Do not use Cloudflare

[rugk]

Cloudflare basically offers TLS with MITM built in. More information here: https://scotthelme.co.uk/cloudflares-great-new-features-and-why-i-wont-use-them/

So it is not a good idea to use it for such security-related issues.

[Gaff]

It's a fair point.

The real reason why I use cloudflare is that it's the simplest way to apply https. If I didn't use cloudflare I'd use someone else (amazon aws, google cloud, etc) and you'd have to trust them instead. Even if I host it on my own hardware you still need to trust github, and no matter what you need to trust the site maintainer (me!).

Most people will be happy with the author -> github -> cloudflare chain, there are all top tier hosting providers who aren't going to risk their reputations to backdoor my site. If I cut out cloudflare you still have to trust github and myself. The more paranoid users won't be comfortable even with this.

I'm open to suggestions, but I don't see a huge win here. If you're paranoid you should check the CSP headers manually (see: https://github.com/Gaff/pgp.help/blob/master/README.md ), and if you're happy to give up some trust then https should be sufficient.

[rugk]

I think if you're paranoid you should host it by yourself. :smiley:

When accessing the GitHub page at https://gaff.github.io/pgp.help you can circumvent Cloudflare and you only have to trust GitHub (and possibly you :wink:). Of course you have to trust a few organisations, but it matters who and how many organisations you trust. You could put hundreds of companies in your connection and allow them to MITM the traffic, but the goal of HTTPS is to protect this information and not let someone MITM it.

But anyway as you can use GitHub pages there is a decent alternative. :smiley:

[Gaff]

Fair enough. I don't tend to advertise that link as the URL is ugly, but you're right it is one less MITM.

I should add it as a note in the README for those who are concerned about such details.

[rugk]

At least the ones who are really concerned may find this issue. :smiley:

[rugk]

Additionally what SSL mode in Cloudflare do you use? Some modes transmit the content of the website partially as plain-text.

[Gaff]

I'm using Full SSL, so it will only transmit SSL encoded data from github.

[rugk]

@Gaff commented on 19. Dez. 2015, 18:33 MEZ:

I'm using Full SSL, so it will only transmit SSL encoded data from github.

That's true, but with Full SSL Cloudflare does not check the cert at all. It even accepts self-signed certs and this basically allows active MITM attacks to tamper with the connection. So what about using at least "Full SSL (strict)"? https://scotthelme.co.uk/cloudflares-great-new-features-and-why-i-wont-use-them/#sslallthethings

[Gaff]

I should. I tried it and cloudflare didn't seem to accept the github SSL certificate :(.

Need to research some more...

[rugk]

Ah you serve it directly from GitHub? But https://gaff.github.io/pgp.help should be accepted...

[Gaff]

Exactly. Exactly.

Have sent cloudflare a mail, though I'm not paying them so I'm not sure I'll get a prompt response.

[rugk]

A good company should also offer support for not-paying customers, so I am interested in hearing their response.

[rugk]

So, some time has passed. Any news from Cloudflare?

[Gaff]

Alas no.

I guess nowadays the way to host this would be docker + letsencrypt, still means I need to deal with hosting (and any hosting nastyness) myself. Not 100% sure I want to open this can of worms :/. I would like to improve the security though.

[rugk]

Loading it from GitHub pages directly would still be a good idea for some users which do not want to use Cloudflare.

However currently https://gaff.github.io/pgp.help/ redirects to the Cloudflare home page and AFAIK it does also not show the favicon. A inline html tag would be required for this AFAIK. At least such a tag would be nice - for self-hosted installations where this is e.g. placed in a subdir or there is no global favicon. I can of course open a separate issue for this if you want.

[Gaff]

Or even better fix it for me ;)

My original intention was to serve this from github pages - sadly github have no support for https when you bring your own domain.

Really I should jump the hurdle and host it myself using lets-encrypt powered https on some cloud somewhere.

[rugk]

Hmm... could you at least remove the redirection from the official GitHub pages site to the custom domain? If that's possible.

[rugk]

BTW there are CDNs which have Let's Encrypt support and therefore allow you to use GitHub pages over HTTPS. E.g. this here.

[Gaff]

Oooh, that's pretty cool!

[Gaff]

Ok I had a go a kloudsec, but it didn't "just work". Alas DNS has horridly non-deterministic propagation times so it could be that I just didn't wait long enough, but I didn't want to leave the site down. Have moved a lesser site of mine to kloudsec. If that works I'll give it another go.

[Gaff]

Hmm, ok looks like it does work - I just needed to give it longer. However from a security perspective I'm not sure this achieves much. Sure the SSL certificate is signed by lets encrypt not cloudflare - but apart from that it's the same, complete with the same implicit MITM trust problem. Seems to be simply a question of who do you trust more? Cloudflare or Kloudsec?

[rugk]

Yeah, but it might made a difference when passing the request from GitHub Pages to the CDN provider. As with Cloudflare you could not use "Full SSL (Strict)"... But I have no idea how Kloudsec handles this...

[rugk]

FYI GitHub now forces HTTPS for fifth pages. You only have to click on a switch: https://help.github.com/articles/securing-your-github-pages-site-with-https/

[Gaff]

Tried that - doesn't work with custom domains / CNAMEs :(

Shame as that would be pretty neat. I'm even considering moving to pgphelp.github.io (wouldn't be the first project to live at github). Wdyt?

[rugk]

I'm even considering moving to pgphelp.github.io (wouldn't be the first project to live at github). Wdyt?

Yeah, that's the easiest solution and I think it is a good decision.

[Gaff]

It's not so black-and-white, github doesn't support HSTS for example.

