It is currently Sat Jan 21, 2017 4:37 pm

All times are UTC - 7 hours





Post new topic Reply to topic  [ 23 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: HTTPS is broken
PostPosted: Sun Feb 21, 2016 5:48 pm 
Offline

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 17611
Location: NE Indiana, USA (NTSC)
I know someone who is unwilling to participate in the forum and wiki over HTTP but might consider it over HTTPS. As of right now, https://nesdev.com/, https://www.nesdev.com/, https://forums.nesdev.com/ and https://wiki.nesdev.com/ produce the following:
forums.nesdev.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
The certificate is only valid for localhost
The certificate expired on 07/25/2014 01:04 AM. The current time is 02/21/2016 07:39 PM.

(Error code: sec_error_unknown_issuer)

The barrier to implementing HTTPS used to be the cost of a separate IPv4 address per domain, but that ended in April 2014 when the last major SNI-ignorant desktop web browser (Internet Explorer for Windows XP) reached end of life. The barrier after that was the cost of TLS certificates, but since Let's Encrypt opened to the public, a TLS certificate is available without charge to the server administrator. What other barriers to making HTTPS work exist, other than the server administrator's time?


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Mar 17, 2016 1:35 pm 
Offline
User avatar

Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3178
Location: Mountain View, CA, USA
General brain dump from someone who's been doing this for a long, long time:

* Let's Encrypt certs expire every 30 days (apparently this has been increased to 90). There are "hacks" (as in shitty shell scripts, and generally borderline ridiculous nonsense) to try and "automate" getting a new cert + putting it in place via this method, which is disappointing when compared to, say, an actual decent CA (ex. NameCheap, Gandi, etc.) which will send you an Email reminding you that your certs need to be renewed before their expiry.

* Let's Encrypt doesn't support wildcard certificates citing some sort of ACME hard-on. Otherwise you're going to need a cert that's for the root domain (this is something CA-based wildcard certs don't actually give you in most cases -- it ends up having to be one of the names in your subjectAltName list, i.e. you have to pay for it), one for www, one for forums, one for wiki, and god knows what else. Someone will need to do a full review of all DNS records that point to said server.

Oh, and don't forget about any redirections for old names, e.g. https://nesdev.parodius.com --> https://nesdev.com will not work (I'm not going to get SSL for something legacy -- sorry). HTTP-to-HTTPS redirection is possible but "generally shunned" because it gives users a false sense of security when visiting legacy URLs.

* HTTPS is substantially slower and in some environments (very specific kinds of caching proxies) cannot be cached. One thing that's absolutely guaranteed is that the connection set-up time is substantially longer given the SSL negotiation overhead. SPDY helps with this, but SPDY isn't available in all webservers, and getting it to work correctly as a module in Apache is sometimes tedious at best. My point is, expect worse performance.

* Configuration of SSL/HTTPS -- meaning PROPER configuration, especially when CA/cert chains are involved! -- can be painful. Use of Qualys' SSL Test is highly useful, but the information given there isn't always immediately clear. How to configure Apache properly is substantially different than nginx, and the configuration methodology/approach even varies per CA (I'm not making this up -- it all depends on what the CA gives you back). I can't stress the importance of using Qualys' SSL Test. People screw up certificate chains all the time.

* Actual forum or software configuration bits. Sometimes changing the scheme (HTTP -> HTTPS) will break badly with software configurations that need to know what the scheme is. Forum software and wiki software come to mind -- I can imagine them botching internal links and so on unless configured correctly. And sometimes there's multiple places this needs to be done.

* HTTP-to-HTTPS redirections within the webserver itself (e.g. mod_rewrite, not HTTP header Location: redirects!) may need to be done for things like images, i.e. there may be old links in people's forum posts or wiki content that refer to the http:// version. You get to deal with "migrating" all of those over to https:// otherwise.

