HTTPS support on forums - is it permanent?
title says it all. This would be really nice if so, then I won't have to worry any more about what I'm connected to when I log in (right?).
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:30.0) Gecko/20100101 Firefox/30.0 SeaMonkey/2.27a2
Re: HTTPS support on forums - is it permanent?
I haven't heard anything, but I notice that the certificate is from StartCom, the same as secure.informaction.com. I'm going to guess that it's staying.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:30.0) Gecko/20100101 Firefox/30.0
Re: HTTPS support on forums - is it permanent?
Now this is interesting. The Perspectives addon indicates that the certificate has been visible at forums.informaction.com:443 for over a month. I guess it was enabled a while ago, except everyone was still using the HTTP version. And now that gets redirected.
However, someone must have been using the HTTPS version - and also using Perspectives - in order for the Perspectives notaries to have that history. I'm going to suppose that that someone is Giorgio.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Re: HTTPS support on forums - is it permanent?
Yay finally, SSL all the things! ssllabs.com is currently down, so I can't test it that way, but I am sure the score won't be the worst.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
- Giorgio Maone
- Site Admin
Re: HTTPS support on forums - is it permanent?
Yes, I was the one using it to be sure everything kept working as expected and noticed by Perspectives, and yes SSL is here to stay.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Re: HTTPS support on forums - is it permanent?
Sounds good.
SSLLabs gives only a C, which appears to be mostly because it allows weak cipher suites - but modern Firefox won't use those ciphers anyway AFAICT.
And I guess we should have realised it was here to stay, because the server is using HSTS with a long duration.
Thanks, Giorgio!
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Re: HTTPS support on forums - is it permanent?
Thank you so much for this enhancement Giorgio. This is awesome.
Only question now is, should I now change my password? I'm not sure whether the fact passwords I've sent over plain HTTP (on the network I've been logging in from) haven't been abused yet is good enough reason for me not to worry about it...
Thrawn wrote: SSLLabs gives only a C, which appears to be mostly because it allows weak cipher suites - but modern Firefox won't use those ciphers anyway AFAICT.
not all of us always use the most up-to-date browsers
How old would the browser have to be to use a vulnerable cipher? IOW, what is the minimum Gecko version that wouldn't use vulnerable ciphers with a site like this in default configuration?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:30.0) Gecko/20100101 Firefox/30.0 SeaMonkey/2.27a2
Re: HTTPS support on forums - is it permanent?
Thrawn wrote: but modern Firefox won't use those ciphers anyway AFAICT.
But a MITM could downgrade to it, that's why it's counted as an issue of the server.
Ah also with HSTS, nice.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Re: HTTPS support on forums - is it permanent?
dhouwn wrote: But a MITM could downgrade to it, that's why it's counted as an issue of the server.
Nope, it can't. Firefox doesn't support those weak ciphers. Any attempt to downgrade to them would fail.
Now, if someone uses Internet Explorer 5.0 to access these forums, then yeah, they may be vulnerable. But for those of us living in 2014, all is well.
@barbaz I don't know exactly how old Gecko would have to be to use 40-bit ciphers, but the current crop of allowed cipher suites is way above that.
ETA: This post from 2007 suggests that 40-bit export ciphers were offered in Firefox 1.5, but not 2.0.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:30.0) Gecko/20100101 Firefox/30.0
Re: HTTPS support on forums - is it permanent?
Oh, I thought you meant RC4 in general, totally forgot about the export ciphers.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Re: HTTPS support on forums - is it permanent?
There's a new downgrade attack, POODLE, that makes SSL3 risky.
Of course, most of the people who log in here use NoScript, which would protect them from POODLE (because it needs JavaScript to work), but it's probably best to drop SSL3 if possible. Even Firefox 3.6.28 supports TLS 1.0 if I'm not mistaken, so this shouldn't break compatibility for supported clients.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Re: HTTPS support on forums - is it permanent?
Therefore it's best to disable support for it on the client's side: https://support.mozilla.org/en-US/questions/1025663 or https://addons.mozilla.org/firefox/addo ... n-control/.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Re: HTTPS support on forums - is it permanent?
Oh come on.
It is Mozilla who put out an extension to change a Pref (after I'm sure removed a GUI for the option to begin with - or at least never kept it current so that an end user would have something other than about:config to work with).
(And I had thought SSL was "deprecated" some time ago now?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30
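The downgrade question argued in this thread (weak cipher suites first, then POODLE and SSL3), as an added Python example that is not part of any post. It is a simplified negotiation model, not a real handshake; the version labels, suite names and the `blocked` parameter are constructed for illustration.

```python
# Simplified model of SSL/TLS version and cipher-suite negotiation.
# Suite names are constructed labels, not real OpenSSL or NSS identifiers.
VERSIONS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]        # oldest to newest
TLS_ONLY = VERSIONS[1:]
STRONG = ["AES128-SHA", "AES256-SHA"]
WEAK = ["EXPORT-RC4-40", "EXPORT-DES-40"]


def handshake(max_version, c_versions, c_suites, s_versions, s_suites):
    """One attempt: highest shared version not above max_version, and the
    first server-preferred suite that the client also offered."""
    allowed = VERSIONS[:VERSIONS.index(max_version) + 1]
    shared = [v for v in allowed if v in c_versions and v in s_versions]
    suites = [s for s in s_suites if s in c_suites]
    if not shared or not suites:
        return None                                      # handshake fails
    return shared[-1], suites[0]


def connect(c_versions, c_suites, s_versions, s_suites, blocked=()):
    """Fallback retry as 2014 browsers did it: after a failed attempt, try
    again with a lower maximum version. `blocked` models an on-path party
    that makes handshakes at those versions fail."""
    for top in reversed([v for v in VERSIONS if v in c_versions]):
        result = handshake(top, c_versions, c_suites, s_versions, s_suites)
        if result and result[0] not in blocked:
            return result
    return None                                          # no connection


def scenarios():
    """Outcomes against a server that still accepts SSL3 and weak suites."""
    srv = (VERSIONS, STRONG + WEAK)
    return {
        "normal": connect(VERSIONS, STRONG, *srv),
        "tls_blocked": connect(VERSIONS, STRONG, *srv, blocked=TLS_ONLY),
        "client_drops_ssl3": connect(TLS_ONLY, STRONG, *srv, blocked=TLS_ONLY),
        "server_drops_ssl3": connect(VERSIONS, STRONG, TLS_ONLY, STRONG + WEAK,
                                     blocked=TLS_ONLY),
        # Strong suites removed from a modern client's offer: nothing is left.
        "strong_removed": connect(VERSIONS, [], *srv),
        # A legacy client that only offers export suites gets one.
        "legacy_client": connect(VERSIONS[:2], WEAK, *srv),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18} -> {outcome}")
```

In this model a client that never offers a weak suite cannot end up on one, while the version fallback still reaches SSL3 unless either side has dropped it.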