Slashdot Mirror


Google Extends SSL To Developer-Facing APIs

Orome1 writes "Firesheep's authors can be the satisfied with the gradual migration towards SSL that most of the biggest social networks, search engines, online shops and others have embarked upon since its advent. Google, which has already taken care of its users and encrypted its Web Search, Gmail and Google Docs, has now turned its attention to the APIs used by developers."


  1. Re:Public pr0n by Shikaku · · Score: 1, Offtopic

    I don't know what's worse: the fact that people image search porn on Google and want it private using https, or the fact that I had to confirm that lesbian midget fisting is a valid and easily found Google Image search.

  2. Good. by mirix · · Score: 1

    Encryption is like bacon. The more the better.

    --
    Sent from my PDP-11

    1. Re:Good. by Malnar · · Score: 2

      Until it clogs your computing arteries?

    2. Re:Good. by SinShiva · · Score: 1

      Encryption is like eggs because we always only seem to have one fully functional option, concurrently.

    3. Re:Good. by bemymonkey · · Score: 1

      Yes. Bacon is not only far superior to other meat, but also to salt.

    4. Re:Good. by Migala77 · · Score: 1

      Encryption is like bacon. The more the better.

      That's why I always use ROT-13 twice.

    5. Re:Good. by jgagnon · · Score: 1

      At least your computer dies happy.

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.

    6. Re:Good. by arndawg · · Score: 1

      Cut the carbs and it won't clog you.

  3. Re:Public pr0n by captain_sweatpants · · Score: 1

    No, what's more disturbing is a search for lesbian midget porn mostly returns pictures of soccer players assembled for team photos. What the hell?? Now I'm thinking I should spice up my life a little and join a soccer team!

  4. Re:Public pr0n by MrEricSir · · Score: 3, Funny

    This tells us two things:
    1. You have SafeSearch enabled.
    2. Somewhere, there's a soccer team called the Lesbian Midgets.

    --
    There's no -1 for "I don't get it."

  5. Belt and suspenders by seifried · · Score: 2

    Since we generally can't just shut down access to port 80 yet (people would just get errors and get confused and angry), there are two methods you can use to transition clients to HTTPS. Use HTTP Strict Transport Security, which will address newer clients like Chrome: ideally they access your site securely the first time and you essentially tell them "from now on use HTTPS" for a specific amount of time (the longer the better):

    # mod_headers, in the HTTPS virtual host. A single "set" is used instead of "set" plus
    # "append": "Header append" joins values with ", ", but HSTS directives are separated by ";".
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    The second will address current clients, but will not prevent things like Firesheep. However, it will hopefully result in people bookmarking your site with HTTPS and so on:

    # mod_rewrite: permanently redirect every plain-http request to the same URL over HTTPS.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]

    This should also, in theory, cause any incoming links from sites that generate them dynamically (e.g. search engines) to take the permanent redirect and update their links (so if someone searches for you and clicks on the link it'll be an HTTPS link).

    1. Re:Belt and suspenders by wunderbus · · Score: 3, Informative

      If you're using Java servlets, you can include the following in your web.xml:

      <!-- Redirects all http requests to https. Does not send cookies with the redirect.
           The web.xml schema requires web-resource-collection (with a web-resource-name)
           before user-data-constraint. -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>whole site</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <!-- Prevents the application from appending the session ID to the URL
           (tracking-mode COOKIE). Also makes the session cookie secure-only, so
           that if the user has an active session then makes a regular http
           request to your site, the session cookie won't be sent with that
           request. Standard Servlet 3.0 web.xml syntax. -->
      <session-config>
        <cookie-config>
          <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
      </session-config>

    2. Re:Belt and suspenders by wunderbus · · Score: 1

      I believe there's also a way to add the HttpOnly flag to your session cookie, but I can't remember what it is. It's not as important as those other configuration settings though--all it does is prevent a certain type of XSS attack from exposing the session cookie, described here: http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

      That said, if your website is open to any form of XSS, you have bigger problems.
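
Added example, not code from the thread: an offline checker that applies the advice in the two comments above (permanent http-to-https redirect, an HSTS header, Secure/HttpOnly session cookies) to constructed HTTP responses. It also shows why a `Header set` followed by `Header append` for HSTS yields a comma-joined value that is not valid RFC 6797 syntax. Host names and cookie values are made up.

```python
"""Audit captured HTTP responses against the HTTPS-migration checklist in this thread."""
from urllib.parse import urlsplit

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {lowercase-name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(head[0].split()[1]), headers

def parse_hsts(value):
    """RFC 6797 directives are ';'-separated; a ', '-joined value (Apache 'Header append') is invalid."""
    if "," in value:
        return None
    pairs = [p.strip().partition("=") for p in value.split(";") if p.strip()]
    return {name.lower(): val.strip('" ') for name, _, val in pairs}

def audit(request_url, raw_response):
    """Return a list of findings for one request/response pair (empty list = all checks pass)."""
    status, headers = parse_response(raw_response)
    req, findings = urlsplit(request_url), []
    if req.scheme == "http":
        loc = urlsplit(headers.get("location", [""])[0])
        if status != 301 or (loc.scheme, loc.netloc, loc.path or "/") != ("https", req.netloc, req.path or "/"):
            findings.append("plain-http request not permanently redirected to the same https URL")
        if "strict-transport-security" in headers:
            findings.append("HSTS sent over plain http is ignored by browsers; send it on https")
    else:
        hsts = parse_hsts(headers.get("strict-transport-security", [""])[0])
        if not hsts or not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) == 0:
            findings.append("missing or malformed Strict-Transport-Security max-age")
        elif "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            findings.append("cookie lacks Secure or HttpOnly: " + cookie.split(";")[0])
    return findings

# Constructed responses: the first two follow the advice; the third is what "set" + "append" emits.
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/api/v1\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
              "Set-Cookie: JSESSIONID=constructed; Path=/; Secure; HttpOnly\r\n\r\n")
APPENDED_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15552000, includeSubDomains\r\n"
                  "Set-Cookie: JSESSIONID=constructed; Path=/\r\n\r\n")
```

Run `audit("https://www.example.com/api/v1", APPENDED_HTTPS)` to see both the rejected HSTS header and the insecure cookie reported; the same two `GOOD_*` responses come back clean.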

  6. Re:Public pr0n by captain_sweatpants · · Score: 1

    This tells us two things:
    1. You have SafeSearch enabled.

    Yes, I did have safe-search set to moderate! I swear I'd turned it off before and it was misleading because the vanilla porn still showed up. Thankfully my search now returns mucho fisting porno. Still a little disappointed at the lack of midgets involved though! Also, I feel like a noob!

    2. Somewhere, there's a soccer team called the Lesbian Midgets.

    Actually Lesbian&Midget&Fisting matches a LOT of soccer teams.

  7. Kosher by MrEricSir · · Score: 1

    You shouldn't use it if you're kosher?

    --
    There's no -1 for "I don't get it."

  8. and slashdot is still ignoring the problem by xophos · · Score: 4, Interesting

    Typing https://slashdot.org/ just brings you back to http://slashdot.org./
    Is it too hard to do, or does no one care here?

    1. Re:and slashdot is still ignoring the problem by tlhIngan · · Score: 2

      Typing https://slashdot.org/ just brings you back to http://slashdot.org./
      Is it too hard to do, or does no one care here?

      The HTTPS site is for subscribers only - it's a backup in case /. gets so bogged down the regular HTTP bank is unusable. The admins use the HTTPS server, so subs can access the same servers the admins use. That was a few years ago, but I'd guess it's still true today.

      http://news.slashdot.org/story/07/10/22/145209/Slashdots-Setup-Part-2--Software

  9. App Engine As Well by Foresto · · Score: 1

    One of the long-standing shortcomings of App Engine was the lack of server certificate validation in the URL Fetch service. Google apparently took care of that as well.