OSDev.org

The Place to Start for Operating System Developers
 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Wed Jan 09, 2019 5:22 am 
Member
Joined: Thu Jul 12, 2012 7:29 am
Posts: 723
Location: Tallinn, Estonia
MichaelFarthing wrote:
We hardly communicate much sensitive stuff. What next? Show your passport before you can take part in a pub chat?


For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.

_________________
Learn to read.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Wed Jan 09, 2019 6:06 am 
Member
Joined: Thu Mar 10, 2016 7:35 am
Posts: 167
Location: Lancaster, England, Disunited Kingdom
dozniak wrote:
MichaelFarthing wrote:
We hardly communicate much sensitive stuff. What next? Show your passport before you can take part in a pub chat?


For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.


Both of these things frighten me as much as losing a coin in the street or accidentally finding myself in a butcher's shop instead of a greengrocer's - though both of the internet problems are far less likely to actually happen.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Wed Jan 09, 2019 10:01 am 
Member
Joined: Thu Jul 12, 2012 7:29 am
Posts: 723
Location: Tallinn, Estonia
MichaelFarthing wrote:
Both of these things frighten me as much as losing a coin in the street


You maybe, but there are other people on the internets as well.

_________________
Learn to read.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Wed Jan 09, 2019 12:12 pm 
Member
Joined: Fri Oct 27, 2006 9:42 am
Posts: 1925
Location: Athens, GA, USA
MichaelFarthing wrote:
Why on Earth does it matter except that some large corporations are trying to bully everyone?


Because those large organizations can make the sites that don't use HTTPS inaccessible using most browsers. How many browsers do you know of that don't use one of the major engines? How many of those would you find usable with the majority of (usually lousy and bug-ridden, but that's another story) websites you have reason to go to?

Seriously, while they've pushed off the plans to make their browsers "all HTTPS all the time", all the major players are on board with the idea. As I understand it, there is serious thought by the IETF of deprecating unsecured HTTP entirely. The days when you could write a simple HTTP server and serve your own site are long over, for better or for worse.

Mind you, I am surprised it's taken this long, because honestly, the fact that it wasn't secured from the outset has been the source of endless problems. Sir Tim had no idea his baby would go as far as it did - he just thought it was a neat way to share pre-publication papers with people who weren't physically at CERN. Yea do many things come to pass fnord.

And at this point, the topic is moot; the forum has in fact switched over, as said already.

_________________
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Thu Jan 10, 2019 3:10 am 
Member
Joined: Thu Mar 10, 2016 7:35 am
Posts: 167
Location: Lancaster, England, Disunited Kingdom
What this says is that it matters because some large bully corporations say it does. It is true that sensitive websites need it. This is not one such.

It is necessary that the House of Commons, airports, prisons and Courts need security checks. Pubs don't.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Thu Jan 10, 2019 6:53 am 
Member
Joined: Sat Mar 31, 2012 3:07 am
Posts: 4591
Location: Chichester, UK
You wouldn't want people posting stuff you couldn't trust on an internet forum, would you. :wink:


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Thu Jan 10, 2019 8:41 am 
Member
Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7612
Location: Germany
MichaelFarthing wrote:
dozniak wrote:
For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.


Both of these things frighten me as much as losing a coin in the street or accidentally finding myself in a butcher's shop instead of a greengrocer's - though both of the internet problems are far less likely to actually happen.


That utter failure to actually think about, "what is the worst that can happen".

Just two variations on the identity theft part:

1) Someone posting insults and threats in your name. Believe it or not, those are actionable offenses in the real world, and all the evidence points to you as the offender. At the very least, your reputation will take a sharp dip.

2) Someone hijacking a moderator account and using it to corrupt or outright destroy content.

Perhaps "frighten" is not the right word, but it's certainly enough to be a bloody nuisance. How often, do you think, would chase be willing to restore vandalized content from backups or fight off lawsuits for stuff that's been injected here by malicious attackers before he says, "forget it, I am closing down the site"?

_________________
Every good solution is obvious once you've found it.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Thu Jan 10, 2019 9:33 am 
Member
Joined: Thu Mar 10, 2016 7:35 am
Posts: 167
Location: Lancaster, England, Disunited Kingdom
Well it's managed upwards of 10 years I think?


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Thu Jan 10, 2019 11:24 am 
Member
Joined: Fri Oct 27, 2006 9:42 am
Posts: 1925
Location: Athens, GA, USA
MichaelFarthing wrote:
What this says is that it matters because some large bully corporations say it does. It is true that sensitive websites need it. This is not one such.

It is necessary that the House of Commons, airports, prisons and Courts need security checks. Pubs don't.


Conversations in pubs don't linger decades after you are dead (OK, so that's shifting the topic a bit, as HTTP/HTTPS connections are potentially just as ephemeral as personal conversations, but whatever.) And I'll bet that if you thought your brother-in-law was in earshot, you'd be more guarded in your words than if it was just you and some friends whom you trusted, even if you didn't have any secrets to hide from your wife.

More importantly, just because you are being pressured to do something that is itself a good idea doesn't mean it isn't a good idea.

An oft-repeated (and equally often misconstrued) truism of the RISKS list goes, if you are only encrypting what you want to hide, all it does is wave a flag saying, "here's the secret stuff!". Even if privacy isn't a concern right now, it is a concern at other times, and going from not hiding things to hiding them is by itself crucial signals intel should anyone have a reason to listen in (they rarely do, at least on individuals; most of the really important data is in tracking demographic trends, not the activities of specific individuals - that is, they don't care what Joe Blow had for dinner last night, but they do care that 10,000 in his hometown had Burger King compared to 12,000 who had McDonald's).

(Though to be fair, it has been years since I've read RISKS on a regular basis. I also want to point to the tangentially related topic of spread-spectrum transmission and frequency hopping, but that's going too far afield so I'll just give those links for others to follow up on; suffice it to say, it's important enough that even your Bluetooth headphones both encrypt your data and frequency hop, regardless of whether the data itself is important or not.)

As I said, this is something which would have been an intrinsic part of the Web from the outset, had anyone thought about it. It is appalling that cleartext HTTP transmissions were ever a thing in the first place - though admittedly, it is unlikely that it would have exploded the way it did if the bar for implementing a webserver had been higher early on, it would have put a much higher computation cost on things which would have been onerous for the hardware of the time, and there would have been political pushback on it (given the way governments were about encryption at the time - much worse than they are today, and that's saying a lot), so it's not a clear-cut matter in some ways.

_________________
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Thu Jan 10, 2019 12:18 pm 
Member
Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7612
Location: Germany
MichaelFarthing wrote:
Well it's managed upwards of 10 years I think?


You really want to field "it worked so far" as a genuine argument in a discussion? :shock:

_________________
Every good solution is obvious once you've found it.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Thu Jan 10, 2019 2:30 pm 
Member
Joined: Wed Aug 30, 2017 8:24 am
Posts: 1593
Schol-R-LEA wrote:
Seriously, while they've pushed off the plans to make their browsers "all HTTPS all the time", all the major players are on board with the idea. As I understand it, there is serious thought by the IETF of deprecating unsecured HTTP entirely. The days when you could write a simple HTTP server and serve your own site are long over, for better or for worse.


Yeah, and it appears that these people have absolutely no clue what they are doing with that. The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.

_________________
Carpe diem!


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Fri Jan 11, 2019 1:52 am 
Member
Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7612
Location: Germany
nullplan wrote:
The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.


Curious. I usually get a message along the lines of "this WiFi network requires authentication" automatically as the WiFi connection is established -- i.e. before I even open a browser. At which point I am taken to a webpage where I can accept or decline the terms of service, and acknowledge the login.

In fact the only times I've seen HTTP intercept the way you described was with, let's say, "homegrown" installations.

So I guess the way "this is generally accomplished" is a bit more sophisticated than intercepting your first HTTP request. :wink:

_________________
Every good solution is obvious once you've found it.


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Sat Jan 12, 2019 10:13 am 
Member
Joined: Thu May 17, 2007 1:27 pm
Posts: 999
Solar wrote:
So I guess the way "this is generally accomplished" is a bit more sophisticated than intercepting your first HTTP request. :wink:

I don't think that's the case. In my experience, it works the way that nullplan explained. However, modern OSes know that it works that way and do an HTTP request to trigger the portal. For example, Android checks http://connectivitycheck.gstatic.com/generate_204 (and shows the "this WiFi network requires a login" message if the request does not return the expected 204).

_________________
managarm: Microkernel-based OS capable of running a Wayland desktop (Discord: https://discord.gg/7WB6Ur3). My OS-dev projects: [mlibc: Portable C library for managarm, qword, Linux, Sigma, ...] [LAI: AML interpreter] [xbstrap: Build system for OS distributions].


 Post subject: Re: Why isn't the wiki/forum using HTTPS ?
PostPosted: Mon Jan 14, 2019 6:09 pm 
Site Admin
Joined: Wed Oct 20, 2004 10:46 pm
Posts: 684
Location: Texas
nullplan wrote:
The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.


I use http://neverssl.com/ for that.

Edit: Little bit more about what Korona mentioned, what they do is try to load a known http:// URL when connecting to a wifi network and if they get back a response other than expected then the network probably requires a login. Here is a list of the URLs that various OSes/Devices use - https://enterprisenetworkingatlarge.wor ... p-vendors/
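
The connectivity probe described in the last few posts, as an added example that is not part of the original thread: a plaintext HTTP request that expects an empty 204 and treats any other answer as a portal intercepting port 80. The loopback servers, the `portal.example` login URL and all function names are constructed for illustration; a real client would send the probe to its vendor's check URL.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def classify(status, location, body_len):
    """The probe URL must answer with an empty 204; anything else was injected."""
    if status == 204 and body_len == 0:
        return ("open", None)
    if status in (301, 302, 303, 307, 308) and location:
        return ("captive_portal", location)  # redirected to the login page
    return ("captive_portal", None)          # response rewritten in place

def probe(url, timeout=3.0):
    """GET url over plain HTTP without following redirects, then classify."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"), len(resp.read()))
    except (OSError, http.client.HTTPException):
        return ("no_connectivity", None)
    finally:
        conn.close()

class CleanNetwork(BaseHTTPRequestHandler):   # constructed: unfiltered network
    def do_GET(self):
        self.send_response(204)
        self.end_headers()
    def log_message(self, *args):             # keep the demo quiet
        pass

class PortalNetwork(CleanNetwork):            # constructed: portal hijacking port 80
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "http://portal.example/login")
        self.end_headers()

def demo():
    results = []
    for handler in (CleanNetwork, PortalNetwork):
        with HTTPServer(("127.0.0.1", 0), handler) as srv:  # ephemeral loopback port
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            results.append(probe(f"http://127.0.0.1:{srv.server_port}/generate_204"))
            srv.shutdown()
    return results

if __name__ == "__main__":
    print(demo())
```

The probe has to be plain HTTP for this to work: a portal cannot rewrite an HTTPS response without causing a certificate error, which is why sites that force HTTPS no longer trigger the login page.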

