Comparison of furry website HTTPS configurations
Security is necessary for one's own protection, both offline (to protect one's physical safety and possessions) and online (protecting identity, money and, as the our digital and real lives become more integrated, even physical possessions). Our own behaviours and security systems need to work together to be effective. It's no good having the latest burglar alarm, strong locks on your doors and a security gate if one leaves the door wide open. Similarly, it's great to lock the door each time one goes out - but if that door is secured solely by a latch, it won't be effective. As I've given some basic guidelines on how to stay safe online, I'm now comparing how furry sites are helping their users stay safe.
Update (Jan 28): All Weasyl servers now receive an A grade, however the server configuration is still not consistent.
One basic way of increasing security online is for websites to use HTTP Secure (HTTPS). This has two main functions. First it makes sure that one is connected to the intended website, preventing “man-in-the-middle” attacks, and, secondly, it encrypts data between end-points, preventing eavesdropping. This is essential for email and banking sites, but it's a good policy for all websites. Many furry sites use or have an HTTPS version available. HTTPS is not the only way of securing a website, and does not solve all problems, but it is a good first step.
I used the Qualys SSL Server Test, to test the SSL implementations of a variety of furry and furry-related websites. Qualys is a US-based provider of cloud security, compliance and related services. As a publicly available tool, anyone can confirm or expand on the results.
The results are shown in decreasing score, sorted by grade, whether HTTPS is forced and then by total score.
|Site||Address||Force HTTPS||Certificate||Protocol Support||Key Exchange||Cipher Strength||Grade|
For sites returning multiple servers the first entry was taken as representative if all received the same score. If different servers (different IP addresses) received different scores then the lowest score was taken. Weasyl and DeviantArt both return an “inconsistent server configuration” error with the lowest score shown above; for both of them the other servers receive an A rating. To test if HTTPS was forced, the HTTPS portion of the URL was replaced with HTTP and the new URL was entered in Chromium 39. If the site redirected the browser to the HTTPS version it was considered enforced.
At first it looks odd that Inkbunny receives an A+ grade while achieving scores equal to or slightly lower than other sites. While Inkbunny would've normally received an A grade, its score was increased A+ due to supporting “HTTP Strict Transport Security with long duration.” This protects communication with Inkbunny by ensuring that server and user communicate through a secure connection, resisting attempts to force the use of insecure connections.
Inkbunny, F-list and DeviantArt all use SHA-256 with RSA to sign their certificates. Other sites tested use the weaker SHA-1 with RSA. As SHA-1 support is intended to be discontinued in 2016, these sites will need to update their configuration to the new standard. In fact, sites with long-lasting certificates using SHA-1 may be shown as partially insecure on current browsers, as Google states:
That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface. [example at left]
Inkbunny also provides forward secrecy for all tested clients except for outdated software configurations (IE6 on XP, which fails the handshake completely, and IE8). Forward secrecy means that even if someone gains access to the server's private key, they will not be able to decrypt previous communications between the user and server. Weasyl gives almost the same results on those tests, but also fails the IE8 handshake. Other sites do not offer forward secrecy for as many configurations and many fail handshakes with multiple configurations.
DeviantArt was capped at a B grade for accepting the once-widely-used RC4 cipher, which has known vulnerabilities. There were no other major problems detected for DeviantArt; if it didn't accept RC4, it would've received an A grade.
F-List received an A grade, but only works in browsers with SNI support. For the most part that will only affect users on outdated systems, for example using Windows XP, IE6 or lower, or the Android 2.x browser.
Weasyl suffers greatly in this test due to just one server with a different configuration to the others. The server in question is vulnerable to OpenSSL CCS vulnerability (CVE-2014-0224), resulting in the score being capped at an F rating. This result is unusual as the Weasyl server settings were otherwise good. Despite using SHA-1, Weasyl enforces HTTPS connections and supports HTTP Strict Transport Security on some of its servers. In addition, this deviation was not present a few weeks ago.