* The admin now needs to begin tracking OpenSSL security holes (usually one or two coming out every few months at this rate) and patches for OpenSSL for their OS and/or Linux distro. In other words: what wasn't a concern before now becomes a serious concern. Let's not discuss the feasibility of switching to WolfSSL or LibreSSL at this time -- let's remain practical/realistic.

In other words: "other than the administrator's time" is putting it very, very lightly. SSL is a total nightmare.

That said, my personal (I'd border on saying professional) opinion is this: the main reason people want HTTPS (for non-banking-related things) is because they're don't want their L/P credentials possibly sniffed and decoded. That's it. So really the only things I'd recommend HTTPS be considered for are the forum and the wiki. There's nothing on the main site that warrants use of HTTPS.

So, at NameCheap, that's either $9/year (if you had separate certs, one per hostname; PositiveSSL), or $30/year (one cert for both hostnames, one as CommonName the other as a subjectAltName; PositiveSSL Multi-Domain). At Let's Encrypt, that's either one or two certs (not sure which), and the admin gets to deal with a bunch of bullshit every 90 days -- and if they fail to deal with it, users get a wonderful warning (often a dialog box) telling them of the expiry until it's dealt with.


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Mar 17, 2016 5:04 pm 
Offline

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 17611
Location: NE Indiana, USA (NTSC)
koitsu wrote:
Oh, and don't forget about any redirections for old names, e.g. https://nesdev.parodius.com --> https://nesdev.com will not work (I'm not going to get SSL for something legacy -- sorry). HTTP-to-HTTPS redirection is possible but "generally shunned" because it gives users a false sense of security when visiting legacy URLs.

If you put a Strict-Transport-Security header on the HTTPS side, the browser will automatically do the redirection for you for page views after the first.

Quote:
* HTTPS is substantially slower and in some environments (very specific kinds of caching proxies) cannot be cached.

It can if the user of the caching proxy installs the caching proxy's root certificate. This is common in corporate environments.

Quote:
One thing that's absolutely guaranteed is that the connection set-up time is substantially longer given the SSL negotiation overhead.

Even if HTTP/2 (formerly SPDY) is unavailable, false start and keep-alive help with this.

Quote:
* HTTP-to-HTTPS redirections within the webserver itself (e.g. mod_rewrite, not HTTP header Location: redirects!) may need to be done for things like images, i.e. there may be old links in people's forum posts or wiki content that refer to the http:// version. You get to deal with "migrating" all of those over to https:// otherwise.

The Content Security Policy spec includes upgrade-insecure-requests, which instructs the browser to rewrite all HTTP URIs for scripts, images, and the like as HTTPS URIs.

Quote:
the main reason people want HTTPS (for non-banking-related things) is because they're don't want their L/P credentials possibly sniffed and decoded. That's it. So really the only things I'd recommend HTTPS be considered for are the forum and the wiki.

In other words, where I spend 99.9% of my time on the site.


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Aug 11, 2016 5:26 pm 
Offline

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 17611
Location: NE Indiana, USA (NTSC)
An update, based on several months of successful operation of Let's Encrypt and some recent events:

koitsu wrote:
* Let's Encrypt doesn't support wildcard certificates citing some sort of ACME hard-on. Otherwise you're going to need a cert that's for the root domain (this is something CA-based wildcard certs don't actually give you in most cases -- it ends up having to be one of the names in your subjectAltName list, i.e. you have to pay for it), one for www, one for forums, one for wiki, and god knows what else. Someone will need to do a full review of all DNS records that point to said server.

The SANs I can think of at the moment are 8bitalley.com, nesdev.com, www.nesdev.com, nesdev.parodius.com, forums.nesdev.com, wiki.nesdev.com, and the other hosted sites.

Quote:
* HTTPS is substantially slower and in some environments (very specific kinds of caching proxies) cannot be cached.

An intermediate caching proxy is also an intermediate rewriting-to-include-ransomware-links proxy.

Quote:
I can't stress the importance of using Qualys' SSL Test. People screw up certificate chains all the time.

Thanks for the recommendation.

