Comments on: Call for stronger webappsec – enable HTTPS by default http://www.mikeandrews.com/2009/06/16/call-for-stronger-webappsec-enable-https-by-default/ Fri, 09 Apr 2010 12:01:55 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Mike http://www.mikeandrews.com/2009/06/16/call-for-stronger-webappsec-enable-https-by-default/comment-page-1/#comment-449 Mike Wed, 17 Jun 2009 18:58:48 +0000 http://www.mikeandrews.com/2009/06/16/call-for-stronger-webappsec-enable-https-by-default/#comment-449 Agreed - it's not as big a deal for Google, as they host their own ads/content/etc, and as you pointed out there's many places in the chain that ads could be injected (even more reason to have the SSL endpoint as close to the perimeter as possible - SSL concentrators are idea for that). However, there still has to be some thought behind it or you get those "mixed content" warnings. If you are injecting/loading at a different point in the chain or cross-domain, HTTPS becomes a major headache to do this injection seamlessly. SECURE attributes on cookies can only work when the whole app works on HTTPS - if not then the cookies marked with SECURE don't get sent and that breaks things. HTTPOnly on the other hand is a no-brainer to add but it's a different issue. I *still* see very few sites using either of these settings though. Agreed – it’s not as big a deal for Google, as they host their own ads/content/etc, and as you pointed out there’s many places in the chain that ads could be injected (even more reason to have the SSL endpoint as close to the perimeter as possible – SSL concentrators are idea for that). However, there still has to be some thought behind it or you get those “mixed content” warnings. If you are injecting/loading at a different point in the chain or cross-domain, HTTPS becomes a major headache to do this injection seamlessly.

SECURE attributes on cookies can only work when the whole app works on HTTPS – if not then the cookies marked with SECURE don’t get sent and that breaks things. HTTPOnly on the other hand is a no-brainer to add but it’s a different issue. I *still* see very few sites using either of these settings though.

]]> By: radi http://www.mikeandrews.com/2009/06/16/call-for-stronger-webappsec-enable-https-by-default/comment-page-1/#comment-448 radi Wed, 17 Jun 2009 12:01:55 +0000 http://www.mikeandrews.com/2009/06/16/call-for-stronger-webappsec-enable-https-by-default/#comment-448 hi Mike, I wouldn't think ad-injections should be that big of a concern for Google for 2 reasons: - ads can always be embedded in the actual applications. the only bit of difference is that the ad servers need to support HTTPS as well. if those servers are part of the google.com domain, all the more reasons why this shouldn't be a problem for Google. - if Google uses proxies for load balancing when serving content, they can always do ad injections one step before the traffic goes encrypted through the Internet. the next steps for Google will be to start marking their cookies as "Secure" and possibly "HTTPOnly" :) my 2c radi hi Mike,

I wouldn’t think ad-injections should be that big of a concern for Google for 2 reasons:
– ads can always be embedded in the actual applications. the only bit of difference is that the ad servers need to support HTTPS as well. if those servers are part of the google.com domain, all the more reasons why this shouldn’t be a problem for Google.
– if Google uses proxies for load balancing when serving content, they can always do ad injections one step before the traffic goes encrypted through the Internet.

the next steps for Google will be to start marking their cookies as “Secure” and possibly “HTTPOnly” :)

my 2c

radi

]]>