Search terms not being properly encrypted between SmartScopes server and Reddit

After further investigating it seems like the leak to reddit mods occurs because the scope uses https://reddit.com versus https://ssl.reddit.com which is called for by the API for SSL queries.

David,

Just a note the reason it was leaking data on https://reddit.com is because Reddit uses Akamai CDN for their site to scale to traffic but they do not use the SSL service because SSL via CDN providers is expensive. Instead they enable SSL via https://ssl.reddit.com using their API.

But FWIW I also do not think you can simply just change the url I think you need to make some small changes to properly make the calls via oauth2 otherwise it may kick back the call still.

https://github.com/reddit/reddit/wiki/OAuth2

Here on SSL not working on https://reddit.com and instead redirecting queries back to http http://www.reddit.com/r/redditdev/comments/155hs3/recent_problem_with_sslenabled_reddit/c7jn53u

I tested out https://reddit.com using the same query the scope works and confirmed it does the kickback to http.

So looking at the scope more closely and their documentation I do not think changing out will work as you have in your proposed change. I think you will need to rewrite the scope to use Reddit's API and register a "Installed App" and get a token and secret otherwise it seems without using oauth and having a registered app their API will kick back queries too although with a app and token/secret you can pass searches using their API and they will be via HTTPS.

Marking Public Security since privacy is not needed.

The certificate on https://reddit.com is invalid, so either the code wasn't working at all, which means it wasn't leaking, or it's not checking certs properly, which means changing it to https://ssl.reddit.com will still result in a MITM being able to capture traffic.

Thanks for all that info, I'm looking into it. For the record all this happens between the SmartScopes Server and Reddit, the data provider can't correlate queries with a specific user.

Marc,

https://reddit.com redirects to http because its Akaimai. They setup SSL.reddit.com specifically for SSL and apps so no risk there.

David,

Yeah I had not realized scopes now were on a canonical server this is probably a good thing. I haven't really followed the feature.

Benjamin,

I don't think you quite understand what I'm saying. If the code worked with https://reddit.com and an invalid certificate, it means it's not properly doing certificate validation. Just changing the URL to https://ssl.reddit.com isn't enough to prevent a MITM, the certificate validation needs to be fixed also.