The DC Forums now supports SSL encrypted connections. We have been testing this for some time, but I want to make a public announcement so everyone can start using it if they want to.

I'd suggest using it to log in, if possible. Just access the forums as you would normally, just use "http://forum.defcon.org/"

Thanks! If it doesn't work for you please let a moderator know and we will work on de-bugging it. The only problems that may arrise is if you are behind a firewall or proxy that breaks SSL.

DT

OK, I paid for a real cert for www.defcon.org and forum.defcon.org.

This should stop your browsers from complaining about the self signed cert we were using in the past.

Now I just need to decide if I will prevent ssl v.2 usa, and force the more secure ssl v.3 and tls v.1 standards when using the cert.

Please start using them!

DT

Can't we have a script for redirecting all http traffic to https so even if I browse to http://www.defcon.org or http://www.defcon.org I would automatically be redirected to http://www.defcon.org or http://www.forum.defcon.org

Can't we have a script for redirecting all http traffic to https so even if I browse to http://www.defcon.org or http://www.defcon.org I would automatically be redirected to http://www.defcon.org or http://www.forum.defcon.org

This would be trivial for us to add, but we'd need a good reason.

It would also be possible to make sure all local links explicitly labeled as http://forum.defcon.org/ could be dynamically changed to http://forums.defcon.org/ or the other way around depending on how a user first connects. (This would force even user-included links that use absolute path with forum hostname and protocol, as part of their posts to get converted to the connecting web browser's protocol.)

However, the dynamic re-coding of links on generation would probably cost us layer7 dynamic compression on rendering/generation due to when it happens in the chain of events.

Reasons against:
Guests don't need https, and https does add CPU and memory load when compared to http.
Search engines load as guest.
Not all search engines will be as happy with https as they are with http.
There may be locations that deny users access to service ports that use encryption (443 for example) due to policy to monitor network use.
If a user chooses to browse as http, they can keep http and if they browse as https, they keep https. (Let the user decide how they want to browse the forums and pics.)

We have cookie-assoiciation set to follow protocol type. This means, if you are authenticated as https, then your cookie and creds work on https. Attempts to view items under http will not have you show up as "logged in" (unless you previously logged in under http too.)

Cookie association is also shared with https on pics if auth was on https on forums. And auth maps http on forums with http on pics.

All forum-software-specific links should generate https links for https sessions. (One exception is links to forum items included by people in posts that use an absolute URL reference including the host.domain.tld.

Understand, that the above does not mean that we will always keep both http and https as user-selectable. Mods/Admins can change their minds, and sometimes do. Nearly any policy we have can be changed if there are sufficiently good reasons for change.

I accept counter arguments and other ideas. If you have reasons to support your idea, please provide them. (I've changed my mind before when new information was provided.)

Also, know that I'm no longer primary forum admin, so converge and DT may have other ideas about this, and his decision on what directions the forum should take with respect to this.

One more thing: in the past, the mods have discussed making the forums force http->https during the week of the con at the cost of compression, but we have not actually done this yet. This may happen over the week of con this year, and then revert back after con is over. I've also considered a custom setup that only does this substitution from the public netblock of IP that the unroutable NAT-ed net block is translated to use, while letting the rest of the world see the forums exactly as they are now.

Summary:
It is 100% possible to do this, and would only take me 15 minutes, if that, to add this feature. Converge, DT and the rest of the admins/mods would have to decide if that is what we want. Support your idea with reasons in favor of it, and we'll see where this discussion goes.

Cot,

As far as CPU usage, that isn't an issue, the firewall and forums box has lots of cpu power to spare. It would take up a bit mpore badwidth, but in principal I like the idea.

The more people browse from hot spots the more end to end crypto is importnat, if nothing esle then help with content privacy. People may just be lazy or ignorant of the fact that we support SSL, and we should encourage them to use it more.

One idea is to redesign the landing 'splash' page to to pop up in http, but then ask them or run some detect-o script to switch them to ssl if supported.

The more people browse from hot spots the more end to end crypto is importnat, if nothing esle then help with content privacy. People may just be lazy or ignorant of the fact that we support SSL, and we should encourage them to use it more. True, but there is something to be said for the folks cognizantly and purposefully browsing in HTTP. Tossing them all into the SSL or die pit .. doesnt seem very friendly. Maybe a big flashing warning banner for the opening page next to login that says ḦEY, YOU SHOULD BE USING SSL!

