HTTPS support on forums - is it permanent?

Discussion about the board itself, forums organization and site bugs.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

HTTPS support on forums - is it permanent?

Post by barbaz »

Title says it all. This would be really nice if so, then I won't have to worry any more about what I'm connected to when I log in (right?).
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:30.0) Gecko/20100101 Firefox/30.0 SeaMonkey/2.27a2
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HTTPS support on forums - is it permanent?

Post by Thrawn »

I haven't heard anything, but I notice that the certificate is from StartCom, the same as secure.informaction.com. I'm going to guess that it's staying :).
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:30.0) Gecko/20100101 Firefox/30.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HTTPS support on forums - is it permanent?

Post by Thrawn »

Now this is interesting. The Perspectives addon indicates that the certificate has been visible at forums.informaction.com:443 for over a month. I guess it was enabled a while ago, except everyone was still using the HTTP version. And now that gets redirected.

However, someone must have been using the HTTPS version - and also using Perspectives - in order for the Perspectives notaries to have that history. I'm going to suppose that that someone is Giorgio.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: HTTPS support on forums - is it permanent?

Post by dhouwn »

Yay finally, SSL all the things! ssllabs.com is currently down, so I can't test it that way, but I am sure the score won't be the worst. :)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: HTTPS support on forums - is it permanent?

Post by Giorgio Maone »

Yes, I was the one using it to be sure everything kept working as expected and noticed by Perspectives, and yes, SSL is here to stay.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HTTPS support on forums - is it permanent?

Post by Thrawn »

Sounds good :).

SSLLabs gives only a C, which appears to be mostly because it allows weak cipher suites - but modern Firefox won't use those ciphers anyway AFAICT.

And I guess we should have realised it was here to stay, because the server is using HSTS with a long duration :).

Thanks, Giorgio!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: HTTPS support on forums - is it permanent?

Post by barbaz »

Thank you so much for this enhancement Giorgio. This is awesome.

Only question now is, should I now change my password? I'm not sure whether the fact that passwords I've sent over plain HTTP (on the network I've been logging in from) haven't been abused yet is a good enough reason for me not to worry about it...
Thrawn wrote: SSLLabs gives only a C, which appears to be mostly because it allows weak cipher suites - but modern Firefox won't use those ciphers anyway AFAICT.
Not all of us always use the most up-to-date browsers ;)
How old would the browser have to be to use a vulnerable cipher? IOW, what is the minimum Gecko version that wouldn't use vulnerable ciphers with a site like this in default configuration?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:30.0) Gecko/20100101 Firefox/30.0 SeaMonkey/2.27a2
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: HTTPS support on forums - is it permanent?

Post by dhouwn »

Thrawn wrote: but modern Firefox won't use those ciphers anyway AFAICT.
But a MITM could downgrade to it, that's why it's counted as an issue of the server.

Ah also with HSTS, nice.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HTTPS support on forums - is it permanent?

Post by Thrawn »

dhouwn wrote: But a MITM could downgrade to it, that's why it's counted as an issue of the server.
Nope, it can't. Firefox doesn't support those weak ciphers. Any attempt to downgrade to them would fail.

Now, if someone uses Internet Explorer 5.0 to access these forums, then yeah, they may be vulnerable. But for those of us living in 2014, all is well.

@barbaz I don't know exactly how old Gecko would have to be to use 40-bit ciphers, but the current crop of allowed cipher suites is way above that.

ETA: This post from 2007 suggests that 40-bit export ciphers were offered in Firefox 1.5, but not 2.0.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:30.0) Gecko/20100101 Firefox/30.0
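
The cipher-suite question debated in the posts above, modelled as an added example that is not part of any post: the agreed suite has to be one the client offered, so a server that still lists export suites only exposes clients that offer them too. The suite lists are constructed for illustration, and `server_hello_suite` is a hypothetical parameter standing in for a ServerHello that was changed in transit.

```python
# Constructed sample data. The suite names are real TLS identifiers, but the
# lists are illustrative, not the forum server's or any browser's actual config.
SERVER_SUPPORTED = [            # in server preference order
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
MODERN_CLIENT = SERVER_SUPPORTED[:3]   # offers no export suites
LEGACY_CLIENT = SERVER_SUPPORTED[3:]   # offers only 40-bit export suites


class HandshakeAbort(Exception):
    """Raised when either side refuses to continue the handshake."""


def is_export(suite):
    """40-bit export suites, the 'weak ciphers' this thread is about."""
    return "_EXPORT_" in suite


def server_select(client_offered, server_supported):
    """Server picks its most preferred suite that the client also offered."""
    for suite in server_supported:
        if suite in client_offered:
            return suite
    raise HandshakeAbort("no cipher suite in common")


def handshake(client_offered, server_supported, server_hello_suite=None):
    """Return the agreed suite. server_hello_suite (hypothetical parameter)
    overrides the server's choice to model a ServerHello altered in transit."""
    chosen = server_hello_suite or server_select(client_offered, server_supported)
    if chosen not in client_offered:   # client-side check
        raise HandshakeAbort("server chose a suite the client never offered")
    return chosen


def exposed_export_suites(client_offered, server_supported):
    """Export suites this particular client/server pair could end up using."""
    return [s for s in server_supported if s in client_offered and is_export(s)]


if __name__ == "__main__":
    print("modern:", handshake(MODERN_CLIENT, SERVER_SUPPORTED))
    print("legacy:", handshake(LEGACY_CLIENT, SERVER_SUPPORTED))
    print("modern exposure:", exposed_export_suites(MODERN_CLIENT, SERVER_SUPPORTED))
```
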
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: HTTPS support on forums - is it permanent?

Post by dhouwn »

Oh, I thought you meant RC4 in general, totally forgot about the export ciphers.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HTTPS support on forums - is it permanent?

Post by Thrawn »

There's a new downgrade attack, POODLE, that makes SSL3 risky.

Of course, most of the people who log in here use NoScript, which would protect them from POODLE (because it needs JavaScript to work), but it's probably best to drop SSL3 if possible. Even Firefox 3.6.28 supports TLS 1.0 if I'm not mistaken, so this shouldn't break compatibility for supported clients.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: HTTPS support on forums - is it permanent?

Post by dhouwn »

Therefore it's best to disable support for it on the client's side: https://support.mozilla.org/en-US/questions/1025663 or https://addons.mozilla.org/firefox/addo ... n-control/.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: HTTPS support on forums - is it permanent?

Post by therube »

Oh come on.
It is Mozilla who put out an extension to change a Pref (after I'm sure removed a GUI for the option to begin with - or at least never kept it current so that an end user would have something other than about:config to work with).

(And I had thought SSL was "deprecated" some time ago now?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30