Friday, March 25, 2016

Implementing https on Blogger using Cloudflare


Google is busy, as stated at Google I/O 2014, with updating all its web services to support https connections instead of http. Connections over https are likely more secure than http. I say likely, because using https and using https well can differ like Earth and Mars. But Google will likely implement it thoroughly tested. This movement is called #HTTPSeverywhere.


First steps to a bit more https

The reason I post this blog is that Google updated its Blogger service a while ago. On September 30th, 2015, Google announced in a blog post that it has implemented support for https. There is one caveat though: it only supports default domains, such as teusink.blogspot.com. When you have a full domain (or custom domain) enabled, like www.teusink.eu, https support is not yet implemented.

As a Security Professional I was, and still am, a bit disappointed to say the least. I would even be willing to pay a small fee for https support. Google has promised to bring https support at some point in the future though.

But that did not keep me from changing something in this blog of mine. I have checked the template, and every post and every page, for any reference to any resource and any URL I link to, and changed it to https wherever possible. I can say that all resources (like images, scripts, and such) have been changed to https. Some web links I reference could not be changed though, but that has nothing to do with the technicality (and security) of this blog.

So when support finally arrives I can flip the switch easily and the blog would (or should...) work without any security errors. In the meantime, all scripts are executed from trusted sources, so my blog is a bit safer now than it was before.

Using Cloudflare for more https

Luckily you can do more about implementing https on your blog. And no, Google still does not support full https for blogs on Blogger using a custom domain name. But there is a work-around, and you need Cloudflare (or a similar service) for it.

I started using Cloudflare (the free account, to be precise) a month ago to improve the security of my blog, but also to improve the privacy of my visitors. With Cloudflare in front of my blog I can enforce encryption and enable threat protection. In cases where there is doubt about whether a visitor is malicious, Cloudflare presents a captcha which, upon entering the right value, grants access.

In the steps below I'll highlight what needs to be done to get this working.

Implementing Cloudflare

Step 1: Sign-up, add domain and configure DNS

  • Sign-up for a free account at Cloudflare.
  • Add your domain to Cloudflare.
  • Change the DNS of your domain to the ones of Cloudflare. You might need to ask your provider or registrar to do that.
  • The rest is done automatically.
You might want to enable DNSSEC, but it requires some more configuration at your registrar.

Step 2: Configure Crypto

  • Set SSL to Flexible
  • Set Authenticated Origin Pulls to On.
  • Set Opportunistic Encryption to On.
  • Set TLS 1.3 to On.
  • Set Automatic HTTPS Rewrites to On.
The https rewrites are important to redirect all requests from http:// to https://. When Blogger starts to support full TLS for custom domain names, you could enable HSTS using a free Origin Certificate.

Step 3: Configure Firewall

  • Set Security Level to High.
  • Set Challenge Passage to 1 day.
  • In Web Application Firewall, set Browser Integrity Check to On.
  • In IP Firewall, whitelist the IP addresses of Google Blogger.

Step 4: Configure Speed

  • Set Auto Minify enabled on JavaScript, CSS and HTML.
  • Set Rocket Loader to Off.

Step 5: Configure Caching

  • Set Caching Level to Standard.
  • Set Browser Cache Expiration to 4 hours.
  • Set Always Online to On.
When not developing, leave Development Mode at Off.

Step 6: Configure Page Rules

  • Add a page rule to Always Use HTTPS for http://*.yourdomain.tld/* and set it to On.
This not only redirects http traffic to https, but also enforces it.

Step 7: Configure Network

  • Set IPv6 Compatibility to On.
  • Set WebSockets to On.
  • Set Pseudo IPv4 to Off.
  • Set IP Geolocation to On.
IP Geolocation might be needed for proper analytics (such as Google Analytics) of your blog. If you want to use Google Analytics, you need to configure the app within Cloudflare for that.

Step 8: Configure Scrape Shield

  • Set Email Address Obfuscation to On.
  • Set Server-side Excludes to On.
  • Set Hotlink Protection to Off.
You might want to configure some different settings here (especially when you are hosting images that you don't want to be hotlinked).
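The dashboard steps above can also be applied through the Cloudflare v4 API, which makes the configuration repeatable and reviewable. This is an added example, not code from the original post; it assumes the zone already exists (step 1), that CF_API_TOKEN holds an API token allowed to edit zone settings and page rules, and that ZONE_ID and DOMAIN are replaced with your own values. The whitelist of Blogger IP addresses from step 3 is left out because the post does not list them.

```python
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
ZONE_ID = "<your-zone-id>"   # placeholder, shown on the zone's overview page
DOMAIN = "yourdomain.tld"    # placeholder


def blogger_settings():
    """Zone setting ids and values matching steps 2 to 8 of the post."""
    return [
        # step 2 (SSL stays Flexible because Blogger offers no TLS at the origin yet)
        ("ssl", "flexible"), ("tls_client_auth", "on"), ("opportunistic_encryption", "on"),
        ("tls_1_3", "on"), ("automatic_https_rewrites", "on"),
        # step 3 (Challenge Passage of 1 day is given in seconds)
        ("security_level", "high"), ("challenge_ttl", 86400), ("browser_check", "on"),
        # step 4
        ("minify", {"js": "on", "css": "on", "html": "on"}), ("rocket_loader", "off"),
        # step 5 ('Standard' in the dashboard is 'aggressive' in the API; 4 hours in seconds)
        ("cache_level", "aggressive"), ("browser_cache_ttl", 14400), ("always_online", "on"),
        # step 7
        ("ipv6", "on"), ("websockets", "on"), ("pseudo_ipv4", "off"), ("ip_geolocation", "on"),
        # step 8
        ("email_obfuscation", "on"), ("server_side_exclude", "on"), ("hotlink_protection", "off"),
    ]


def always_https_rule(domain):
    """Page rule of step 6: Always Use HTTPS for http://*.domain/*."""
    target = {"target": "url", "constraint": {"operator": "matches", "value": f"http://*.{domain}/*"}}
    return {"targets": [target], "actions": [{"id": "always_use_https"}], "status": "active"}


def api_call(method, path, body, token):
    """PATCH one zone setting or POST one page rule; returns the decoded JSON response."""
    req = urllib.request.Request(f"{API}{path}", data=json.dumps(body).encode(), method=method,
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ["CF_API_TOKEN"]
    for setting, value in blogger_settings():
        result = api_call("PATCH", f"/zones/{ZONE_ID}/settings/{setting}", {"value": value}, token)
        print(setting, "ok" if result.get("success") else result.get("errors"))
    api_call("POST", f"/zones/{ZONE_ID}/pagerules", always_https_rule(DOMAIN), token)
```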

Some considerations

There are two things you will need to consider.
  • Update your template, code and scripts: It is quite likely that you will need to update the template and all your posts. Content may be loaded through embedded code or scripts over an insecure channel (http) instead of a secure one (https), and this will result in an error in the browser (insecure content is blocked on https websites). Therefore, test every page and post of your blog for such errors.
  • There is still no end-to-end encryption: Keep in mind that there is still no end-to-end encryption. All the traffic from the browser to Cloudflare is encrypted. Cloudflare gets the resources from Blogger and sends them to the browser. That way, for instance, the Internet Service Provider does not know which pages on the blog you are visiting.
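One way to run that test is to scan each page's HTML for resources still referenced over plain http, separating the ones a browser blocks on an https page (scripts, stylesheets, frames) from the ones that only trigger a warning (images, media). This is an added example, not code from the original post; the SAMPLE page is constructed, and in practice you would fetch every post and page of your blog and feed it in.

```python
from html.parser import HTMLParser

# Attribute that carries the resource URL, per tag that makes the browser load something.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "object": "data",
             "embed": "src", "audio": "src", "video": "src", "source": "src"}
# Active content is blocked outright on an https page; passive content (images, media) only warns.
ACTIVE = {"script", "iframe", "link", "object", "embed"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, "blocked" or "warning")

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        attr = URL_ATTRS.get(tag)
        # Only <link rel="stylesheet"> loads a resource; feed/alternate links are harmless.
        if attr is None or (tag == "link" and "stylesheet" not in a.get("rel", "").lower()):
            return
        url = a.get(attr, "")
        # Relative and protocol-relative ("//host/...") URLs inherit https and are fine.
        if url.lower().startswith("http://"):
            self.findings.append((tag, url, "blocked" if tag in ACTIVE else "warning"))


def find_mixed_content(html):
    """Return every resource reference in the page that would be fetched over plain http."""
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample resembling a Blogger post that still carries old http references.
SAMPLE = """<html><head>
<link rel="alternate" type="application/atom+xml" href="http://blog.example/feeds/posts/default">
<link rel="stylesheet" href="http://fonts.example/style.css">
<script src="https://cdn.example/widget.js"></script>
<script src="http://cdn.example/old-widget.js"></script>
</head><body>
<img src="http://img.example/photo.jpg">
<img src="//img.example/photo2.jpg">
<a href="http://other.example/page">plain link, not a resource load</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, severity in find_mixed_content(SAMPLE):
        print(f"{severity:8} <{tag}> {url}")
```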

My results so far on my move to Cloudflare

  • 2,257 unique visitors with 21,855 requests in total.
  • 62% of the traffic was served over SSL.
  • 197 threats stopped:
    • 151 originated from Ukraine.
    • 30 originated from France.
    • 12 originated from United States of America.
    • 4 originated from Israel.

Conclusion

Although full https is the best way to protect your website, this is the most that can be done for now for a blog hosted on Blogger with a custom domain name. All traffic between the visitor and Cloudflare is encrypted, and only Cloudflare makes http requests to my blog. This way privacy is better protected, and thanks to the firewalling the security of the blog is better protected too.

And last but not least, it also reduced spam comments on my blog, which had become quite a nuisance!