?

True, but there is something to be said for the folks cognizantly and purposefully browsing in HTTP. Tossing them all into the SSL or die pit .. doesnt seem very friendly. Maybe a big flashing warning banner for the opening page next to login that says ḦEY, YOU SHOULD BE USING SSL!

?

I never said force them, just encourage them by making them away and it easy. So I agree with your post. That would be one easy way to get them using ssl.

Another thing I have started doing is using https:// in all references to www and forum links. People are bright enough I think to manually downgrade to http:// if they fail to connect to the https.

Another thing I have started doing is using https:// in all references to www and forum links.i do that, too... but that's more a function of me repeatedly forgetting how to insert direct thread and post URLs into my posts on the forums. :wink:

Anywhere I've got bookmarks I have them to the https:// site

You can never have too much crypto....

...at least until you lose your key!

As far as CPU usage, that isn't an issue, the firewall and forums box has lots of cpu power to spare. It would take up a bit mpore badwidth, but in principal I like the idea.

Ok. We can do it, and it sounds like you are in favor of the dynamic modification of all http://[.*].defcon.org/ -> https://[.*].defcon.org when served from the ssl space. This would fix any absolute URL in user posts from http://[.*].defcon.org to https://[.*].defcon.org at the cost of compression.

The more people browse from hot spots the more end to end crypto is importnat, if nothing esle then help with content privacy. People may just be lazy or ignorant of the fact that we support SSL, and we should encourage them to use it more.

There is risk to falling into the pit of protecting users from themselves.

One idea is to redesign the landing 'splash' page to to pop up in http, but then ask them or run some detect-o script to switch them to ssl if supported.

Splash-page is doable, but autodetection of ssl support might be more tricky. Not all browsers actually are what they claim to be on the GET. Obviously, we can't trust the user browser to be what they claim to be and make decisions based on this.

A simple default splashpage with static links to the ssl-enabled forums would be doable, just like the April Fools' Day jokes from this year and last year.

True, but there is something to be said for the folks cognizantly and purposefully browsing in HTTP. Tossing them all into the SSL or die pit .. doesnt seem very friendly. Maybe a big flashing warning banner for the opening page next to login that says ḦEY, YOU SHOULD BE USING SSL!

I wrote a script that included a reminder that SSL was available, and only displayed this to people using http. (This was going to be another dark joke, where people using non-ssl sessions would see a nice graphic image saying something like, "I'm using plaintext access to the forums! Please hack me!"

Never did go through with it, since I ran out of time. Obviously, this could work for us now if we want a reminder for http users. (Heck, it could even be a new "Defcon" banner image at the top in really ugly yellow, purple, and red with splash-paint, "INSECURE"

I never said force them, just encourage them by making them away and it easy. So I agree with your post. That would be one easy way to get them using ssl.

Another thing I have started doing is using https:// in all references to www and forum links. People are bright enough I think to manually downgrade to http:// if they fail to connect to the https.

i do that, too... but that's more a function of me repeatedly forgetting how to insert direct thread and post URLs into my posts on the forums. :wink:
Yes. Shame on you! ;-)
It is [ forum = # ] linkname [ / forum ] to link to a forum number
It is [ post = # ] linkname [ / post ] to link to a specific post id
It is [ thread = # ] linkname [ / thread ] to link to a specific thread.
(Remove spaces and replace # with the ID of the think to be linked.)
Using these lets the forums automatically alter http to https or https to http depending on how the user is connected.

Anywhere I've got bookmarks I have them to the https:// site

You can never have too much crypto....

...at least until you lose your key!
Maybe we can give and revoke licenses to people for surfing on the web. If they do something stupid, we can revoke their license and take their "keys" ]:>

Ok then. All we need is a decision. What do we want? Sounds like a few competing solutions.
Step 1: Do we want this?
Step 2: If so, which solution or collection of solutions do we want

People are bright enough I think to manually downgrade to http:// if they fail to connect to the https. That's a decent point to consider... now that you have me thinking about it more and I'm re-reading through the thread outside of work :/ ... it just seems like common sense. /me whacks head

The major annoyance that had popped in my mind is constantly manually modifying URLs that define http/https without proper re-write as TheCotMan mentioned .. the only difference is that the default would change. .. but the annoyance issue I'm thinking of is completely independent of this thread altogether and probably something that needs to be smacked with a script or stored proc to rip through the DB and modify URL tags referencing the forums to proper http/s rewritable format...

