Enabling HTTPS?

andrewjoy

20 Jul 2015, 17:50

10.9 is not supported, that's crazy!

Muirium
µ

20 Jul 2015, 18:06

See what I mean? We're considering actual showstopper levels of service reduction in exchange for a hypothetical "security" improvement. Just like how taking off your belt and shoes at the airport prevents 9/11 after the fact. Except in our case there wasn't even a disaster to trigger the panic. Aren't unfalsifiable bogeymen arguments awesome!!

andrewjoy

20 Jul 2015, 19:37

I can understand that, would it be possible to have it as an option in the user menu, and then everyone is happy.

I sometimes like to browse in a text mode browser so I would not like to lose that.


EDIT

And this is why: look at the memory usage for Chrome, and that's with ONE tab open. Compared to even the graphical mode of links.
[Attachment: Capture.JPG]

EDIT2

And Skype, 72 fucking meg of RAM whilst it's idle, that's insane! I know I have 8 GB of RAM but that's not the point.

webwit
Wild Duck

20 Jul 2015, 20:51

Maybe the club members can figure out which certificate to buy from which provider? Must be in Europe. One domain, no sub domains. Doesn't have to be the cheapest option, nor should it be too expensive.

Muirium
µ

20 Jul 2015, 20:53

I suggest NULL. They're pretty cost effective at $0, all in.

scottc

20 Jul 2015, 20:59

andrewjoy wrote: And this is why: look at the memory usage for Chrome, and that's with ONE tab open. Compared to even the graphical mode of links.
Links still looks like shit though. I'd have kept it in text mode! :P

webwit
Wild Duck

20 Jul 2015, 21:01

Note that it will be harder to make it optional. The easy method is to simply rewrite everything on deskthority.net starting with http to https, with an Apache rewrite rule. I.e. pages, embedded images, links, everything.

scottc

20 Jul 2015, 21:04

Why not just copy the same config to an HTTPS block listening on port 443? I haven't really written Apache configs in a while (I mostly just use Puppet these days) but it should definitely be possible.

Edit: Unless it's some sort of phpBB incompatibility (like not using // in their URLs) or some SEO thing that I don't know about.

SL89

20 Jul 2015, 21:17

@Muirium, you have seemed extra cranky lately, is everything OK?

Muirium
µ

20 Jul 2015, 21:29

Yeah. Everyone gets irritable in Scottish summer…
[Attachment: Screen Shot 2015-07-20 at 7.23.59 pm.png]
Re: HTTPS, I dread the strings attached. The overwhelming support people were giving for going gung-ho on page 1 makes me uneasy indeed. I don't want even more forced upgrades just to be able to do the same things tomorrow as I do just fine today.

webwit
Wild Duck

20 Jul 2015, 21:48

scottc wrote: Why not just copy the same config to an HTTPS block listening on port 443? I haven't really written Apache configs in a while (I mostly just use Puppet these days) but it should definitely be possible.
If I'm on https and someone posted a link earlier like this which I click on, or if I follow a http link from google, it shouldn't jump from https to http. The easiest way to solve these and other such issues is to simply rewrite everything to https. Otherwise I'd have to pass everything past a php router script, which checks stuff like your http(s) preference. I'd rather not fire up an extra php instance for each request.

If I'm correct the performance issues are of yesteryear. The clients were never a problem I think. The servers were a potential bottleneck (it has to handle encoded traffic with all clients) and the page load speed, as negotiating takes more time and more bandwidth is needed. The servers of today, and in particular our server, can handle it fine, it has plenty of spare ram and cpu capacity. The bandwidth is usually fine, most people have high speed connections. Negotiating times could be better as we don't have, for example, optimised images into css sprites or similar techniques, in other words there are plenty of requests in a single page load.

SL89

20 Jul 2015, 21:52

Muirium wrote: Re: HTTPS, I dread the strings attached. The overwhelming support people were giving for going gung-ho on page 1 makes me uneasy indeed. I don't want even more forced upgrades just to be able to do the same things tomorrow as I do just fine today.
Ok so in your use case things are just dandy as is... But what about the rest of the club members, whose personal information / financial information and whatnot pass through the site? I know you are chairman and all but surely the voices of the club members and users are in some way indicative of the desired changes. You seem to think there is some TSA level amount of bullshit or strings attached, but from where have you garnered that viewpoint? You would still be able to use http if you wanted to Mu, nobody would force you to switch to https, so you can continue to use your dated browsers with no strings attached?

Muirium
µ

20 Jul 2015, 21:55

Look at the post before yours. Webwit is talking about a complete switch.

SL89

20 Jul 2015, 21:58

He said it was the easier option, not the only one.

Muirium
µ

20 Jul 2015, 22:04

Easy usually wins.

If HTTPS can be buried away as a purely optional, never going to get in your face unless you ask for it, per-user opt-in feature of the site, and we don't get ripped off with a dodgy certificate, then I've no objection. But that's quite a lot to ask! Even more to implement. And then we're still in some relationship with a certificate authority which can be bought by douchebags at any point, making things most unpleasant overnight. External dependencies are not to be taken lightly.

SL89

20 Jul 2015, 22:06

Then I have no choice but to desist and defer to you.

Muirium
µ

20 Jul 2015, 22:08

This is Webwit's call. I've no execute power that I'm aware of! Although I could really misuse that stuff if I did…

webwit
Wild Duck

20 Jul 2015, 22:15

I'm eating pintxos in San Sebastian. Can't pick this up until back from holiday. This is a democratic club anyway. You guys bitch it out, start a club vote if necessary, and let me know.

SL89

20 Jul 2015, 22:39

I am in no hurry to get it implemented. Idek who necro'd the thread anyway. Enjoy your vaca Webwit.

scottc

20 Jul 2015, 22:48

SL89 wrote: I am in no hurry to get it implemented. Idek who necro'd the thread anyway. Enjoy your vaca Webwit.
I did, because I'm already very uneasy about doing transactions etc. over DT without HTTPS enabled. Not to mention logging in. Any concerns about HTTPS are ludicrous unless you're using IE6 on Windows XP.

We can pick it up after Webwit's back from holiday anyway. Didn't mean to interrupt!

Muirium
µ

20 Jul 2015, 23:04

Uneasy? You're a regular. Hasn't put you off until now. What's different? All I'm hearing is people appealing to a nebulous concept of "security" in just the same way as politicians do when they want to ruin simple things and pin the blame on… right, "security".

Honest question: Have we ever seen a user account stolen? Or a single piece of private information?

I certainly have seen shitty HTTPS at large. Remember when that whole certificate root registrar (or insert the actual terminology) was hacked a few years back and a good part of the Internet broke, throwing up countless invalid certificate dialogs at millions of irritated users worldwide for months? Why did we miss out on that!

Edit: it was DigiNotar. Affected a huge swathe of stuff, as these certificate vendors routinely trade junk with each other. Dependencies all the way down. Yuck!

Anyway, I'm not completely anti HTTPS. But I am vehemently against requiring it.

SL89

20 Jul 2015, 23:18

So your argument is that because it hasn't happened, it won't happen?

edit: your not you're

Muirium
µ

20 Jul 2015, 23:19

And yours is prove the unprovable. Yup!

SL89

20 Jul 2015, 23:24

I'm not sure what I have to prove exactly, can you be specific?

I never gave a specific reason as to why I wanted it, if you go back and read anything that I've said.

Muirium
µ

20 Jul 2015, 23:27

I'll just reiterate myself too: I'm fine with *optional* HTTPS for the site. Because I won't use it. And I'm certainly not implementing it either!

Anything mandatory though will get me swinging heavy objects about.

SL89

20 Jul 2015, 23:33

OK... I'm not sure how that means I have to prove the unprovable... or answered my questions... so never mind I guess?

I totally agree about the mandatory bit regardless. Nothing should be mandatory. But ultimately it's not up to us as individuals, it's up to the collective will.

Muirium
µ

20 Jul 2015, 23:42

Yes. And collective will is the sum of everyone's outspokenness!

By the way, you've got the polarity wrong on what I meant by prove the unprovable. I mean you set me that challenge. How am I to prove that we'll never have user accounts stolen by moustache twiddling cyberterrorists or barbershop singers? My argument was that we're balancing a hypothetical risk against a known non-zero hassle which contains its own hypothetical risks along the line. And I don't think we're going to get anywhere chasing our tails on the issue. We agree on the vital part: opt in. Nuff said.

webwit
Wild Duck

21 Jul 2015, 00:14

Opt-in is not an option I'm afraid. There are only two pills: on or off for everyone. Opt-in requires solving design issues such as default scenarios for users, guests, Google, etc., user control panel modifications, and many modifications in the phpBB code or building some kind of router to handle two scenarios based on either reading out a cookie setting or user settings from the database. Considering the phpBB code base, it's error prone and there won't be an army of volunteers coming forward to do it. Basically we're not a web developing community, we're a keyboard community. We're not equipped for this kind of sophistication, we don't have a web development team ready to implement this. On or off for everybody is relatively simple however, with two virtual hosts (on port 80 and 443) and a set of rewrite rules where an attempt to access one forwards to the other.

Muirium
µ

21 Jul 2015, 00:19

Well, you know which side I'm on.

chzel

21 Jul 2015, 01:03

Which side are you on boy?
Just kidding, you made your point clear enough!
I'm not too fond of full-on https either.

Just an idea, I don't know if it's feasible or if it has any point, but could we enable https on select pages (login, PMs) and not on the general area?
I'm pretty sure no-one shares private info out in the open, so securing just the login and PMs should be enough security-wise.
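The "on for everybody" setup webwit describes (a port 80 virtual host whose only job is to forward to the port 443 one) written out as an Apache config. This is an added illustration, not deskthority.net's real configuration; the hostname, document root and certificate paths are placeholders, and it assumes mod_rewrite, mod_ssl and mod_headers are loaded.

```apache
# Added example, not the site's own config. Assumes mod_rewrite, mod_ssl
# and mod_headers are enabled; paths and hostnames below are placeholders.

<VirtualHost *:80>
    ServerName example-forum.test
    ServerAlias www.example-forum.test

    # The plain-HTTP vhost serves nothing itself: every request, including
    # old http:// links from other posts or from a search engine, is sent
    # with a 301 to the same path on the HTTPS vhost.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://example-forum.test%{REQUEST_URI} [R=301,L,NE]
</VirtualHost>

<VirtualHost *:443>
    ServerName example-forum.test
    ServerAlias www.example-forum.test
    DocumentRoot /var/www/example-forum

    # Placeholder certificate and key paths. On Apache 2.4.8 and later the
    # intermediate chain can simply be appended to the certificate file.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example-forum.test.crt
    SSLCertificateKeyFile /etc/ssl/private/example-forum.test.key

    # Once a browser has seen this header it rewrites later http:// links
    # to https:// on its own, so the 301 above is only hit by first visits
    # and by clients that ignore HSTS.
    Header always set Strict-Transport-Security "max-age=31536000"

    # The existing site configuration moves here unchanged.
    <Directory /var/www/example-forum>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

phpBB also has to be told to generate https:// links itself (its "server protocol" board setting), otherwise embedded images and internal links keep bouncing through the 301. Securing only the login and PM pages, as suggested above, still sends the phpBB session cookie over plain HTTP on every other page, which is why the redirect-everything form is the one that actually protects the login.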
