Enabling HTTPS?

XMIT · 11 Apr 2015, 13:40

I tried just now to visit an HTTPS version of a page, e.g.:

workshop-f7/tmk-keyboard-firmware-collection-t4478.html

I clicked through a warning for a dodgy certificate and saw this error:

404 Not Found
The server can not find the requested page:

deskthority.net/workshop-f7/tmk-keyboard-firmware-collection-t4478.html (port 443)
Please forward this error screen to deskthority.net's WebMaster.

What do we think? Should we enable HTTPS?

scottc · 11 Apr 2015, 14:01

I think that HTTPS is definitely a good idea. Even if shelling out to the SSL Mafia for a cert isn't an option right now, we could always use a service like StartSSL temporarily. At least we'd then have functional SSL for users that really wanted it.

bhtooefr · 11 Apr 2015, 14:28

The big thing with StartSSL is that a revocation is $25.

However, they're widely trusted, and as long as you don't need a wildcard cert, and you're fine with only having one cert per domain for free (that cert applying to a named server and to the apex domain, which would probably be fine for Deskthority)...

Myself, I'd say mandate HTTPS at least for sign-in, too, once it's enabled.

Also, when setting up HTTPS, make sure the CSR is generated with -sha256, and consider how much you want to support, right now some very insecure stuff is being supported: https://www.ssllabs.com/ssltest/analyze ... Results=on

At least disable SSLv3 (it'll break IE 6 on XP, but if someone's still using IE 6 on XP, they deserve to not get in), IMO.

SL89 · 11 Apr 2015, 14:47

I'd really like this.

Mal-2 · 11 Apr 2015, 20:09

I like the idea. I'm in favor of the idea that every site that can "go dark" to in-flight surveillance should do so. Piss in the fishbowl.

SL89 · 11 Apr 2015, 20:21

that and there is a lot of financial transactions that go on here.

XMIT · 11 Apr 2015, 20:24

I'm pro-HTTPS if this wasn't clear. Let's see what webwit says.

SL89 · 11 Apr 2015, 20:27

Same, and if donations are required to enable it (im not 100% on how one gets the proper certs) then I'd pony up.

wlhlm · 11 Apr 2015, 21:05

I'd like to see SSL implemented as well.

elecplus · 11 Apr 2015, 21:06

Me too. I will donate for the cost if necessary

webwit · 11 Apr 2015, 21:27

We have the money, just need to find some time. We need to move server sometime this year, that might be a good opportunity.

SL89 · 11 Apr 2015, 21:46

Good to know.

wlhlm · 22 Jun 2015, 12:43

webwit wrote: We have the money, just need to find some time. We need to move server sometime this year, that might be a good opportunity.

Now after the server move, how about enabling HTTPS? What's the status?

ramnes · 22 Jun 2015, 12:58

Just wait for free HTTPS certificates to come up, no need to rush. My data exchanged with DT isn't really secret anyway.

wlhlm · 22 Jun 2015, 13:05

Sure, Deskthority data doesn't demand the highest security, but I'm mainly interested in integrity. There are plenty of ISPs that tamper with your HTTP traffic, inserting ads for example.

XMIT · 22 Jun 2015, 13:40

I would feel a little better about all of the sales I do here with HTTPS enabled. I agree with the above points.

jou · 22 Jun 2015, 13:49

And not to forget it prevents session hijacking when on a public WiFi…

scottc · 20 Jul 2015, 14:55

SSL! SSL! SSL! SSL!

Muirium · 20 Jul 2015, 15:21

Who's paying for the certificate?

seebart · 20 Jul 2015, 15:23

The certificate costs...how much?

Muirium · 20 Jul 2015, 15:26

Hmm… Wikipedia flails its hands around in confusion:

Wikipedia wrote:Authoritatively signed certificates may be free[22][23] or cost between 8 USD[24] and 70 USD[25] per year (in 2012–2014).

