josht ([personal profile] josht) wrote in [site community profile] dw_suggestions 2011-09-03 06:58 pm

Support for HTTPS on all pages, including journal pages

Title:
Support for HTTPS on all pages, including journal pages

Area:
security, privacy, https

Summary:
I'd like to have the option of using HTTPS to access all dreamwidth pages, including journal pages as well as pages on dreamwidth.org itself.

Description:
Inspired by the HTTPS Everywhere addon (https://www.eff.org/https-everywhere), I started looking through the sites I regularly visit to find which ones have HTTPS support. I frequently read journals on dreamwidth, but dreamwidth doesn't support https on journal pages; the certificate only works for www.dreamwidth.org. Also, visiting https://www.dreamwidth.org/ redirects to the login page rather than serving the front page securely; changing an http URL to https should serve the same content securely, rather than changing the content served.

Having HTTPS on all pages would secure accounts against session-hijacking, a particular concern when on more insecure Internet connections, such as public wifi, or university or corporate networks. HTTPS would also improve privacy. The web needs more encrypted packets and less plaintext.

Poll #8378 Support for HTTPS on all pages, including journal pages
Open to: Registered Users, detailed results viewable to: All, participants: 37


This suggestion:

Should be implemented as-is.
25 (67.6%)

Should be implemented with changes. (please comment)
0 (0.0%)

Shouldn't be implemented.
0 (0.0%)

(I have no opinion)
12 (32.4%)

(Other: please comment)
0 (0.0%)

[staff profile] denise 2011-10-26 09:41 pm (UTC)
...Nevermind! I was sure this had been a duplicate, and I looked, and as always, as soon as I hit 'approve' I find the duplicate.

This is already in Bugzilla; it just hasn't been coded yet.

[personal profile] boundbooks 2011-10-26 10:10 pm (UTC)
AWESOMENESS!!!!!!!!

[personal profile] pseudomonas 2011-10-26 10:42 pm (UTC)
JOOI, is it possible if using HTTPS to use urls of the form https://www.dreamwidth.org/~pseudomonas rather than https://pseudomonas.dreamwidth.org ? This way an eavesdropper gains less information from the domain to which the request is being made (AIUI).

[staff profile] denise 2011-10-26 10:51 pm (UTC)
*stares at your acronym* "just out of ..." nah, you got me.

It wouldn't be possible, no. Requiring subdomains is a security measure to prevent cookiejacking attempts from getting very far.

[personal profile] pseudomonas 2011-10-26 10:52 pm (UTC)
"just out of interest"

[staff profile] denise 2011-10-26 10:58 pm (UTC)
Aha! Thank you for clarifying for my poor acronym-laden brain :)

[personal profile] pseudomonas 2011-10-26 10:54 pm (UTC)
oh, of course, sorry, I forgot that the subdomains were needed for that.
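
An added example, not part of the original thread and not Dreamwidth's code: a small model of the RFC 6265 domain-match and path-match rules, showing which cookies a browser attaches under the subdomain layout versus the path layout discussed above. The cookie names and attributes are constructed assumptions.

```javascript
// Constructed cookie jar: names and attributes are assumptions for illustration.
const jar = [
  { name: "site_session", domain: "www.dreamwidth.org", hostOnly: true, path: "/", secure: true },
  { name: "journal_session", domain: "pseudomonas.dreamwidth.org", hostOnly: true, path: "/", secure: true },
  { name: "shared_pref", domain: "dreamwidth.org", hostOnly: false, path: "/", secure: false },
];

// RFC 6265 section 5.1.3: identical host, or a subdomain of the cookie domain
// (never applied to IP-address hosts).
function domainMatch(host, cookieDomain) {
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: cookie path must be a prefix ending on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for urlString.
function cookiesSentTo(urlString, cookies = jar) {
  const url = new URL(urlString);
  return cookies
    .filter((c) => {
      // Host-only cookies (no Domain attribute) require an exact host match.
      const hostOk = c.hostOnly
        ? url.hostname === c.domain
        : domainMatch(url.hostname, c.domain);
      // Secure cookies are withheld from plaintext HTTP requests.
      const schemeOk = !c.secure || url.protocol === "https:";
      return hostOk && schemeOk && pathMatch(url.pathname, c.path);
    })
    .map((c) => c.name);
}

// Subdomain layout: the journal host never receives the www session cookie.
console.log(cookiesSentTo("https://pseudomonas.dreamwidth.org/"));
// Path layout: the journal shares the www host, so the session cookie goes along.
console.log(cookiesSentTo("https://www.dreamwidth.org/~pseudomonas"));
// Plain HTTP: Secure cookies stay home; only the non-Secure cookie is exposed.
console.log(cookiesSentTo("http://www.dreamwidth.org/~pseudomonas"));
```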

[personal profile] syderia 2011-10-27 05:15 am (UTC)
Slightly off topic: does Dreamwidth support TLS 1.1 and 1.2? Also, is SSL renegotiation disabled on the servers?

[staff profile] mark 2011-10-27 07:35 am (UTC)
We use Pound for SSL termination. I don't know the answers to these questions, honestly, this is a part of the world of tech stuff that I'm not super familiar with.