Slashdot Mirror


Google Extends SSL To Developer-Facing APIs

Orome1 writes "Firesheep's authors can be satisfied with the gradual migration towards SSL that most of the biggest social networks, search engines, online shops and others have embarked upon since its advent. Google, which has already taken care of its users and encrypted its Web Search, Gmail and Google Docs, has now turned its attention to the APIs used by developers."

6 of 34 comments

  1. Re:Good. by Malnar · · Score: 2

    Until it clogs your computing arteries?

  2. Re:Public pr0n by MrEricSir · · Score: 3, Funny

    This tells us two things:
    1. You have SafeSearch enabled.
    2. Somewhere, there's a soccer team called the Lesbian Midgets.

    --
    There's no -1 for "I don't get it."
  3. Belt and suspenders by seifried · · Score: 2

    Since we generally can't just shut down access to port 80 yet (people would just get errors and be confused and angry), there are two methods you can use to transition clients to HTTPS. Use HTTP Strict Transport Security, which will address newer clients like Chrome: ideally they access your site securely the first time and you essentially tell them "from now on use HTTPS" for a specific amount of time (the longer the better):

    # Set this in the HTTPS virtual host: browsers only honour HSTS received over HTTPS.
    # Both directives belong in one header value separated by ";". Two separate Header
    # directives would be merged with a comma, and browsers discard the result.
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    The second will address current clients, but will not prevent things like Firesheep. However, it will hopefully result in people bookmarking your site with HTTPS and so on:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]

    This should also in theory cause any incoming links from sites that generate them dynamically (e.g. search engines) to take the permanent redirect and update their links (so if someone searches for you and clicks on the link it'll be an HTTPS link).

    1. Re:Belt and suspenders by wunderbus · · Score: 3, Informative

      If you're using Java servlets, you can include the following in your web.xml:

      <!-- Redirects all http requests to https. Does not send cookies with the redirect.
           The web.xml schema requires web-resource-collection (with a name) to come
           before user-data-constraint. -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Entire application</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <!-- Servlet 3.0 form. Prevents the application from appending the session ID
           to the URL (cookie-only tracking). Also makes the session cookie secure-only,
           so that if the user has an active session then makes a regular http request
           to your site, the session cookie won't be sent with that request. -->
      <session-config>
        <cookie-config>
          <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
      </session-config>
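Both halves of the setup discussed in this thread, the permanent redirect and the HSTS header, can be verified from a pair of captured responses rather than by trusting the config. The following is an added example, not code from the thread, from Apache or from any servlet container; the host, paths and header values are constructed for it. It parses Strict-Transport-Security the way RFC 6797 tells a browser to, so a header whose directives are joined with a comma instead of a semicolon (what two separate Apache Header directives produce when merged) is reported as the no-op it really is.

```python
"""Verify an HTTP-to-HTTPS transition from captured responses (added example).

Two things must hold: the plain-HTTP request gets a permanent redirect to https
on the same host keeping the path, and the HTTPS response carries an HSTS header
a browser can parse. RFC 6797 separates directives with ';' and ignores a header
it cannot parse, so a malformed header means no HSTS at all.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Response = Dict  # {"url": str, "status": int, "headers": {name: value}}


def header(resp: Response, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in resp["headers"].items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns (max_age_seconds, include_subdomains), or None when a user agent
    would discard the header: no max-age, a non-numeric max-age, or a directive
    given twice. Unknown directives are ignored, as the RFC requires.
    """
    max_age: Optional[int] = None
    include_sub = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():  # "15552000, includeSubDomains" fails here
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def audit_transition(http_resp: Response, https_resp: Response,
                     min_max_age: int = 15552000) -> List[str]:
    """Return a list of findings; an empty list means the transition is sound."""
    findings: List[str] = []
    requested = urlsplit(http_resp["url"])

    # 1. Plain HTTP must answer with a permanent redirect to https, same host, same path.
    if http_resp["status"] not in (301, 308):
        findings.append(f"HTTP response is {http_resp['status']}, expected a permanent redirect")
    location = header(http_resp, "Location")
    if location is None:
        findings.append("HTTP response has no Location header")
    else:
        target = urlsplit(location)
        if target.scheme != "https":
            findings.append(f"redirect target is not https: {location}")
        if target.hostname != requested.hostname:
            findings.append(f"redirect changes host: {requested.hostname} -> {target.hostname}")
        if target.path != requested.path:
            findings.append("redirect drops the original path (deep links and bookmarks break)")

    # 2. HSTS must be present and parseable on the HTTPS response. Browsers ignore
    #    the header on plain HTTP, so only the HTTPS response counts.
    sts = header(https_resp, "Strict-Transport-Security")
    if sts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    else:
        policy = parse_hsts(sts)
        if policy is None:
            findings.append(f"Strict-Transport-Security is unparseable and will be ignored: {sts!r}")
        elif policy[0] < min_max_age:
            findings.append(f"max-age {policy[0]} is shorter than the {min_max_age}s policy")
    return findings


# Constructed sample responses for the example (not real captures).
GOOD_HTTP = {"url": "http://www.example.com/login?next=%2Fhome", "status": 301,
             "headers": {"Location": "https://www.example.com/login?next=%2Fhome"}}
GOOD_HTTPS = {"url": "https://www.example.com/login?next=%2Fhome", "status": 200,
              "headers": {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"}}
# Two Apache "Header" directives merged into one value: comma, not semicolon.
COMMA_HTTPS = {"url": "https://www.example.com/login?next=%2Fhome", "status": 200,
               "headers": {"Strict-Transport-Security": "max-age=15552000, includeSubDomains"}}
# A temporary redirect that forgets the path: every deep link lands on the front page.
LOSSY_HTTP = {"url": "http://www.example.com/login?next=%2Fhome", "status": 302,
              "headers": {"Location": "https://www.example.com/"}}
```

Run `audit_transition(GOOD_HTTP, GOOD_HTTPS)` to get an empty list, and `audit_transition(GOOD_HTTP, COMMA_HTTPS)` to see the comma-joined header flagged as ignored; feeding it real captures is a matter of filling the same three fields from your HTTP client of choice.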

  4. and slashdot is still ignoring the problem by xophos · · Score: 4, Interesting

    Typing https://slashdot.org/ just brings you back to http://slashdot.org/.
    Is it too hard to do, or does no one care here?

    1. Re:and slashdot is still ignoring the problem by tlhIngan · · Score: 2

      Typing https://slashdot.org/ just brings you back to http://slashdot.org/.
      Is it too hard to do, or does no one care here?

      The HTTPS site is for subscribers only - it's a backup in case /. gets so bogged down the regular HTTP bank is unusable. The admins use the HTTPS server, so subs can access the same servers the admins use. That was a few years ago, but I'd guess it's still true today.

      http://news.slashdot.org/story/07/10/22/145209/Slashdots-Setup-Part-2--Software