It's pleasing to see that many furry sites offer good security options, with many doing better than their more-professional competitor, DeviantArt. Inkbunny offers the highest security out of the tested sites due to extra security features, a superior signature algorithm and enforcing HTTPS connections. It is unfortunate that many of the sites do not enforce HTTPS connections when they have the opportunity, going against the recommended best practices. Fur Affinity generally uses an insecure connection with the exception of the login page.
Another security flaw on some furry sites is the failure to secure the entirety of a webpage. When fragments of a page, such as images, are insecure, it undermines the whole system - attacks can often be launched through those elements to compromise the secure channels. While Flayrah is generally secure, the front page contains unencrypted elements, as do SoFurry user pages which embed external images (example).
At other times sites have taken actions which do not seem to have considered user security. For example, in a recent DDoS attack, SoFurry disabled HTTPS (see here and here). While this had the positive effect of keeping the site up and functioning, it also meant disabling security when it might most be needed. An attacker could take advantage of this vulnerability to subject SoFurry users to a more serious attack.
When asked about this, SoFurry administrator Toumal maintained that the possibility was small:
So I made the call to just support http during these attacks. Because everything else would not have been practical. It doesn't mean "disabling security", it means that encryption was not available. Encryption does not equal security. So yes, while someone might use a DDoS to force us to drop encryption, that's kind of a far fetched scenario. They can just use sslstrip or other attacks, or go for the endpoint itself (i.e. the user's computer) - which in most cases is a MUCH easier target
However he did say he could tell users to consider the implications of using a plain HTTP connection during an attack and did do so during a subsequent DDoS. This is now largely irrelevant as, since Saturday, SoFurry has been reconfigured to enforce HTTPS across the whole site.
HTTPS is enforced for six of the sites tested. However, major sites such as Fur Affinity and DeviantArt do not do this. How can users enable encryption? In some cases, you can manually enter the 'https:' (or change your bookmark to it). If the site is appropriately configured, all navigation will remain in the secure version once you've connected to it. This won't happen if you click on an HTTP link while browsing, though; and DeviantArt will switch you back straight away. Plus, some sites may still use HTTP behind the scenes.
A better option is to install the Electronic Frontier Foundation's (EFF) HTTPS Everywhere – a browser extension that automatically converts URLs to a secure version according to a set of rules. Although it does not support the above sites by default, the HTTPS Everywhere Atlas has rules for the above sites that do not enforce HTTPS connections. There is partial support for Fur Affinity but, currently, the DeviantArt ruleset is disabled with the note, “site operator says not ready yet.”
There are notes of caution regarding these results. HTTPS does not provide perfect security; for some attacks it doesn't provide any protection. It is one small aspect of online security, and care should be taken not to give the results more meaning than they deserve.
In addition, due to the rapidly changing nature of the internet, these results are only valid at the time the tests were performed. Between the first test and the final version, many sites made changes and scores have, in some cases, changed dramatically. Originally SoFurry received a C grade, although that was dealt with in minutes when the results were brought up with Toumal; it only recently began forcing HTTPS connections. F-list increased its score from a B to an A during the writing of this article, while Weasyl dropped from an A to an F due to poor configuration of a single server. An attempt was made to contact the Weasyl administration, but no reply had been received by the time this article was submitted.
The large-scale DDoS attack that hit many furry sites a few months ago and the chlorine attack at MFF should have made furs more aware of the need for awareness and security. While not addressing either incident specifically, HTTPS is a basic security step (see the Chromium project's proposal to mark HTTP sites as insecure) that's available to the major furry sites. Inkbunny, SoFurry and Weasyl now all force secure connections, while Fur Affinity and DeviantArt do not.
The results and linked best practice guidelines here will hopefully serve to motivate and guide site owners in improving their security. For most, the step is to enforce HTTPS for all communication with the site; for some, more drastic changes are necessary to offer a secure experience.
Flayrah, WikiFur and Inkbunny are led by GreenReaper.