Jump to content

Fuwanovel.net security concerns


Recommended Posts

It's been bothering me that Fuwanovel uses HTTP for the main website and all subdomains (including these forums) and immediately downgrades all secure connections to HTTP via a redirect (301). This is concerning because all requests such as logins, sending session cookies etc. are transmitted in plaintext, making it trivial for a man-in-the-middle attack to steal user credentials (and users tend to re-use those on multiple sites even though they should know better) or hijack sessions, they can read all messages and intercept or modify them at will, including sending the user to their own site while making it appear as fuwa (there are also many other good reasons to switch everything to HTTPS , but these are currently the most pressing issues).
To prevent this, HTTPS should be enabled everywhere and should be enforced by enabling HSTS to avoid attacks such as those of sslstrip.

(ignore the next paragraph if you already how to fix this issue and just haven't come around to do so yet - though at least the first part shouldn't take very long at all and the second isn't too bad either)
One possible solution: Since Fuwanovel already uses Cloudflare, you can fix part of the connection very easily: Go to Cloudflare -> Crypto, set SSL to Flexible (should already be that way, really we want Full (strict), but that might involve more steps on your part, see below), and enable HSTS on all subdomains (hard to go back on, but you shouldn't ever want to go back on it anyways), you also might want to redirect everything to HTTPS one way or another. This fixes the issue for the connection between users and Cloudflare, however the connection between Cloudflare and your servers is still insecure, so make sure your web servers support HTTPS (might involve some tweaking of configurations or proxying in the worst case if your web server doesn't support it) and you have a valid certificate set up (certificates from Let's Encrypt are free and easily automatable, don't see a reason not to use them), then set the Cloudflare SSL setting to Full (strict). Now the connections between Cloudflare and your servers are secure as well. (You could optionally set up Authenticated Origin Pulls to make sure you're only responding to traffic coming through Cloudflare.)

Link to comment
Share on other sites

2 minutes ago, Narcosis said:

It's better to not reveal such information publicly at all; you're giving people ideas. Send a PM to @Tay or @Nayleen instead.

Was going to do that initially, but after double-checking the contact pages, this seemed to be the designated place for such reports and posted here instead.
Concerning responsible disclosure: I feel like anyone who's able to pull off a MITM attack will already have recognized that all connections to Fuwanovel are unencrypted just by looking at their browser's address bar or more likely have a program that filters all unencrypted connections automatically, so me stating that the connections are insecure doesn't really change the risk of an attack.

Link to comment
Share on other sites

Most (if not all) pages on the main blog, as well as all content served by the forums should now be delivered through HTTPS.

moon.fuwanovel.net is updated yet, simply because I don't know how to. @Tay pls fix.

Also toggled a forums setting that user-embedded images should be served from the site instead, let's see how that one affects the site's performance.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...