
Are there any plans to support SSLv3/TLSv1+ (i.e. HTTPS) connections to lichess.org and its subdomains in the future?

Asked by Hasimir
Tags security SSL TLS account reputation
Activity Viewed 29551 times, last updated
9
The case for TLSv1 or greater (with basic recommendations):

Though the site does not include any kind of financial function, it does provide a form of reputation to those users who have elected to identify themselves in some way. In particular those players ranked fairly highly (i.e. 2000 and over).

There has also been at least one report[1] in the forums of behaviour indicating an account was compromised, leading to games played with the intent of reducing that player's rating. Similar action against more prominent players aimed at having them declared to be cheaters has the potential to cause a great deal of trouble to those players, especially where chess is their livelihood. An important step in preventing this is providing a secure means of logging into the server and not requiring authentication data to be transmitted in clear text.

The best solution would almost certainly be one or two SSL certificates which support wildcard entries for subdomains. Ideally you want one which is already included with all the popular browsers in order to minimise the need for end user intervention. Avoiding the use of self-signed certificates is wise for the same reasons.

Even without necessarily having the correct web socket support for the Scala/Play framework, it should still be possible to maintain secure connections to the web servers (front-end processors), even if the internal lichess networking drops that within the lichess network. This should be enough to prevent attacks aimed at compromising the accounts of prominent players or administrators and with alternatives[2] for maintaining security within the lichess network or between servers.

This issue has cropped up from time to time, but with no apparent resolution. Workarounds do exist, at least to the extent of providing certain protections to user accounts. Even if it was not good enough for, for example, full PCI-DSS compliance.

There are also presently a number of major updates on the verge of release or which have just been released. Is SSLv3/TLSv1+ one of those due for an imminent release and, if not, will it be considered for deployment in the next release? Any information regarding a timeframe for the future deployment of SSLv3/TLSv1 would be appreciated.


1. http://en.lichess.org/forum/general-chess-discussion/bughack
2. A VPN would be ideal here since the lila API and other functions don't need to do anything, it's just a function of internal routing.
Hasimir commented :
Another option, as discussed on #lichess on Freenode earlier, would be to use HTTPS for initial authentication and account management, but use OAuth2 for other functions. Really, though, that would depend on whether TLS added too much overhead to be able to play bullet games without trouble. The real problem is still the cost of the snake oil ... I mean the certificate authorising the TLS keys.
quicksilversly commented :
I think using HTTPS should be added without question! People are entering usernames and passwords. If you don't add HTTPS, make sure that when people are signing up they know they are entering the usernames and passwords over an insecure connection. People could potentially be using their email usernames/passwords.
brandolon commented :
Yes, I think that if the site is not going to implement HTTPS, that should be clearly advertised during the sign-up process. E.g. "This site is not served over SSL. You should use a unique password for this account."
4 Answers
10
Answered by thibault
[EDIT] Lichess now uses HTTPS! [/EDIT]


Thanks for the well formulated and informed question.

First, I'd like to point out that no security issue related to the HTTP protocol has been observed yet. The example you mentioned is unrelated; it was a site-level exploit of a bug in lichess. I fixed it quickly.

HTTPS is a good thing. However, here are the reasons why lichess is sticking to HTTP:

- Moving to HTTPS requires some work from me. Code, and System Administration. Time is scarce, and my task queue is full.
- Proper certificates are expensive (how much?). Cheap certificates require the user to accept things they don't understand from a scary red browser dialog.
- The CDN (cloudflare) is free for HTTP. Moving to HTTPS would cost $20 per month.
- All resources of a HTTPS page must use SSL too. That probably includes websockets.
Hasimir commented :
Yeah, all of those are good points (especially the first one). The CA/snake oil issue is a major problem and even with cheaper providers (e.g. StartSSL), it stops being cheap when wildcard certificates are used. I use CloudFlare too, so I get where you're coming from there. I haven't double-checked the websockets thing, but I think you're right.

This does lead to a slight adjustment of POV (along the lines of a work around), but do you want that added below or raised as a new question? Or I could just go straight to email ...
thibault commented :
Feel free to email me, your ideas matter. Or even better, have a chat with me in #lichess IRC channel.
Mawk commented :
Now cloudflare has free HTTPS protection. SSL with no warnings costs 8$ per year, and that should be enough, as there is no monetary risk. I'd be willing to sponsor that.
With the costs pretty much discarded as a reason, are the other reasons still blockers for moving forward on this?
MasterCassim commented :
You can even get free certificates @ www.startssl.com/ which are supported by most (all?) browsers.
brandolon commented :
If there is interest in pursuing this, I would be happy to help. I'm a software developer and I work quite frequently with SSL/TLS configuration and setup. With the advent of letsencrypt, the monetary cost of certificates won't be an issue, although there will be an increased administrative cost to keeping all the certificates up to date. LetsEncrypt does not currently support wildcard certificates, but they do support Subject Alt Names, which would allow all the $locale.lichess.org domains to be on the same certificate (the downside with Subject Alt Names is you can't just add a subdomain without getting the certificate re-signed). I'll look for you on IRC and maybe we can chat about it.
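The wildcard certificate proposed in the question and the Subject Alt Names approach in the comment above cover different sets of hostnames. The following is an added example, not part of the original thread or of lichess code, that checks coverage using RFC 6125-style matching; the host and name lists (including the `fr` and `de` subdomains) are constructed for illustration.

```python
# Added example: which hostnames a certificate's DNS names cover.
# All name lists below are constructed, not read from a real certificate.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label, so it never matches the bare apex
    domain or a deeper subdomain.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.org").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(cert_names, hosts):
    """Return the hosts that no name on the certificate covers."""
    return [h for h in hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inputs (assumptions for this example).
SITE_HOSTS = ["lichess.org", "en.lichess.org", "fr.lichess.org", "de.lichess.org"]
WILDCARD_CERT = ["*.lichess.org"]                  # wildcard only
WILDCARD_PLUS_APEX = ["*.lichess.org", "lichess.org"]
SAN_CERT = ["lichess.org", "en.lichess.org", "fr.lichess.org"]  # explicit SAN list

if __name__ == "__main__":
    for label, names in [("wildcard only", WILDCARD_CERT),
                         ("wildcard + apex", WILDCARD_PLUS_APEX),
                         ("explicit SAN list", SAN_CERT)]:
        missing = uncovered(names, SITE_HOSTS)
        print(f"{label:18} uncovered: {missing or 'none'}")
```

Running a check like this against the deployed certificate before adding a new locale subdomain shows whether the certificate has to be reissued first.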
4
Answered by lunaticMonk
Another thread mentions let's encrypt and cloudflare has https now. I would really like to see this implemented. I cringe when I see a sign up/login page using http.
letsencrypt.org/
1
Answered by arex
I strongly support TLS only. As mentioned by lunaticMonk, maybe letsencrypt.org/ changes the situation a bit?
1
Answered by om1665061
I think there is one plan and there might not.