Any thought of supporting HTTPS on the RSS? I use Sage and it reverts back to HTTP when I go to "New Post" when I manually sign in using HTTPS.

Originally Posted by [B]TheCotMan[/Bhttp://forum.defcon.org/showthread.php?p=86137#post86137
I wrote a script that included a reminder that SSL was available, and only displayed this to people using http. (This was going to be another dark joke, where people using non-ssl sessions would see a nice graphic image saying something like, "I'm using plaintext access to the forums! Please hack me!"

I like your approach CotMan, I think if something would encourage people to switch to ssl, it would definately be something just like this, nobody wants to feel like an idiot anyway.
There can be many solutions to this and I originally suggested that if a user enters http://defcon.org or http://forum.defcon.org redirect the user to https because I thought it would be easier to implement as most of the times people tend to land on the homepage, can anyone explain is it the case or not?

Any thought of supporting HTTPS on the RSS? I use Sage and it reverts back to HTTP when I go to "New Post" when I manually sign in using HTTPS.

You mean forum rss feeds? That sounds like a job for Cot!

You mean forum rss feeds? That sounds like a job for Cot!

Yes. I believe we can do this too, at the cost of dynamic compression.

So, what is the decision? Converge? DT? Chris?

1) Drop compression in favor of dynamic re-coding of links to match the connecting protocol type?
For example, if the user is connected with https:// make sure all links (evevn those in user posts) that reference http://[.*].defcon.org/change to https://[.*].defcon.org

2) Drop compression to ensure RSS Feed links that are generated in an https request for the RSS[1||2] or XML feed are generated to offer https to all defcon.org links?

3) Add support for an image at the top that checks to see if the user is non-guest, and then says, "P133z3 h@ck m3! (I'm not using https even though it is available.)" (Obviously, message can be different.)

4) Give me a range of public IP addresses that will be our presence while at defcon using the Defcon network from their non-routable NAT-ed addresses, so we can force those users to ONLY use https, guest or not.

Converge? DT? Chris? Other mods? Will assume "Don't care" with no response.

Let me know what is decided, and I can set a time to add it.

1) Yes.
2) Yes.
3) Yes, although Goatse is probably too cruel.
4) I'll leave that to the DT and the NOC crew. :wink:

1) Drop compression in favor of dynamic re-coding of links to match the connecting protocol type?2) Drop compression to ensure RSS Feed links It sucks to lose the compression functionality with it working so well, but I think the idea is to promote security over efficiency.. this would be a must to make it happen and work well.

3) Add support for an image at the top that checks to see if the user is non-guest I vote for either Chris, noid, or skroo to think of a good saying.. they're exceptional at those.

4) Give me a range of public IP addresses that will May want to make this easily modifiable so that we can change it / append it as we find out more details closer to con.. unless DT already knows this info for sure?


Really should have read this thread more .. I missed a lot of details when I originally skimmed it. DTs detecto-script idea is a great one and could be done by:

1) default forums page loads .. (not liking the splash page part so much :/)
2) insert javascript at the beginning/before page load (may end up as kludge.. bleh)
3) javascript attempts to load https://funkytown/test.gif ... 1x1 pixel
- succeed immediately redirects to http://forum.defcon.org
- fail ignores error and continues loading http forum entry

This requires javascript support (unless there are apache tricks I'm not on top of) ...otherwise its a shot in the dark discovering their client-side ability to connect to https; avoiding unnecessary re-directs is good, not all browsers like them, including my phone.

1) Yes.
2) Yes.
3) Yes, although Goatse is probably too cruel.
4) I'll leave that to the DT and the NOC crew. :wink:


It sucks to lose the compression functionality with it working so well, but I think the idea is to promote security over efficiency.. this would be a must to make it happen and work well.

Ok. We have DT you and Thorn in agreement over making the RSS feed match https-> https (links) as well as the dynamic re-write of all http://[A-Za-z0-9]*.defcon.org links to http://\1.defcon.org and the other way around depending on how the user connects.