[rugk]

But they seem to deploy it:

Heyyyyy, GitHub Pages now sets HSTS for new github.io sites! https://t.co/He3PNJKTVw

https://twitter.com/konklone/status/743172058289430528

[Gaff]

Wow looks like it is indeed configured that way but only for new users (or perhaps new github pages). How do you find out this stuff?!

That means I could safely move to: pgphelp.github.io (or equivalent? Suggestions? Sadly pgp.github.io is taken)

I think I'm broadly in favour. Essentially it's one less person to trust at the cost of a slightly uglier URL. I can still maintain pgp.help as a landing page. Any further thoughts?

---

A question for your excellent search skills - A few months ago I saw a site that would grade your websites HTTPS usage (for things like HSTS, HPKP, CSP etc. But I can't find it again :/ If you do locate anything please let me know!

[rugk]

How do you find out this stuff?!

I already linked to my sources. :smiley:

That means I could safely move to: pgphelp.github.io (or equivalent? Suggestions?

I think so, yes.

Sadly pgp.github.io is taken)

Yeah, not really surprising though...

Essentially it's one less person to trust at the cost of a slightly uglier URL. I can still maintain pgp.help as a landing page.

Yes and yes.

Any further thoughts?

No. :smiley:

A question for your excellent search skills

:sunglasses:

saw a site that would grade your websites HTTPS usage (for things like HSTS, HPKP, CSP etc.

No need to search. I know this website. I think you mean this: https://securityheaders.io/

BTW: CSP has nothing to do with HTTPS. :smiley: But it's a very good feature anyway. Basically the site is about testing (and grading) your Security Headers usage, which of course includes some headers related to HTTPS. As for HTTPS there are many more other analysis sites, but these tests are only useful when you run your own server (and do not serve it via GitHub Pages as you cannot influence their cipher selection e.g.).

[Gaff]

I think you mean this: https://securityheaders.io/

You sir are a genius!

So neither cloudflare nore github to particularly well at this metric, but cloudflare is marginally better:

https://securityheaders.io/?q=https%3A%2F%2Fpgp.help%2F https://securityheaders.io/?q=https%3A%2F%2Fgaff-hsts.github.io

Does this matter? Probably not.

[Gaff]

...taken the first steps - see https://pgphelp.github.io . It's not working yet but you can inspect it for https-correctness at least.

One obvious downside - since the website has a new home, you need to copy over all your settings. Bleh.

Might keep both alive?

[rugk]

Does this matter? Probably not.

Yeah, that's just one simple header which affects only some browsers, so it does hardly matter. What's much more important is your CSP - but this is independent of the hoster as you declare it in the HTML code.

It's not working yet

Everything works for me...

but you can inspect it for https-correctness at least.

Well... it's the default for GitHub pages, which is okay. You cannot do anything about it anyway.

One obvious downside - since the website has a new home, you need to copy over all your settings. Bleh.

Mhh, yeah... When you'll move you might see how much complains you get. Maybe clarify this fact on the old page and let some time pass untl you shut down the old URL. (Or add an import/export feature :wink: )

[Gaff]

Everything works for me...

Cool - I mean the page still refers to the old URL in a few places. But yeah think I nailed the technical bugs (all due to npm craziness - turns out if you rebuild you automagically pull in newer not-necessarily-compatible packages. Not fun).

I'm slightly troubled since I'm sure one day github will support https + external domains. But will that be in 3 months or 3 years? Who knows.

My upgrade plan is to have pgp.help show a landing page with a link to the new and archive version. pgphelp.github.io will go straight to the pgp page as it is.

Sadly one of the downsides of my extremely strict security policy is that I can't install any tracking / analytics packages - so I've no idea how many users I actually have :). Probably not many.

[rugk]

Probably not many.

Yeah, based on the stats in this repo (starts, issues opened, ...) I alos assume so.

Sadly one of the downsides of my extremely strict security policy is that I can't install any tracking / analytics packages

Yeah, but at least this repo is constantly tracked by GitHub. As the repo owner you can see some stats for it somewhere under https://github.com/Gaff/pgp.help/graphs/ AFAIK.

[rugk]

A new testing site similar to SecurityHeaders.io is also this one: https://mozilla.github.io/http-observatory-website/

[rugk]

BTW there was also a blog post about the move to HTTPS: https://github.com/blog/2186-https-for-github-pages

[rugk]

Any news about the switch to the new site?

[Gaff]

Well it works. I need to formalise things. Keep on badgering me about it and I'll get it done :/

[rugk]

New year, new try?

[rugk]

How is it going?

[rugk]

Finally GitHub provides HTTPS for custom domains: https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

So this may be the best solution for you.😊

[Gaff]

Thanks!

I'll try and take a look this weekend.

On Tue, 1 May 2018, 20:02 rugk, notifications@github.com wrote:

Finally GitHub provides HTTPS for custom domains: https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

So this may be the best solution for you.😊

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/Gaff/pgp.help/issues/26#issuecomment-385758593, or mute the thread https://github.com/notifications/unsubscribe-auth/AAN1aWXt_loQeLDLLLUNrMdAlaxwmS7gks5tuLFTgaJpZM4G1-oS .

[Gaff]

So I'm going to try this - however it might take the site down if I screw up. Unfortunately because of DNS propagation delays it might take a day to figure out. :(

Wish me luck!

[Gaff]

Ok - it seems to have worked. I did blow out my HSTS settings in my browser at one point, but have checked on other browsers and it seems ok. However it /may/ take a day for the DNS settings to propagate to your ISP.

@rugk - Let me know it looks for you, and if it looks good I'll close this ticket!

[rugk]

Works for me.