Quote:
At Let's Encrypt, that's either one or two certs (not sure which), and the admin gets to deal with a bunch of bullshit every 90 days

The idea is that cron will deal with the bullshit every 60.


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Aug 11, 2016 7:42 pm 
Offline

Joined: Sat Oct 02, 2004 12:07 pm
Posts: 160
Just so you all know,I'm working on coming up with funding to get a newer server, when and if I can come up with the money I will get proper HTTPS setup and a more traditional hosting system for hosted sites

_________________
i dont have much to say


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Sat Aug 13, 2016 4:59 pm 
Offline
User avatar

Joined: Thu Jan 03, 2008 1:48 pm
Posts: 431
WhoaMan, just start a donation post for PM donations in General. :)


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Mon Aug 15, 2016 10:49 pm 
Offline
User avatar

Joined: Sat Jul 12, 2014 3:04 pm
Posts: 633
B00daW wrote:
WhoaMan, just start a donation post for PM donations in General. :)

This.


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Sep 08, 2016 1:39 pm 
Offline
User avatar

Joined: Mon Feb 07, 2011 12:46 pm
Posts: 862
It should be made available both HTTP and HTTPS, if it can be done. HSTS is bad and don't use it, and don't implement it in the client-side either (I have hacked out HSTS from Firefox).

_________________
.


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Mon Sep 12, 2016 11:42 pm 
Offline

Joined: Sat Oct 02, 2004 12:07 pm
Posts: 160
HTTPS works now :)

_________________
i dont have much to say


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Wed Sep 14, 2016 3:57 pm 
Offline

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 497
Works, but HTTP doesn't work any longer (it's automatically redirecting to HTTPS). Encryption is nice, but it's also slower, at least on old computers.
Which, well, I guess nobody but me is having any problems with it. And even with the encryption, nesdev does still feel faster than sites like wikipedia or facebook.
Anyways, an option to disable HTTP-to-HTTPS redirection would be nice for retro people with old hardware. This is an 8bit forum after all : )

EDIT: Now it's working again, and it's really loading faster that way. Thanks for fixing!


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Sep 15, 2016 5:13 pm 
Offline
Formerly 43110
User avatar

Joined: Wed Feb 05, 2014 7:01 am
Posts: 247
OK, is there a way to enable HTTP-to-HTTPS redirection? Because without that, anything can just downgrade the connection. The links within this site, and malicious downgrade attacks outside this site.[citation needed]


Last edited by JRoatch on Thu Sep 15, 2016 5:23 pm, edited 2 times in total.

Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Sep 15, 2016 5:15 pm 
Online

Joined: Sun Apr 13, 2008 11:12 am
Posts: 5190
Location: Seattle
Why not just bookmark the HTTPS version instead?


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Sep 15, 2016 5:18 pm 
Offline
Formerly 43110
User avatar

Joined: Wed Feb 05, 2014 7:01 am
Posts: 247
lidnariq wrote:
Why not just bookmark the HTTPS version instead?

Doesn't work. As I just edited, practically every link will just revert the connection back to HTTP.


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Sep 15, 2016 5:28 pm 
Online

Joined: Sun Apr 13, 2008 11:12 am
Posts: 5190
Location: Seattle
I wonder what's breaking for you?

It's working for me: this reply was made from the https URL, clicked on the "reply" button and stayed on the https version, and followed links that stayed on the https version. Both forum and wiki.

Could be the proxy, maybe?



That said, the very front page is using http (rather than protocol-relative) links for its stylesteet and favicon


Top
 Profile  
 
 Post subject: Re: HTTPS is broken
PostPosted: Thu Sep 15, 2016 6:37 pm 
Offline

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 17611
Location: NE Indiana, USA (NTSC)
I've added a private custom profile field "Redirect to HTTPS" of type Boolean. How easy would it be to wire up automatic redirection if and only if this is checked?


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 23 posts ]  Go to page 1, 2  Next

All times are UTC - 7 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group