TLS for OSDev Website?

Questions, comments, and suggestions about this site should go here.
User avatar
Kazinsal
Member
Member
Posts: 559
Joined: Wed Jul 13, 2011 7:38 pm
Libera.chat IRC: Kazinsal
Location: Vancouver
Contact:

Re: TLS for OSDev Website?

Post by Kazinsal »

Hey, here's a cool thing -- I've worked with numerous PHP applications that sh!t the bed if you convert them from HTTP to HTTPS.

Also, I'm a network engineer. I deal with OSI and TCP/IP stack crap daily and get paid for it. I know what I'm talking about.
onlyonemac
Member
Member
Posts: 1146
Joined: Sat Mar 01, 2014 2:59 pm

Re: TLS for OSDev Website?

Post by onlyonemac »

It's still not that hard. In fact that's not even required, just recommended (as it prevents users from accidentally sending their existing authentication cookies over HTTP).
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.

Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing
SenorContento
Posts: 2
Joined: Thu Oct 06, 2016 10:08 am
Libera.chat IRC: SenorContento
Contact:

Re: TLS for OSDev Website?

Post by SenorContento »

I actually forgot about this until I just saw that another service I use has the same issue, but to answer your concern Kazinsal, while I don't doubt you have used a lot of PHP applications that would lose it if they had TLS implemented into it, I do know for a fact that one can use nginx to implement a proxy to any web based server. Last year, I had tested this when I created my own personal certificate authority and loaded up a Jekyll server over nginx on localhost. Jekyll has no knowledge about anything that is going on with encryption and gets the same headers as usual. An example I have just loaded for this post is located at https://pastebin.com/hEsV08Sn. The PHP server itself will never know the difference. Proof of this is a sample capture I took when loading https://duckduckgo.com/ on Firefox. The capture is located at https://pastebin.com/Yx2fW64G.
User avatar
dozniak
Member
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: TLS for OSDev Website?

Post by dozniak »

Kazinsal wrote:Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt.
It's exactly that simple - you tell reverse proxy to accept only https connections and add a server cert (or let letsencrypt install it) and that is exactly all that is needed, phpBB or not.

Are you sure you're a network engineer?
Learn to read.
User avatar
Schol-R-LEA
Member
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: TLS for OSDev Website?

Post by Schol-R-LEA »

Sorry to dredge up this long-dead thread, but I assume all of you are aware that two of the major browsers have deprecated unencrypted HTTP and are planning on dropping support for it in the next two years? This has been on Google's plate for two years now and Mozilla followed suit soon after. It is a safe bet that where Google goes, WebKit will follow. I don't know what Microsoft's plans for Edge are, nor Apple's for Safari, but I expect that they have similar plans. Chrome has been warning about logins that use cleartext HTTP with a positive-confirmation pop-up since last September.

It is rapidly approaching the already far too long delayed day when unsecured HTTP won't be an option on the public Web.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
User avatar
matt11235
Member
Member
Posts: 286
Joined: Tue Aug 02, 2016 1:52 pm
Location: East Riding of Yorkshire, UK

Re: TLS for OSDev Website?

Post by matt11235 »

Schol-R-LEA wrote:Sorry to dredge up this long-dead thread, but I assume all of you are aware that two of the major browsers have deprecated unencrypted HTTP and are planning on dropping support for it in the next two years? This has been on Google's plate for two years now and Mozilla followed suit soon after. It is a safe bet that where Google goes, WebKit will follow. I don't know what Microsoft's plans for Edge are, nor Apple's for Safari, but I expect that they have similar plans. Chrome has been warning about logins that use cleartext HTTP with a positive-confirmation pop-up since last September.

It is rapidly approaching the already far too long delayed day when unsecured HTTP won't be an option on the public Web.
Yeah the browser warnings are scary. Additionally I think that Google are starting to rank insecure websites lower in searches which isn't a good thing.
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum
User avatar
dozniak
Member
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: TLS for OSDev Website?

Post by dozniak »

letsencrypt.org guys, but with Chase not paying much attention there's no redemption.

I could host this all myself but I guess proper migration will be a mess.
Learn to read.
User avatar
Schol-R-LEA
Member
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: TLS for OSDev Website?

Post by Schol-R-LEA »

Yes, they have, it was mentioned earlier in the thread. But the plan is that eventually, sometime relatively soon, it won't use unsecured HTTP at all. The protocol itself - the base protocol for the Web throughout its lifetime up until now - is slated for removal on both of those browsers. They haven't announced cut-off dates, but it is expected to be sometime before October 2018 AFAIK.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
User avatar
bluemoon
Member
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: TLS for OSDev Website?

Post by bluemoon »

The problem of Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated(require some works). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on chrome soon, which is scary for new people.
User avatar
matt11235
Member
Member
Posts: 286
Joined: Tue Aug 02, 2016 1:52 pm
Location: East Riding of Yorkshire, UK

Re: TLS for OSDev Website?

Post by matt11235 »

bluemoon wrote:The problem of Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated(require some works). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on chrome soon, which is scary for new people.
I found the automation in Let's Encrypt to be really good. With nginx I just ran the script and added an entry into my crontab file. I think there's stuff in Let's Encrypt for Apache too so I presume it'd be similar.
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum
glauxosdever
Member
Member
Posts: 501
Joined: Wed Jun 17, 2015 9:40 am
Libera.chat IRC: glauxosdever
Location: Athens, Greece

Re: TLS for OSDev Website?

Post by glauxosdever »

Hi,


Speaking of chase, do we know what's going on with him? It's been 18 months since his last login. Is it something to be concerned about (like some bad health status), or just he simply gave up server administration? (I know that Brendan is the forum administrator currently, but what about the server administrator?)

If anyone knows, please shed some light about this.


Regards,
glauxosdever
User avatar
Brendan
Member
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!
Contact:

Re: TLS for OSDev Website?

Post by Brendan »

Hi,
glauxosdever wrote:Speaking of chase, do we know what's going on with him? It's been 18 months since his last login. Is it something to be concerned about (like some bad health status), or just he simply gave up server administration? (I know that Brendan is the forum administrator currently, but what about the server administrator?)

If anyone knows, please shed some light about this.
Chase is just busy doing other things (mostly involving Java as far as I can tell, based on some stalking that led to GIThub commits as recent as March 2017). I wouldn't be too surprised if pops up when nobody is expecting it, makes a pile of changes/updates, then doesn't log in for another 18 months. :)


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
glauxosdever
Member
Member
Posts: 501
Joined: Wed Jun 17, 2015 9:40 am
Libera.chat IRC: glauxosdever
Location: Athens, Greece

Re: TLS for OSDev Website?

Post by glauxosdever »

Hi,


Ok, this is encouraging. I was afraid something bad had happened to him.


Regards,
glauxosdever
User avatar
dozniak
Member
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: TLS for OSDev Website?

Post by dozniak »

bluemoon wrote:The problem of Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated(require some works). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on chrome soon, which is scary for new people.
There are nice good web servers (read: Caddy) that do ENTIRE renewal process for you, automatically and with no work. I'm using it in prod and it works perfectly.
Learn to read.
Post Reply