Enabling HTTPS?

Posted: 11 Apr 2015, 13:40
by XMIT
I tried just now to visit an HTTPS version of a page, e.g.:

workshop-f7/tmk-keyboard-firmware-collection-t4478.html

I clicked through a warning for a dodgy certificate and saw this error:

404 Not Found
The server can not find the requested page:

deskthority.net/workshop-f7/tmk-keyboard-firmware-collection-t4478.html (port 443)
Please forward this error screen to deskthority.net's WebMaster.


What do we think? Should we enable HTTPS?

Posted: 11 Apr 2015, 14:01
by scottc
I think that HTTPS is definitely a good idea. Even if shelling out to the SSL Mafia for a cert isn't an option right now, we could always use a service like StartSSL temporarily. At least we'd then have functional SSL for users that really wanted it.

Posted: 11 Apr 2015, 14:28
by bhtooefr
The big thing with StartSSL is that a revocation is $25.

However, they're widely trusted, and as long as you don't need a wildcard cert, and you're fine with only having one cert per domain for free (that cert applying to a named server and to the apex domain, which would probably be fine for Deskthority)...

Myself, I'd say mandate HTTPS at least for sign-in, too, once it's enabled.

Also, when setting up HTTPS, make sure the CSR is generated with -sha256, and consider how much you want to support, right now some very insecure stuff is being supported: https://www.ssllabs.com/ssltest/analyze ... Results=on

At least disable SSLv3 (it'll break IE 6 on XP, but if someone's still using IE 6 on XP, they deserve to not get in), IMO.
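
The CSR and key-size advice above, worked through as an added example; this is not code from the original thread or from Deskthority's own setup. It assumes the `openssl` command-line tool (1.1.1 or later, for `-addext`) and uses the placeholder hostname `www.deskthority.example`; a 2048-bit RSA key is the assumed minimum.

```shell
#!/bin/sh
# Added example (not from the thread): make a 2048-bit RSA key and a
# SHA-256 signed CSR, then check both before handing the CSR to a CA.
# Assumes openssl 1.1.1+ on PATH. Hostnames are placeholders.

# gen_key_and_csr DIR HOST
# Writes DIR/server.key and DIR/server.csr. The SAN lists HOST and the
# apex domain, the one-cert-covers-both shape a free single-domain
# certificate usually has.
gen_key_and_csr() {
    dir="$1"; host="$2"
    apex="$(printf '%s' "$host" | sed 's/^www\.//')"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # -sha256: the digest on the request is the one thing the requester
    # controls; an MD5 or SHA-1 CSR is the classic way to end up with a
    # certificate browsers refuse.
    openssl req -new -sha256 \
        -key "$dir/server.key" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:$apex" \
        -out "$dir/server.csr"
}

# csr_sig_alg FILE -> prints the CSR's signature algorithm
csr_sig_alg() {
    openssl req -in "$1" -noout -text | grep -m1 'Signature Algorithm:' | awk '{print $3}'
}

# csr_key_bits FILE -> prints the RSA modulus size of the CSR's public key
csr_key_bits() {
    openssl req -in "$1" -noout -text | grep -m1 'Public-Key:' | tr -dc '0-9'
}

# csr_sans FILE -> prints the DNS names requested in the SAN extension
csr_sans() {
    openssl req -in "$1" -noout -text | grep -m1 'DNS:' | tr -d ' '
}

# check_csr FILE -> 0 if SHA-2 signed with a key of at least 2048 bits, else 1
check_csr() {
    alg="$(csr_sig_alg "$1")"
    bits="$(csr_key_bits "$1")"
    case "$alg" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
        *) echo "weak or unexpected signature algorithm: $alg" >&2; return 1 ;;
    esac
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: $bits bits" >&2; return 1; }
    echo "OK: $alg, $bits-bit key, SANs: $(csr_sans "$1")"
}

# protocol_enabled HOST PORT PROTO -> 0 if the server completes a handshake
# with that protocol, e.g. protocol_enabled deskthority.example 443 ssl3
# After disabling SSLv3 this should fail; it also fails (harmlessly) when
# the local openssl was built without that protocol at all.
protocol_enabled() {
    openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null >/dev/null 2>&1
}
```

Typical use is `d=$(mktemp -d); gen_key_and_csr "$d" www.deskthority.example; check_csr "$d/server.csr"`, then submit `server.csr` to the CA and keep `server.key` off any shared host. The checks run on the CSR rather than the issued certificate because the request is the last point at which the key size and digest are still the requester's decision.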

Posted: 11 Apr 2015, 14:47
by SL89
I'd really like this.

Posted: 11 Apr 2015, 20:09
by Mal-2
I like the idea. I'm in favor of the idea that every site that can "go dark" to in-flight surveillance should do so. Piss in the fishbowl.

Posted: 11 Apr 2015, 20:21
by SL89
That, and there are a lot of financial transactions that go on here.

Posted: 11 Apr 2015, 20:24
by XMIT
I'm pro-HTTPS if this wasn't clear. Let's see what webwit says.

Posted: 11 Apr 2015, 20:27
by SL89
Same, and if donations are required to enable it (I'm not 100% on how one gets the proper certs) then I'd pony up.

Posted: 11 Apr 2015, 21:05
by wlhlm
I'd like to see SSL implemented as well.

Posted: 11 Apr 2015, 21:06
by elecplus
Me too. I will donate for the cost if necessary :-)

Posted: 11 Apr 2015, 21:27
by webwit
We have the money, just need to find some time. We need to move server sometime this year, that might be a good opportunity.

Posted: 11 Apr 2015, 21:46
by SL89
Good to know.

Posted: 22 Jun 2015, 12:43
by wlhlm
webwit wrote: We have the money, just need to find some time. We need to move server sometime this year, that might be a good opportunity.
Now after the server move, how about enabling HTTPS? What's the status? :twisted:

Posted: 22 Jun 2015, 12:58
by ramnes
Just wait for free HTTPS certificates to come up, no need to rush. My data exchanged with DT isn't really secret anyway.

Posted: 22 Jun 2015, 13:05
by wlhlm
Sure, Deskthority data doesn't demand the highest security, but I'm mainly interested in integrity. There are plenty of ISPs that tamper with your HTTP traffic, inserting ads for example.

Posted: 22 Jun 2015, 13:40
by XMIT
I would feel a little better about all of the sales I do here with HTTPS enabled. I agree with the above points.

Posted: 22 Jun 2015, 13:49
by jou
And not to forget it prevents session hijacking when on a public WiFi…

Posted: 20 Jul 2015, 14:55
by scottc
SSL! SSL! SSL! SSL!

Posted: 20 Jul 2015, 15:21
by Muirium
Who's paying for the certificate?

Posted: 20 Jul 2015, 15:23
by seebart
The certificate costs...how much?

Posted: 20 Jul 2015, 15:26
by Muirium
Hmm… Wikipedia flails its hands around in confusion:
Wikipedia wrote: Authoritatively signed certificates may be free[22][23] or cost between 8 USD[24] and 70 USD[25] per year (in 2012–2014).
I assumed they were in the region of hundreds to thousands per year, as with any effective toll on the internet. Anyway, I am not the one to implement stuff like this. My assigned rôle is more about coordinated grumbling, as you know.

Posted: 20 Jul 2015, 15:30
by XMIT
Yes please. Isn't this the sort of thing club dues cover?

Posted: 20 Jul 2015, 15:32
by Muirium
No, those are for the DT yacht. We'd need to bake cookies and hold a raffle for this one.

Posted: 20 Jul 2015, 15:36
by seebart
Muirium wrote:My assigned rôle is more about coordinated grumbling, as you know.
Which you have mastered. :P

Posted: 20 Jul 2015, 15:45
by andrewjoy
SSL would be awesome, 2048-bit as a minimum, I would say.

Posted: 20 Jul 2015, 15:57
by Madhias
Muirium wrote: Hmm… Wikipedia flails its hands around in confusion:
Wikipedia wrote: Authoritatively signed certificates may be free[22][23] or cost between 8 USD[24] and 70 USD[25] per year (in 2012–2014).
I assumed they were in the region of hundreds to thousands per year, as with any effective toll on the internet. Anyway, I am not the one to implement stuff like this. My assigned rôle is more about coordinated grumbling, as you know.
It depends what certificate options you choose and for how many subdomains; for example, at Thawte one year ranges from € 99 to € 249. To see a domain with the green symbol in the browser bar costs more, for example. At work we are using the cheapest one for the mail server, and I get constant questions from users because the browser warns about a safety issue.

Posted: 20 Jul 2015, 16:44
by SL89
Madhias wrote:
Muirium wrote: Hmm… Wikipedia flails its hands around in confusion:
Wikipedia wrote: Authoritatively signed certificates may be free[22][23] or cost between 8 USD[24] and 70 USD[25] per year (in 2012–2014).
I assumed they were in the region of hundreds to thousands per year, as with any effective toll on the internet. Anyway, I am not the one to implement stuff like this. My assigned rôle is more about coordinated grumbling, as you know.
It depends what certificate options you choose and for how many subdomains; for example, at Thawte one year ranges from € 99 to € 249. To see a domain with the green symbol in the browser bar costs more, for example. At work we are using the cheapest one for the mail server, and I get constant questions from users because the browser warns about a safety issue.
Our certificate expired at work, and I can't get the powers that be to listen about how neurotic that makes some users.

Posted: 20 Jul 2015, 16:54
by Muirium
So, you guys are arguing in favour of bogging the site down with an awkward layer of TSA-style security theatre that will wreck our experience on just the kind of vintage hardware we're into (I often visit on my PowerBook and very frequently on the iPad 1), that gives our server something else to chew on with every page served (as far as my limited technical understanding of encryption suggests) *and* that we have the honour of paying for on a routine basis, beholden to douchey troll firms that can name their price, who clearly do so with nonsense that trips up many users with browser warnings on lower-cost certs?

Yeah, sounds great. We need all that! How did we ever survive until now!

Posted: 20 Jul 2015, 16:55
by andrewjoy
Yeah, it's annoying. We use self-signed for our Open Directory, but I am the only one who can tell :) Apple configuration profiles are awesome for that :).

On slowing stuff down: it will slow things down a little, but security is important.

Posted: 20 Jul 2015, 17:46
by bhtooefr
Mind you, it won't be long before the web starts getting deprecated if HTTPS isn't being used, by Chrome and Firefox.

And by "deprecated", I mean that most likely JavaScript will end up disabled entirely, which will degrade the experience for the vast majority of users.

And, between StartCom (although they charge for revocation) and Let's Encrypt, it can be free.

And, I wouldn't take OS X before 10.10.4 (the only supported version, as there's at least one WONTFIX'd critical security vulnerability in OS X 10.9) - or any unsupported *nix - on the public Internet, at this time. And, isn't the iPad 1 stuck at an old unsupported iOS, too? So, that counts as an unsupported OS X too. 9.2.2 would actually be a safer bet online - even if it has no security model to speak of, it's not vulnerable to actual existing threats.