Added security while using Write.app

As I remind everyone constantly, Write.app is all about privacy. So, as the sole developer behind the project, I take security seriously. I made sure to use 2048-bit SSL from day 1, encrypt user passwords, and make everything private by default. That said, I know there are still some weaknesses in the system, but today we took another step toward even more security for users.

Today I enabled HSTS for the site. HSTS stands for HTTP Strict Transport Security and, in plain English, it tells your web browser not to access this site over anything but SSL (you know, "https"). Before today, if you had simply typed "writeapp.me" into your address bar, your browser would send you to http://writeapp.me, as that's what a browser does by default since not all sites use SSL. From there Write.app would see you were trying to connect and seamlessly redirect you to https://writeapp.me. That's a standard and accepted solution for most sites that need to be secure, but it wasn't enough for me.

What if you were accessing the site over a public network? Someone could intercept your connection before you ever connected to Write.app and use an HTTPS stripping attack. In an HTTPS stripping attack there's a person between you and any site you're trying to connect to. They stop you from being redirected to the secure, HTTPS version of the website and intercept any data sent back and forth between you and the server. They do this by basically acting as if they were the site you were connecting to. So, for example, if you were trying to log into Write.app and there were someone performing an HTTPS stripping attack on you, this is what would happen:

  1. You type "www.writeapp.me" into your browser

  2. The attacker intercepts the connection, then himself connects to the site, retrieves the data sent, and then sends it to you as if they were the site you're trying to reach.

  3. You enter your username and password to log in

  4. The attacker has stopped us from redirecting you to connect over SSL so now he has your username and password because, as we all know, data that isn't sent over HTTPS is unencrypted and viewable in plain text. He uses your username and password to log into the site and sends our response back to you as if he were us.

  5. At this point anything you enter is available to the attacker and there is no way to tell that this is happening. Or is there?

The only way to be sure you're on a secure connection is to look for the little green lock icon in your browser and the "https" in the URL.

But not to worry! Because we enabled HSTS today, we can avoid that ever happening to you. The first time you visit Write.app after we've enabled HSTS, we send a message to your browser telling it to never allow anything except an HTTPS connection when connecting to our servers. From that point on, no matter what you enter into the URL bar (it can be www.writeapp.me or writeapp.me or http://writeapp.me), your browser will automatically change it to https://writeapp.me before you ever make a single request. This means that there are no more redirects to HTTPS and the chances of an HTTPS stripping attack are negligible.

Full disclosure: There is only one situation where you are still vulnerable to this sort of attack. That situation is the very first time you connect to this site after HSTS has been enabled. This is because we cannot tell your browser to only use SSL until after we've established an HTTPS connection. However, the chances of that are very slim and this is unavoidable.
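The browser-side behaviour described in the last two paragraphs, as an added example (not Write.app's code): a small model of a browser's HSTS store following RFC 6797. The `HstsStore` class, the header values (`max-age`, `includeSubDomains`) and the timestamps are assumptions made for illustration; the post does not say which directives the site sends.

```javascript
// Added illustration: minimal model of a browser's HSTS store (RFC 6797).
// Header values and timestamps are constructed sample data.
class HstsStore {
  constructor() { this.hosts = new Map(); } // host -> { expires, includeSubDomains }

  // Record a Strict-Transport-Security header seen on a response.
  noteResponse(url, headerValue, nowSec) {
    const u = new URL(url);
    // Ignored over plain HTTP: an on-path attacker could forge or strip it.
    if (u.protocol !== 'https:' || !headerValue) return false;
    const directives = headerValue.split(';').map(d => d.trim().toLowerCase());
    const maxAge = directives.map(d => /^max-age="?(\d+)"?$/.exec(d)).find(Boolean);
    if (!maxAge) return false; // max-age is a required directive
    const seconds = Number(maxAge[1]);
    if (seconds === 0) { this.hosts.delete(u.hostname); return true; } // clears entry
    this.hosts.set(u.hostname, {
      expires: nowSec + seconds,
      includeSubDomains: directives.includes('includesubdomains'),
    });
    return true;
  }

  // Exact host match, or a parent domain that set includeSubDomains.
  isKnown(hostname, nowSec) {
    const labels = hostname.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (entry && entry.expires > nowSec && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }

  // What the browser does with address-bar input before any request is sent.
  rewrite(input, nowSec) {
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(input);
    const u = new URL(hasScheme ? input : 'http://' + input);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, nowSec)) u.protocol = 'https:';
    return u.href;
  }
}

const store = new HstsStore();
const T0 = 1700000000; // constructed "now", in seconds
const firstVisit = store.rewrite('writeapp.me', T0); // no entry yet: goes out over http
store.noteResponse('http://writeapp.me/', 'max-age=31536000', T0); // ignored, not HTTPS
store.noteResponse('https://writeapp.me/', 'max-age=31536000; includeSubDomains', T0);
const laterVisit = store.rewrite('http://www.writeapp.me/login', T0 + 60);
console.log(firstVisit, '->', laterVisit);
```

The first `rewrite` call is the unprotected first visit from the full disclosure above; once the header has been received over HTTPS, the upgrade happens locally until the `max-age` lifetime runs out.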

If you're reading this right now (and you see the green lock and/or 'https' in the URL bar) then you're protected and even more secure on Write.app than ever before.

Future security measures

In the future I'll be upgrading from encryption to password hashing using bcrypt and regularly patching the core Write.app code. I'm not done yet!
