of the long-standing shortcomings of App Engine was the lack of server certificate validation in the URL Fetch service. Google apparently took care of that as well.