I assumed they were in the region of hundreds to thousands per year, as with any effective toll on the internet. Anyway, I am not the one to implement stuff like this. My assigned rôle is more about coordinated grumbling, as you know.

XMIT · 20 Jul 2015, 15:30

Yes please. Isn't this the sort of thing club dues cover?

Muirium · 20 Jul 2015, 15:32

No, those are for the DT yacht. We'd need to bake cookies and hold a raffle for this one.

seebart · 20 Jul 2015, 15:36

Muirium wrote:My assigned rôle is more about coordinated grumbling, as you know.

Which you have mastered.

andrewjoy · 20 Jul 2015, 15:45

SSL would be awesome, 2048 bit as a minimum i would say.

Madhias · 20 Jul 2015, 15:57

Muirium wrote: Hmm… Wikipedia flails its hands around in confusion:
Wikipedia wrote:Authoritatively signed certificates may be free[22][23] or cost between 8 USD[24] and 70 USD[25] per year (in 2012–2014).
I assumed they were in the region of hundreds to thousands per year, as with any effective toll on the internet. Anyway, I am not the one to implement stuff like this. My assigned rôle is more about coordinated grumbling, as you know.

It depends what certificate options you choose and for how many subdomains, for example at Thawte one year ranges from € 99 to € 249. To see a domain with the green symbol in the browser bar costs more for example. At work we are using the cheapest one for the mail server, and I get permanent questions from users that the browser warns about a safety issue.

SL89 · 20 Jul 2015, 16:44

Madhias wrote:
Muirium wrote: Hmm… Wikipedia flails its hands around in confusion:
Wikipedia wrote:Authoritatively signed certificates may be free[22][23] or cost between 8 USD[24] and 70 USD[25] per year (in 2012–2014).
I assumed they were in the region of hundreds to thousands per year, as with any effective toll on the internet. Anyway, I am not the one to implement stuff like this. My assigned rôle is more about coordinated grumbling, as you know.
It depends what certificate options you choose and for how many subdomains, for example at Thawte one year ranges from € 99 to € 249. To see a domain with the green symbol in the browser bar costs more for example. At work we are using the cheapest one for the mail server, and I get permanent questions from users that the browser warns about a safety issue.

Our certificate expired at work, and I can't get the powers that be to listen about how neurotic that makes some users.

Muirium · 20 Jul 2015, 16:54

So, you guys are arguing in favour of bogging the site down with an awkward layer of TSA style security theatre that will wreck our experience on just the kind of vintage hardware we're into (I often visit on my PowerBook and very frequently on the iPad 1), that gives our sever something else to chew on with every page served (far as my limited technical understanding on encryption suggests) *and* that we have the honour of paying for on a routine basis, beholden to douchey troll firms that can name their price, who clearly do so with nonsense that trips up many users with browser warnings on lower cost certs?

Yeah, sounds great. We need all that! How did we ever survive until now!

andrewjoy · 20 Jul 2015, 16:55

Yeh its annoying , we use self signed for our open directory , but i am the only one who can tell

apple configuration profiles are awesome for that

.

On slowing stuff down. It will slow things down a little , but security is important.

bhtooefr · 20 Jul 2015, 17:46

Mind you, it won't be long before the web starts getting deprecated if HTTPS isn't being used, by Chrome and Firefox.

And by "deprecated", I mean that most likely JavaScript will end up disabled entirely, which will degrade the experience for the vast majority of users.

And, between StartCom (although they charge for revocation) and Let's Encrypt, it can be free.

And, I wouldn't take OS X before 10.10.4 (the only supported version, as there's at least one WONTFIX'd critical security vulnerability in OS X 10.9) - or any unsupported *nix - on the public Internet, at this time. And, isn't the iPad 1 stuck at an old unsupported iOS, too? So, that counts as an unsupported OS X too. 9.2.2 would actually be a safer bet online - even if it has no security model to speak of, it's not vulnerable to actual existing threats.