
HTTPS support on forums - is it permanent?

Posted: Wed Jul 02, 2014 9:37 pm
by barbaz
Title says it all. This would be really nice if so, then I won't have to worry any more about what I'm connected to when I log in (right?).

Re: HTTPS support on forums - is it permanent?

Posted: Wed Jul 02, 2014 10:47 pm
by Thrawn
I haven't heard anything, but I notice that the certificate is from StartCom, the same as secure.informaction.com. I'm going to guess that it's staying :).

Re: HTTPS support on forums - is it permanent?

Posted: Thu Jul 03, 2014 1:25 am
by Thrawn
Now this is interesting. The Perspectives addon indicates that the certificate has been visible at forums.informaction.com:443 for over a month. I guess it was enabled a while ago, except everyone was still using the HTTP version. And now that gets redirected.

However, someone must have been using the HTTPS version - and also using Perspectives - in order for the Perspectives notaries to have that history. I'm going to suppose that that someone is Giorgio.

Re: HTTPS support on forums - is it permanent?

Posted: Thu Jul 03, 2014 2:37 pm
by dhouwn
Yay finally, SSL all the things! ssllabs.com currently down, can't test it that way but I am sure the score won't be worst. :)

Re: HTTPS support on forums - is it permanent?

Posted: Thu Jul 03, 2014 3:31 pm
by Giorgio Maone
Yes, I was the one using it to be sure everything kept working as expected and noticed by Perspective, and yes SSL is here to stay.

Re: HTTPS support on forums - is it permanent?

Posted: Thu Jul 03, 2014 10:42 pm
by Thrawn
Sounds good :).

SSLLabs gives only a C, which appears to be mostly because it allows weak cipher suites - but modern Firefox won't use those ciphers anyway AFAICT.

And I guess we should have realised it was here to stay, because the server is using HSTS with a long duration :).

Thanks, Giorgio!
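To make "HSTS with a long duration" concrete, here is a small parser for the Strict-Transport-Security header (RFC 6797) with a configuration check on top of it. This is an added example, not code from the forum software or from Giorgio; the header values are constructed, not captured from forums.informaction.com, and the one-year threshold for calling a policy "long" is an assumption of this check.

```python
"""Parser and policy check for the Strict-Transport-Security header
(RFC 6797). Added example; sample header values are constructed and the
one-year "long enough" threshold is an assumption of this check."""

ONE_YEAR = 365 * 24 * 3600  # assumed threshold for a long-lived policy


def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool}, or None when a
    client must ignore the field: max-age missing or non-numeric, a directive
    repeated within the field, or a value given to the valueless
    includeSubDomains directive (RFC 6797 section 6.1)."""
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate a trailing ';'
        name, sep, arg = directive.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip().strip('"')      # max-age may be a quoted-string
        if name in seen:
            return None                   # duplicate directive: whole field invalid
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            if sep:
                return None               # includeSubDomains takes no value
            include_subdomains = True
        # unknown directives (e.g. preload) are permitted and ignored
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def assess_hsts(value, minimum=ONE_YEAR):
    """Classify a header value the way a server configuration check would."""
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "policy-removed"   # max-age=0 tells clients to forget the host
    if policy["max_age"] < minimum:
        return "short"
    return "long"


if __name__ == "__main__":
    # Constructed header values, not captured from any real server.
    for header in ("max-age=31536000; includeSubDomains",
                   "max-age=600",
                   "max-age=0",
                   "includeSubDomains",
                   "max-age=100; max-age=200"):
        print(f"{header!r}: {assess_hsts(header)}")
```

A "long" result is what makes the commitment credible: once a client has seen it, it will refuse plain HTTP to the host for that many seconds, so the operator cannot quietly go back without stranding visitors.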

Re: HTTPS support on forums - is it permanent?

Posted: Thu Jul 03, 2014 10:55 pm
by barbaz
Thank you so much for this enhancement Giorgio. This is awesome.

Only question now is, should I now change my password? I'm not sure whether the fact passwords I've sent over plain HTTP (on the network I've been logging in from) haven't been abused yet is good enough reason for me not to worry about it...
Thrawn wrote: SSLLabs gives only a C, which appears to be mostly because it allows weak cipher suites - but modern Firefox won't use those ciphers anyway AFAICT.
not all of us always use the most up-to-date browsers ;)
How old would the browser have to be to use a vulnerable cipher? IOW, what is the minimum Gecko version that wouldn't use vulnerable ciphers with a site like this in default configuration?

Re: HTTPS support on forums - is it permanent?

Posted: Fri Jul 04, 2014 7:47 pm
by dhouwn
Thrawn wrote: but modern Firefox won't use those ciphers anyway AFAICT.
But a MITM could downgrade to it, that's why it's counted as an issue of the server.

Ah also with HSTS, nice.

Re: HTTPS support on forums - is it permanent?

Posted: Sat Jul 05, 2014 11:35 am
by Thrawn
dhouwn wrote: But a MITM could downgrade to it, that's why it's counted as an issue of the server.
Nope, it can't. Firefox doesn't support those weak ciphers. Any attempt to downgrade to them would fail.

Now, if someone uses Internet Explorer 5.0 to access these forums, then yeah, they may be vulnerable. But for those of us living in 2014, all is well.

@barbaz I don't know exactly how old Gecko would have to be to use 40-bit ciphers, but the current crop of allowed cipher suites is way above that.

ETA: This post from 2007 suggests that 40-bit export ciphers were offered in Firefox 1.5, but not 2.0.
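The disagreement above comes down to how cipher-suite selection works, so here is a toy model of it as an added example (not code from the forum, from Firefox, or from the server). The suite lists are constructed for the illustration and are not a record of what forums.informaction.com or any Firefox version offered in 2014; the point it shows is that the server can only select a suite the client offered, which is why a modern client stays safe, while the server's weak entries remain a real finding for any legacy client that still offers them.

```python
"""Toy model of TLS cipher-suite selection. Added example with constructed
suite lists; not a record of any real server or browser configuration."""

# Constructed server configuration, in the server's order of preference.
# The last two entries are the kind of thing a scanner flags.
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",   # 40-bit "export" suite
]
# The same server with the weak suites removed.
HARDENED_SUITES = SERVER_SUITES[:2]

# Constructed client offers: a current browser omits weak suites entirely;
# a legacy client still lists them after its preferred ones.
MODERN_CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]
LEGACY_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_RSA_WITH_RC4_128_SHA",
                 "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]

WEAK_MARKERS = ("EXPORT", "RC4", "NULL", "DES")


def is_weak(suite):
    """Crude classification by suite name, sufficient for the example."""
    return any(marker in suite for marker in WEAK_MARKERS)


def negotiate(client_offer, server_prefs):
    """Server-preference selection: the first suite in the server's list that
    the client also offered, or None (handshake failure) if there is none."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def outcome(client_offer, server_prefs):
    """Compare the honest negotiation with the worst case, in which an on-path
    party can only *remove* entries from the client's offer. It cannot add a
    suite the client never implemented, and in real TLS the Finished messages
    authenticate the whole handshake transcript, so removals are detected
    unless the negotiated suite itself is breakable. 'weak_reachable' is
    therefore the question that matters for the server operator."""
    honest = negotiate(client_offer, server_prefs)
    reduced = [s for s in client_offer if is_weak(s)]
    worst = negotiate(reduced, server_prefs)
    return {"honest": honest, "worst_case": worst,
            "weak_reachable": worst is not None and is_weak(worst)}


if __name__ == "__main__":
    for label, client in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        for cfg, prefs in (("weak server", SERVER_SUITES), ("hardened", HARDENED_SUITES)):
            print(label, "vs", cfg, "->", outcome(client, prefs))
```

Against the weak server configuration the modern client can only ever land on a strong suite, which is Thrawn's point; the legacy client can be pushed down to RC4, which is why the scanner still counts the server's list as a finding. Removing the weak suites server-side turns that worst case into a failed handshake instead of a weak session.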

Re: HTTPS support on forums - is it permanent?

Posted: Wed Jul 30, 2014 2:13 pm
by dhouwn
Oh, I thought you meant RC4 in general, totally forgot about the export ciphers.

Re: HTTPS support on forums - is it permanent?

Posted: Fri Oct 17, 2014 2:05 am
by Thrawn
There's a new downgrade attack, POODLE, that makes SSL3 risky.

Of course, most of the people who log in here use NoScript, which would protect them from POODLE (because it needs JavaScript to work), but it's probably best to drop SSL3 if possible. Even Firefox 3.6.28 supports TLS 1.0 if I'm not mistaken, so this shouldn't break compatibility for supported clients.

Re: HTTPS support on forums - is it permanent?

Posted: Fri Oct 17, 2014 9:19 pm
by dhouwn
Therefore it's best to disable support for it on the client's side: https://support.mozilla.org/en-US/questions/1025663 or https://addons.mozilla.org/firefox/addo ... n-control/.
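The two mitigations in the last two posts (drop SSL 3.0 on the server, or refuse it in the browser) both work by removing the version a protocol-downgrade can land on. The following model of version negotiation and the old client-side "fallback" retry behaviour shows both outcomes side by side. It is an added example, not code from Firefox, the forum or any addon; version constants, client profiles and the failure model are constructed, and nothing in it talks to a real server.

```python
"""Toy model of TLS/SSL version negotiation plus the client-side fallback
retry that POODLE relies on. Added example with constructed profiles; it does
not contact any real server."""

SSL3, TLS10, TLS11, TLS12 = 0x300, 0x301, 0x302, 0x303
NAMES = {SSL3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

# Constructed server configurations.
LEGACY_SERVER = {SSL3, TLS10, TLS11, TLS12}   # still offers SSL 3.0
HARDENED_SERVER = {TLS10, TLS11, TLS12}       # SSL 3.0 disabled


def handshake(client_max, server_versions, broken):
    """One ClientHello advertising client_max. The server answers with the
    highest version it supports that is <= client_max. 'broken' models a
    network position that can make handshake attempts at those versions fail;
    to the client such a failure looks like an ordinary network error."""
    if client_max in broken:
        return None
    candidates = [v for v in server_versions if v <= client_max]
    return max(candidates) if candidates else None


def connect(client_max, client_min, server_versions, broken=frozenset(),
            insecure_fallback=True):
    """Return the version the session ends up on, or None if it fails.
    With insecure_fallback the client retries one version lower after any
    failure, which browsers of the period did for compatibility with broken
    middleboxes; client_min is the lowest version the client will accept."""
    version = client_max
    while version >= client_min:
        got = handshake(version, server_versions, broken)
        if got is not None:
            return got
        if not insecure_fallback:
            return None
        version -= 1
    return None


def scenario(server_versions, client_min=SSL3, client_max=TLS12, fallback=True):
    """Outcome on a clean network versus one where every TLS-version attempt
    is made to fail, leaving SSL 3.0 as the only version that can succeed."""
    all_tls_fail = frozenset({TLS12, TLS11, TLS10})
    return {
        "normal": NAMES.get(connect(client_max, client_min, server_versions,
                                    insecure_fallback=fallback)),
        "under_attack": NAMES.get(connect(client_max, client_min, server_versions,
                                          all_tls_fail, fallback)),
    }


if __name__ == "__main__":
    print("SSL3 on server, client accepts SSL3:", scenario(LEGACY_SERVER))
    print("SSL3 off on server:                 ", scenario(HARDENED_SERVER))
    print("SSL3 off in client:                 ", scenario(LEGACY_SERVER, client_min=TLS10))
    print("TLS1.0-only client vs hardened:     ",
          scenario(HARDENED_SERVER, client_min=TLS10, client_max=TLS10))
```

Either fix changes the attacked case from "session on SSLv3" to "no session at all", which is the safe failure. The last line models a client whose best version is TLS 1.0 (the Firefox 3.6 case mentioned above) and shows it still connects to a server that has dropped SSL 3.0, so the server-side change costs nothing for clients of that vintage.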

Re: HTTPS support on forums - is it permanent?

Posted: Sat Oct 25, 2014 4:10 am
by therube
Oh come on.
It is Mozilla who put out an extension to change a Pref (after I'm sure removed a GUI for the option to begin with - or at least never kept it current so that an end user would have something other than about:config to work with).

(And I had thought SSL was "deprecated" some time ago now?)