Security: HTTPS #6

Closed
3 tasks done
cben opened this issue Sep 1, 2013 · 14 comments
Comments

@cben
Owner

cben commented Sep 1, 2013

Github pages doesn't serve HTTPS with a valid certificate.

  • register mathdown.{com,net}
  • get a cert (StartSSL offer free ones, and cheap recursive ones — which might come in handy for staging new versions / forks etc.)
  • find free/cheap hosting with easy deploy from github.

P.S. Cloud9 workspaces like https://c9.io/cben/codemirror-mathjax/workspace/demo.html support HTML. Great for editing / sending others a demo, not good enough for the main site.


It's tempting to use #xyz (as in Firebase demo) instead of ?doc=xyz,
so that secret document ids are not sent in the plain (they'd only be sent to Firebase over https).
But this doesn't really make HTTP hosting OK — a man in the middle can easily inject malicious JS that would leak the document id.
A stronger point is that ?doc=xyz would be stored on server's log, even with HTTPS. Not sure it's evil, collecting URL-level statistics is standard and useful.

What's more important, I want ?doc=xyz to preserve distinct documents having distinct URLs from search engine POV. I'd use /xyz but then I'd need .htaccess or similar.
And I want to use #heading for linking to # Heading inside doc (#5).

@cben
Owner Author

cben commented Jan 25, 2015

Now works on Heroku: https://mathdown.herokuapp.com. Custom domain SSL requires $20/month.
and on Openshift: https://mathdown-cben.rhcloud.com. Custom domain SSL also costs $20/month and I can't even upgrade my account to pay.

git push to heroku deploys in 50 seconds, to rhcloud in ridiculous 13 minutes :-(

mathdown.com domain (using it as testbed before switching mathdown.net) is now managed by Cloudflare, CNAMEing to mathdown.herokuapp.com.

Cloudflare offers free SSL certs between it and users but "full SSL strict" validation between it and the heroku/openshift backend fails unless the server presents a cert for the custom domain (mathdown.com).
There seems to be no way to tell them to validate heroku's certificate.
They offer "full SSL" (not strict) / "flexible SSL" modes without validation/encryption to backend but that's snake oil.
I'll probably stay on Cloudflare DNS anyway, don't know yet if I want them as men in the middle.
Cloudflare can't currently support HSTS.

Plan: pay for heroku SSL for now, later investigate just running on $5–10 Digital Ocean (deployed with Terraform and/or docker via tutum.co).
For forks, Heroku button and free HTTPS on foo.herokuapp.com domains is fine.

  • Currently server.coffee is logging URLs to stdout, including doc=secret part. Should probably stop. Heroku and Openshift logs are not public, but logs do get around during debugging, containing user secrets is a bad idea.

@cben
Owner Author

cben commented Jan 25, 2015

Forgot to mention wrt initial comment here:

See #57 for more details on moving away from Github pages.

@cben
Owner Author

cben commented Feb 9, 2015

For the record: any hosting without dedicated IP relies on SNI to present correct cert.
This is generally fine; the main group it leaves in the dark is Android 2.x default browser, and IE8 on XP.
=> I'm fine with SNI.

@cben
Owner Author

cben commented Feb 11, 2015

Comparing free HTTPS config of Heroku vs OpenShift (aka rhcloud) – at their wildcard cert subdomains:
https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.herokuapp.com&s=23.21.143.20&latest
=> B for "accepts the RC4 cipher, which is weak" (handshake simulation shows RC4 would only be used by IE8 on XP, which won't work due to SNI anyway).
https://www.ssllabs.com/ssltest/analyze.html?d=mathdown-cben.rhcloud.com&latest
=> A despite "Certificate uses a weak signature." (SHA1)

@cben
Owner Author

cben commented Feb 13, 2015

Yay, https://mathdown.com now works!
Got StartSSL cert for mathdown.com, deployed on Openshift (https://mathdown-cben.rhcloud.com), Cloudflare DNS points to Openshift, working through Cloudflare with "Full SSL (strict)" (= Cloudflare is MITM but is verifying the openshift server presents a valid cert for mathdown.com).

SSLLabs report: https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.com&s=104.28.6.62
Surprisingly this shows Fail due to SNI or crypto mismatch for a lot of clients, while the above tests with Heroku/OpenShift's SNI only had 1 or 2 Fails.
And I tried https://mathdown.com on IE8 on XP on Saucelabs, and it worked. Weird, not sure how "real" that XP is.
Crypto mismatch is less surprising — while Cloudflare as a CDN should want wide interoperability, they did optimize their free TLS implementation.

About Cloudflare

Wait, did I just say Cloudflare are doing Man-In-The-Middle? With HTTPS?!? Yes.
It's a bit bizarre, and only goes to show how insecure the CA system is.
In Sep 2014 they announced free TLS for everybody.

How does it work?
For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains.

They can do that, without asking me, because by controlling my DNS they can "prove" ownership of the domain. So they made a deal with a couple of CAs to mint certs for them [see https://news.ycombinator.com/item?id=8382335 for discussions]. The cert in my case:

Alternative names sni39464.cloudflaressl.com *.kagetora.nl *.koloso.be *.linkea.do *.mathdown.com *.mnaz.me *.movieq.biz *.nautilus-jp.com *.r-3.okinawa *.xn--treciwyspis-gfc.pl kagetora.nl koloso.be linkea.do mathdown.com mnaz.me movieq.biz nautilus-jp.com r-3.okinawa xn--treciwyspis-gfc.pl
Issuer COMODO ECC Domain Validation Secure Server CA 2

The technical reason I want them to control my DNS is that they provide free DNS with CNAME at the apex.
Anyway, I have a strong impression Cloudflare are very competent and a force for good.

But will I keep them as CDN, or only as DNS?

  • Pro: CDN = caching and latency
    • Con: extra complexity dev/prod parity
    • It seems I'm not serving sensible caching headers, must sort that out first before sprinkling magic CDN dust.
  • Pro: they add IPv6 support (Heroku and Openshift only have IPv4 addresses)

=> I think I'll disable CF as CDN for now.

@cben
Owner Author

cben commented Feb 13, 2015

About mathdown.com vs mathdown.net:

I started with .com to experiment. Now will get .net certificate, and move .net DNS to Cloudflare.
But I'm not sure if Openshift can serve 2 custom certificates. And StartSSL requires level 2 validation to produce 1 cert with both .com and .net as AltNames. [If a problem, will buy from sslmate]

@cben
Owner Author

cben commented Feb 13, 2015

Moved .net DNS to cloudflare (still pointing to Github Pages, turned SSL off)
Replaced fixed GH pages A addresses with CNAME ("flattened" by CF) to cben.github.io - works.

@cben
Owner Author

cben commented Feb 15, 2015

Got also a mathdown.net cert, added to RHcloud* (turned out they support multiple domains with separate certs trivially).

*I've been mostly referring to it as Openshift but to be precise Openshift is the (open source) software and RHcloud is the openshift hosting run by RedHat.

@cben
Owner Author

cben commented Feb 16, 2015

TODO: intelligent redirects (and/or rel=canonical) http->https, and .com -> .net.

  • Want both server-side redirect from server.js and client side for GH Pages https.
  • Should look into libs for running same routing logic on client and server.
  • Openshift (and probably Heroku) terminate TLS in the reverse proxy; need to check x-forwarding
    [https://help.openshift.com/hc/en-us/articles/203263674-What-external-ports-are-available-on-OpenShift-]

good checklist doc for migration to HTTPS: https://docs.google.com/document/d/1oRXJUIttqQxuxmjj2tgYjj096IKw4Zcw6eAoIKWZ2oQ/edit#

  • Verify no mixed-content errors? Currently clean but see if this can be ensured in tests.
  • HSTS should be possible simply by setting response header.
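As an added example (not mathdown's own server.js or server.coffee), a small Node routing helper covering the TODO items above together with the earlier note about not logging the doc=secret part: the client's scheme is read from X-Forwarded-Proto because TLS is terminated in the reverse proxy, http and .com/www requests are redirected to https://mathdown.net with path and query preserved, HSTS is emitted only on HTTPS responses, and the doc id is redacted before logging. The function names, the host set and the one-year max-age are assumptions.

```javascript
// Added example, not the project's code. Assumed names: CANONICAL_HOST,
// LEGACY_HOSTS, clientScheme, redirectTarget, hstsHeader, sanitizeUrlForLog.
const CANONICAL_HOST = 'mathdown.net';   // .com -> .net, per the TODO above
const LEGACY_HOSTS = new Set(['mathdown.com', 'www.mathdown.com', 'www.mathdown.net']);

// Behind a TLS-terminating reverse proxy (OpenShift, Heroku) req.socket is
// plain HTTP even when the client used HTTPS, so the scheme must be read from
// X-Forwarded-Proto. This trusts the proxy to set the header; if a proxy chain
// appends rather than overwrites, the trusted (outermost) value is the last one.
function clientScheme(headers) {
  const xfp = headers['x-forwarded-proto'];
  if (typeof xfp !== 'string') return 'http';
  const parts = xfp.split(',').map((p) => p.trim().toLowerCase());
  return parts[parts.length - 1] === 'https' ? 'https' : 'http';
}

// Absolute URL to 301 to, or null when the request is already canonical
// (HTTPS on mathdown.net). Path and query (?doc=xyz) are preserved so the
// document ids keep distinct URLs. Node lowercases header names, so
// headers.host is the Host header; a :port suffix is stripped.
function redirectTarget(headers, url) {
  const host = (headers.host || '').split(':')[0].toLowerCase();
  const wantHost = LEGACY_HOSTS.has(host) ? CANONICAL_HOST : host;
  if (clientScheme(headers) === 'https' && wantHost === host) return null;
  return `https://${wantHost}${url}`;
}

// Strict-Transport-Security value, or null on plain HTTP: browsers ignore the
// header over http, and setting it there only hides misconfiguration.
function hstsHeader(headers, maxAgeSeconds = 31536000) {
  if (clientScheme(headers) !== 'https') return null;
  return `max-age=${maxAgeSeconds}; includeSubDomains`;
}

// Log-safe form of the request URL: the doc=<secret> value is replaced so
// that document ids never reach stdout or the hosting provider's log stream.
// The base URL is a placeholder needed only to parse a relative request URL.
function sanitizeUrlForLog(url) {
  const u = new URL(url, 'http://placeholder.invalid');
  if (u.searchParams.has('doc')) u.searchParams.set('doc', 'REDACTED');
  return u.pathname + u.search;
}

module.exports = { CANONICAL_HOST, clientScheme, redirectTarget, hstsHeader, sanitizeUrlForLog };
```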

@cben
Owner Author

cben commented Feb 19, 2015

I flipped mathdown.net DNS yesterday to RHcloud (yay!) but turns out I misconfigured certs:
https://mathdown.net and https://mathdown.com/ work but with www. they give error:

This server could not prove that it is www.mathdown.com; its security certificate is from *.rhcloud.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

And similarly:

This server could not prove that it is www.mathdown.com; its security certificate is from *.rhcloud.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

cben added a commit that referenced this issue Feb 20, 2015
Otherwise RHcloud didn't know the mathdown.{net,com} certs also cover www.mathdown.{net,com} and didn't present them,
resulting in mismatched cert errors:
> This server could not prove that it is www.mathdown.com; its security certificate is from *.rhcloud.com.
(#6)
@cben cben closed this as completed in 189c699 Feb 20, 2015
@cben cben removed the 4 - Working label Feb 20, 2015
@cben
Owner Author

cben commented Feb 20, 2015

Just to conclude: https://www.ssllabs.com/ssltest/analyze.html?d=mathdown.net :-)
Main caveat: This site works only in browsers with SNI support.
Opening new issue(s) for redirects & HSTS followup.

@cben cben mentioned this issue Feb 20, 2015