
Google Extends SSL To Developer-Facing APIs

Posted by timothy
from the scramble-your-bits-please dept.
Orome1 writes "Firesheep's authors can be satisfied with the gradual migration towards SSL that most of the biggest social networks, search engines, online shops and others have embarked upon since its advent. Google, which has already taken care of its users and encrypted its Web Search, Gmail and Google Docs, has now turned its attention to the APIs used by developers."
  • by mirix (1649853)

    Encryption is like bacon. The more the better.

  • by seifried (12921) on Thursday March 17, 2011 @11:50PM (#35525972) Homepage

    Since we generally can't just shut down access to port 80 yet (people would just get errors and confused and angry) there are two methods you can use to transition clients to HTTPS. Use HTTP Strict Transport Security which will address newer clients like Chrome, ideally they access your site securely the first time and you essentially tell them "from now on use HTTPS" for a specific amount of time (the longer the better):

    # Directives go in one header value, separated by semicolons
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    The second will address current clients, but will not prevent things like Firesheep. However it will hopefully result in people bookmarking your site with HTTPS and so on:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]

    This should also in theory cause any incoming links from sites that generate them dynamically (e.g. search engines) to take the permanent redirect and update their links (so if someone searches for you and clicks on the link it'll be an HTTPS link)
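
A check for the two methods in the comment above, added here as an example and not part of the original post: it parses a Strict-Transport-Security value the way RFC 6797 clients do and confirms that plain HTTP gets a permanent redirect to HTTPS. The response tuples and the `example.test` host are constructed sample data.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return directives or None if invalid."""
    # A comma-joined value is equivalent to several header fields, and RFC 6797
    # clients process only the first one, so anything after a comma is dropped.
    first = value.split(",")[0]
    directives = {}
    for part in first.split(";"):          # directives are separated by ';'
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:             # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None                        # max-age is required and must be an integer
    return directives

def audit(http_resp, https_resp):
    """Each response is (status, headers). Returns findings; empty list means pass."""
    findings = []
    status, headers = http_resp
    if status not in (301, 308) or not headers.get("Location", "").startswith("https://"):
        findings.append("plain HTTP is not permanently redirected to HTTPS")
    _, headers = https_resp
    policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
    if policy is None:
        findings.append("no valid HSTS policy on the HTTPS response")
    elif "includesubdomains" not in policy:
        findings.append("HSTS policy does not cover subdomains")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD_HTTP = (301, {"Location": "https://www.example.test/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"})
# Comma-joined value, as produced when a directive is appended as a second header value.
COMMA_HTTPS = (200, {"Strict-Transport-Security": "max-age=15552000, includeSubDomains"})

if __name__ == "__main__":
    print(audit(GOOD_HTTP, GOOD_HTTPS))
    print(audit(GOOD_HTTP, COMMA_HTTPS))
```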

    • Re: (Score:3, Informative)

      by wunderbus (1545573)
      If you're using Java servlets, you can include the following in your web.xml:

      <!-- Redirects all http requests to https. Does not send cookies with the redirect. -->
      <security-constraint>
        <!-- web-resource-collection must come first and needs a name; this name is arbitrary -->
        <web-resource-collection>
          <web-resource-name>All resources</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <!-- Prevents the application from appending
  • by xophos (517934) on Friday March 18, 2011 @09:14AM (#35528712)

    Typing https://slashdot.org/ just brings you back to http://slashdot.org/.
    Is it too hard to do, or does no one care here?

  • One of the long-standing shortcomings of App Engine was the lack of server certificate validation in the URL Fetch service. Google apparently took care of that as well.
