Friday, March 25, 2016

Implementing https on Blogger using Cloudflare


Google is busy, as announced at Google I/O 2014, updating all its web services to support https connections instead of http. Connections over https are likely more secure than http. I say likely, because using https and using https well can differ like Earth and Mars. But Google will likely implement it thoroughly tested. This movement is called #HTTPSeverywhere.

Update, April 3rd 2018: As of 2018, Google supports full https for custom-domain blogs on Blogger! This does affect some settings in Cloudflare though; see the clarification further down.


First steps to a bit more https

The reason for this post is that Google updated its Blogger service a while ago. On September 30th, 2015, Google announced in a blog post that it has implemented support for https. There is one caveat though: it only supports default domains, such as teusink.blogspot.com. When you have a full domain (or custom domain) enabled, like www.teusink.eu, https support is not yet implemented.

As a Security Professional I was, and still am, a bit disappointed to say the least. I would even be willing to pay a small fee for https support. Google has promised to bring https support at some point in the future though.

But that did not keep me from changing something in this blog of mine. I have checked the template, and every post and every page, for any reference to any resource or URL I link to, and changed it to https wherever possible. I can say that all resources (like images, scripts, and such) have been changed to https. Some web links I reference could not be changed, but that has nothing to do with the technical (and security) side of this blog.

So when support finally arrives I can flip the switch easily and the blog would (or should...) work without any security errors. In the meantime, all scripts are loaded from trusted sources, so my blog is a bit safer now than it was before.

Using Cloudflare for more https

Luckily you can do more concerning the implementation of https on your blog. And no, Google still does not support full https for blogs on Blogger using a custom domain name. But there is a work-around, and you need Cloudflare (or a similar service) for it.

I started using Cloudflare (the free account, to be precise) a month ago to improve the security of my blog, but also to improve the privacy of my visitors. With Cloudflare in front of my blog I can enforce encryption and enable threat protection. Where there is doubt whether a visitor is malicious, Cloudflare presents a captcha which, upon entering the right value, grants access.

In the steps below I'll highlight what needs to be done to get this working.

Implementing Cloudflare

Step 1a: Sign-up, add domain and configure DNS

  • Sign-up for a free account at Cloudflare.
  • Add your domain to Cloudflare.
  • Change the DNS servers of your domain to those of Cloudflare. You might need to ask your provider or registrar to do that.
  • The rest is done automatically.
You might also want to enable DNSSEC, but that requires some more configuration at your registrar.

Step 1b: Add the following CAA DNS records to your DNS

  • issue "comodoca.com"
  • issue "digicert.com"
  • issue "globalsign.com"
  • issuewild "comodoca.com"
  • issuewild "digicert.com"
  • issuewild "globalsign.com"

Step 2: Configure Crypto

  • Set SSL to Flexible.
    • This will not work for full https sites; Full or Full (Strict) has to be used instead.
  • Set Authenticated Origin Pulls to On.
  • Set Opportunistic Encryption to On.
  • Set TLS 1.3 to On.
  • Set Always use HTTPS to On.
    • This makes sure that, in my case, http://www.teusink.eu is redirected to https://www.teusink.eu
  • Set Automatic HTTPS Rewrites to On.
    • The https rewrites (always use https) are important to redirect resource requests in your code from http:// to https://. This prevents Mixed-Content security errors.
  • Enable HTTP Strict Transport Security (HSTS).
    • I chose a Max-Age of 6 months and I did include subdomains.
    • Warning: this breaks future sites on your domain that do not use https!
  • Set Require Modern TLS to On.
    • There is no reason to support TLS 1.0 and TLS 1.1.

Step 3: Configure Firewall

  • Set Security Level to High.
  • Set Challenge Passage to 1 day.
  • In Web Application Firewall, set Browser Integrity Check to On.
  • In IP Firewall, white-list the IP-addresses of Google Blogger.

Step 4: Configure Speed

  • Set Auto Minify enabled on JavaScript, CSS and HTML.
  • Set Rocket Loader to Off.

Step 5: Configure Caching

  • Set Caching Level to Standard.
  • Set Browser Cache Expiration to 4 hours.
  • Set Always Online to On.
When not developing, leave Development Mode at Off.

Step 6: Configure Network

  • Set IPv6 Compatibility to On.
  • Set WebSockets to On.
  • Set Pseudo IPv4 to Off.
  • Set IP Geolocation to On.
IP Geolocation might be needed for proper analytics (such as Google Analytics) of your blog. If you want to use Google Analytics you need to configure that app within Cloudflare.

Step 7: Configure Scrape Shield

  • Set Email Address Obfuscation to On.
  • Set Server-side Excludes to On.
  • Set Hotlink Protection to Off.
You might want to configure some different settings here (especially when you are hosting images that you don't want to be hotlinked).

Update, April 3rd 2018

When enabling full https support (for either custom domains or non-custom domains), make sure that you do the following:

Step 1: Add the following CAA DNS records to your DNS

  • issue "letsencrypt.org"
  • issuewild "letsencrypt.org"
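To see how a CA actually evaluates these records, here is an added example (not part of the original post) that models the issue/issuewild records from Step 1b above together with this step's letsencrypt.org records on a constructed example.com zone, and applies the RFC 8659 lookup rules: climb to the closest name that has CAA records, then use issuewild for wildcard names when it is present and issue otherwise. The dev.example.com sub-zone is a hypothetical addition to show the wildcard lock-down case.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value), as in a zone file

# Constructed zone data; example.com stands in for the blog's custom domain
# and carries the issue/issuewild records from Step 1b plus letsencrypt.org.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        (0, "issue", "comodoca.com"),
        (0, "issue", "digicert.com"),
        (0, "issue", "globalsign.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "comodoca.com"),
        (0, "issuewild", "digicert.com"),
        (0, "issuewild", "globalsign.com"),
        (0, "issuewild", "letsencrypt.org"),
    ],
    # Hypothetical sub-zone that forbids wildcard certificates entirely.
    "dev.example.com": [(0, "issuewild", ";")],
}

def relevant_rrset(name: str) -> Optional[List[CAARecord]]:
    """Climb from `name` towards the root and return the first non-empty
    CAA set found (the Relevant RRset); None if there is none at all."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = ZONE.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return None

def issuer_domain(value: str) -> str:
    """The issuer domain is the part before any ';' parameters; an empty
    issuer (the value ';') authorises nobody."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca: str, name: str) -> bool:
    """True if CA `ca` may issue for `name`; a leading '*.' marks a wildcard."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name)
    if rrset is None:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    tags = {tag for _, tag, _ in rrset}
    # Wildcard names are governed by issuewild when present, else by issue.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # CAA present but no applicable property: unrestricted
    return any(issuer_domain(v) == ca.lower() for _, t, v in rrset if t == tag)
```

Note the sub-zone case: CAA records on dev.example.com replace rather than extend the parent's, so a non-wildcard name like api.dev.example.com ends up with no issue restriction at all.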

Step 2: Disable Cloudflare features

  • Disable SSL (set it from Flexible to Off).
  • Set the domain in DNS to DNS only (and not Cloudflare protected).

Step 3: Enable https on Blogger

  • Enable https in Blogger, and wait for it to be activated.
  • Enable the https redirect in Blogger.
  • Test your site and make sure it works without Cloudflare being enabled.

Step 4: Re-enable features in Cloudflare

  • Set SSL to Full (strict).
    • Warning: Flexible will make your blog not work, because it only works for non-https sites.
  • Set the domain in DNS to Cloudflare protected.
After that, it should work.

Some considerations

There are two things you need to consider.
  • Update your template, code and scripts: It is quite possible that you will need to update the template and all your posts. Content may be loaded through embedded code or scripts over an insecure channel (http) instead of a secure one (https), and this results in an error in the browser (http resources are blocked on https pages). Therefore, test every page and post of your blog for such errors.
  • There is still no end-to-end encryption: Keep in mind that there is still no end-to-end encryption. All the traffic from the browser to Cloudflare is encrypted. Cloudflare gets the resources from Blogger and sends them to the browser. That way, for instance, the Internet Service Provider does not know which pages on the blog you are visiting.
    • Note: This no longer applies when enabling full https in Blogger.
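The template check from the first point can be automated. The Python below is an added example (not code from the original post): it scans a page for sub-resources fetched over http:// (the ones that cause mixed-content errors) and applies the same rewrite that Cloudflare's Automatic HTTPS Rewrites performs, on a constructed template fragment; the hostnames in it are made up.

```python
from html.parser import HTMLParser

# Attributes that fetch a sub-resource. <a href> is navigation, not a
# sub-resource, so it is left out: plain links never cause mixed content.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "link": ("href",),
    "source": ("src",), "embed": ("src",), "video": ("src", "poster"),
    "audio": ("src",), "object": ("data",),
}
LINK_RELS = ("stylesheet", "icon", "preload", "prefetch", "manifest")

class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every sub-resource loaded over http://."""
    def __init__(self) -> None:
        super().__init__()
        self.findings = []  # list of (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs_d = dict(attrs)
        rel = (attrs_d.get("rel") or "").lower()
        # Only <link> variants that fetch something count (rel=canonical does not).
        if tag == "link" and not any(r in rel for r in LINK_RELS):
            return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            url = attrs_d.get(attr) or ""
            if url.lower().startswith("http://"):
                self.findings.append((tag, attr, url))

def find_mixed_content(html: str):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def rewrite_to_https(html: str) -> str:
    """Apply the equivalent of Automatic HTTPS Rewrites: every occurrence of
    a flagged URL becomes https://; links and https resources are untouched."""
    for _, _, url in find_mixed_content(html):
        html = html.replace(url, "https://" + url[len("http://"):])
    return html

# Constructed template fragment standing in for a Blogger template.
SAMPLE_TEMPLATE = """<html><head>
<link rel="canonical" href="http://www.example.com/"/>
<link rel="stylesheet" href="http://fonts.example.net/css?family=Roboto"/>
<script src="http://cdn.example.net/widget.js"></script>
<script src="https://cdn.example.net/safe.js"></script>
</head><body>
<img src="http://img.example.net/photo.jpg" alt="constructed"/>
<a href="http://other-site.example/">plain links are fine</a>
</body></html>"""
```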

My results so far on my move to Cloudflare

  • 2,257 unique visitors with 21,855 requests in total.
  • 62% of the traffic was served over SSL.
  • 197 threats stopped:
    • 151 originated from Ukraine.
    • 30 originated from France.
    • 12 originated from United States of America.
    • 4 originated from Israel.

Conclusion

Although full https is the best way to protect your website, the maximum has now been done for a blog hosted on Blogger with a custom domain name. All traffic between the visitor and Cloudflare is encrypted, and only Cloudflare makes plain http requests to my blog. This way privacy is better protected, and thanks to the firewalling the security of the blog is better protected as well.

And last but not least, it also reduced the spam comments on my blog, which had become quite a nuisance!