OSDev.org

The Place to Start for Operating System Developers

All times are UTC - 6 hours




 Post subject: Re: TLS for OSDev Website?
PostPosted: Sun Oct 16, 2016 11:54 pm 

Joined: Wed Jul 13, 2011 7:38 pm
Posts: 558
Hey, here's a cool thing -- I've worked with numerous PHP applications that sh!t the bed if you convert them from HTTP to HTTPS.

Also, I'm a network engineer. I deal with OSI and TCP/IP stack crap daily and get paid for it. I know what I'm talking about.


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Mon Oct 17, 2016 12:27 am 

Joined: Sat Mar 01, 2014 2:59 pm
Posts: 1146
It's still not that hard. In fact that's not even required, just recommended (as it prevents users from accidentally sending their existing authentication cookies over HTTP).

_________________
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.

Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Wed Jan 25, 2017 12:42 am 

Joined: Thu Oct 06, 2016 10:08 am
Posts: 2
I actually forgot about this until I just saw that another service I use has the same issue, but to answer your concern Kazinsal, while I don't doubt you have used a lot of PHP applications that would lose it if they had TLS implemented into them, I do know for a fact that one can use nginx to implement a proxy to any web-based server. Last year, I had tested this when I created my own personal certificate authority and loaded up a Jekyll server over nginx on localhost. Jekyll has no knowledge about anything that is going on with encryption and gets the same headers as usual. An example I have just loaded for this post is located at https://pastebin.com/hEsV08Sn. The PHP server itself will never know the difference. Proof of this is a sample capture I took when loading https://duckduckgo.com/ on Firefox. The capture is located at https://pastebin.com/Yx2fW64G.


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Wed Jan 25, 2017 1:28 am 

Joined: Thu Jul 12, 2012 7:29 am
Posts: 723
Location: Tallinn, Estonia
Kazinsal wrote:
Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt.


It's exactly that simple - you tell the reverse proxy to accept only https connections and add a server cert (or let letsencrypt install it) and that is exactly all that is needed, phpBB or not.

Are you sure you're a network engineer?

_________________
Learn to read.
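
The reverse-proxy setup described in the two posts above, as an added example that is not part of the thread or any poster's configuration: nginx terminates TLS and forwards plain HTTP to an unmodified backend. The hostname, backend address and certificate paths are assumptions.

```nginx
# Added example: TLS termination in front of an HTTP-only backend.
# Assumptions (not from the thread): hostname forum.example.org, backend
# listening on 127.0.0.1:8080, certificate files at certbot's default paths.

# Port 80 serves no application content; it only redirects to HTTPS.
server {
    listen 80;
    server_name forum.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name forum.example.org;

    ssl_certificate     /etc/letsencrypt/live/forum.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Browsers that have seen this header go straight to HTTPS on later
    # visits instead of making a first request in cleartext.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The backend still speaks plain HTTP on the loopback interface.
        proxy_pass http://127.0.0.1:8080;

        # Preserve the original request details for the application's logs
        # and URL generation.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The proxy only encrypts the transport. An application that builds absolute `http://` URLs or sets cookies without the `Secure` attribute keeps doing so until its own settings are changed, which is worth checking after the switch.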


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 8:23 am 

Joined: Fri Oct 27, 2006 9:42 am
Posts: 1925
Location: Athens, GA, USA
Sorry to dredge up this long-dead thread, but I assume all of you are aware that two of the major browsers have deprecated unencrypted HTTP and are planning on dropping support for it in the next two years? This has been on Google's plate for two years now and Mozilla followed suit soon after. It is a safe bet that where Google goes, WebKit will follow. I don't know what Microsoft's plans for Edge are, nor Apple's for Safari, but I expect that they have similar plans. Chrome has been warning about logins that use cleartext HTTP with a positive-confirmation pop-up since last September.

It is rapidly approaching the already far too long delayed day when unsecured HTTP won't be an option on the public Web.

_________________
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 8:30 am 

Joined: Tue Aug 02, 2016 1:52 pm
Posts: 286
Location: East Riding of Yorkshire, UK
Schol-R-LEA wrote:
Sorry to dredge up this long-dead thread, but I assume all of you are aware that two of the major browsers have deprecated unencrypted HTTP and are planning on dropping support for it in the next two years? This has been on Google's plate for two years now and Mozilla followed suit soon after. It is a safe bet that where Google goes, WebKit will follow. I don't know what Microsoft's plans for Edge are, nor Apple's for Safari, but I expect that they have similar plans. Chrome has been warning about logins that use cleartext HTTP with a positive-confirmation pop-up since last September.

It is rapidly approaching the already far too long delayed day when unsecured HTTP won't be an option on the public Web.

Yeah, the browser warnings are scary. Additionally, I think that Google are starting to rank insecure websites lower in searches, which isn't a good thing.

_________________
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 8:39 am 

Joined: Thu Jul 12, 2012 7:29 am
Posts: 723
Location: Tallinn, Estonia
letsencrypt.org guys, but with Chase not paying much attention there's no redemption.

I could host this all myself but I guess proper migration will be a mess.

_________________
Learn to read.


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 8:41 am 

Joined: Fri Oct 27, 2006 9:42 am
Posts: 1925
Location: Athens, GA, USA
Yes, they have, it was mentioned earlier in the thread. But the plan is that eventually, sometime relatively soon, it won't use unsecured HTTP at all. The protocol itself - the base protocol for the Web throughout its lifetime up until now - is slated for removal on both of those browsers. They haven't announced cut-off dates, but it is expected to be sometime before October 2018 AFAIK.

_________________
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 9:26 am 

Joined: Wed Dec 01, 2010 3:41 am
Posts: 1761
Location: Hong Kong
The problem with Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated (requires some work). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on Chrome soon, which is scary for new people.


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 9:48 am 

Joined: Tue Aug 02, 2016 1:52 pm
Posts: 286
Location: East Riding of Yorkshire, UK
bluemoon wrote:
The problem with Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated (requires some work). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on Chrome soon, which is scary for new people.

I found the automation in Let's Encrypt to be really good. With nginx I just ran the script and added an entry into my crontab file. I think there's stuff in Let's Encrypt for Apache too so I presume it'd be similar.

_________________
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 11:33 am 

Joined: Wed Jun 17, 2015 9:40 am
Posts: 501
Location: Athens, Greece
Hi,


Speaking of Chase, do we know what's going on with him? It's been 18 months since his last login. Is it something to be concerned about (like some bad health status), or did he simply give up server administration? (I know that Brendan is the forum administrator currently, but what about the server administrator?)

If anyone knows, please shed some light on this.


Regards,
glauxosdever


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 1:36 pm 

Joined: Sat Jan 15, 2005 12:00 am
Posts: 8561
Location: At his keyboard!
Hi,

glauxosdever wrote:
Speaking of Chase, do we know what's going on with him? It's been 18 months since his last login. Is it something to be concerned about (like some bad health status), or did he simply give up server administration? (I know that Brendan is the forum administrator currently, but what about the server administrator?)

If anyone knows, please shed some light on this.


Chase is just busy doing other things (mostly involving Java as far as I can tell, based on some stalking that led to GitHub commits as recent as March 2017). I wouldn't be too surprised if he pops up when nobody is expecting it, makes a pile of changes/updates, then doesn't log in for another 18 months. :)


Cheers,

Brendan

_________________
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Thu May 04, 2017 2:15 pm 

Joined: Wed Jun 17, 2015 9:40 am
Posts: 501
Location: Athens, Greece
Hi,


Ok, this is encouraging. I was afraid something bad had happened to him.


Regards,
glauxosdever


 
 Post subject: Re: TLS for OSDev Website?
PostPosted: Fri May 05, 2017 12:20 am 

Joined: Thu Jul 12, 2012 7:29 am
Posts: 723
Location: Tallinn, Estonia
bluemoon wrote:
The problem with Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated (requires some work). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on Chrome soon, which is scary for new people.


There are nice good web servers (read: Caddy) that do the ENTIRE renewal process for you, automatically and with no work. I'm using it in prod and it works perfectly.

_________________
Learn to read.