I've scheduled time for this: 10 minutes ago.

We are now live with compression disabled, a and dynamic rewrite of links for all defcon.org domain host links from http to https when browsing as https and dynamic rewrite of all https to http for defcon.org links when connecting as http.

Summary: Items 1 and 2 are live right now. Compression disabled.

Feedback Welcome. We are in the testing stage.

I vote for either Chris, noid, or skroo to think of a good saying.. they're exceptional at those.
Yes. Their writing skills are as clever as most of my posts are long. :-)

May want to make this easily modifiable so that we can change it / append it as we find out more details closer to con.. unless DT already knows this info for sure?
Yes. This will take more time. I should be able to make this work based on a netmask specification and overloading of an error-code with access restrictions and redirection. Once in place, we'd only need to alter a file (without service restart) to specify the range of IP addresses that should only access forums with https.

This is not live. I've got other things I need to do today, and this is low priority, since we have several months before con.

Really should have read this thread more .. I missed a lot of details when I originally skimmed it. DTs detecto-script idea is a great one and could be done by:

1) default forums page loads .. (not liking the splash page part so much :/)
2) insert javascript at the beginning/before page load (may end up as kludge.. bleh)
3) javascript attempts to load https://funkytown/test.gif ... 1x1 pixel
- succeed immediately redirects to http://forum.defcon.org
- fail ignores error and continues loading http forum entry

This requires javascript support (unless there are apache tricks I'm not on top of) ...otherwise its a shot in the dark discovering their client-side ability to connect to https; avoiding unnecessary re-directs is good, not all browsers like them, including my phone.
You want to do this? Such code can be included in the forum header, so as to load on each page. An alternative would be a splash page with auto-redirect and short delay.

By having this take place in the forum-space, env vars to detect a logged-in user could be included, so as to not force guests (and search engines) to use https.

Left to do:
Add support to include that image with that nasty-mean-cruel-informative message to http users letting them know https is available, while letting https users know they are using https.

Add support for auto-redirect to https from http connections based on netmask connection ranges. (If we want this to work, we will need to know the public range of IP that unroutable NAT-ed IP will appear as to the public. By making this easy to change, I could change this from con, allowing it to remain a secret until it is needed.)

You want to do this? Such code can be included Yup, got it covered .. but will keep it at a low priority as well .. hopefully within the next couple weeks as a target. Need to find a bigger flame thrower to increase candle burning efficiency.

...to the public. By making this easy to change, I could change this from con, allowing it to remain a secret until it is needed.) well.. and for the extra effort up front, it allows for easy/quick access should the subnet change ... either on-site, for future defcons, or in the event we find other reasons to enforce by origination..

Yup, got it covered .. but will keep it at a low priority as well .. hopefully within the next couple weeks as a target. Need to find a bigger flame thrower to increase candle burning efficiency.
Ja.

I just added the code I was working on last year to the live forums.

For now, as a demo, I've altered the "DEF CON" banner image.
When you are in https, it looks like it did before.
When you are in http, there is this ugly block of white to the right of it with black font that reads:
You're using http?
Try https.
http=(session hijack,
stolen credentials,
and session spying)

well.. and for the extra effort up front, it allows for easy/quick access should the subnet change ... either on-site, for future defcons, or in the event we find other reasons to enforce by origination..
Yeah. Code recycling. I am a big fan of doing Defcon work before or after con, but not *at* con.

Ja.

I just added the code I was working on last year to the live forums.

For now, as a demo, I've altered the "DEF CON" banner image.
When you are in https, it looks like it did before.
When you are in http, there is this ugly block of white to the right of it with black font that reads:
You're using http?
Try https.
http=(session hijack,
stolen credentials,
and session spying)


Yeah. Code recycling. I am a big fan of doing Defcon work before or after con, but not *at* con.

OUTSTANDING!! I for one am very appreciative.

OUTSTANDING!! I for one am very appreciative.

You're welcome. :-)

On the topic of the custom banner for ssl vs. non-ssl, I hope that people don't rely on this as a way to determine if they are logged in with ssl or not.

It would be simple enough to participate in certain networks and provide a MiM attack to peer clients using http sessions and then substitute the ssl-version banner for the non-ssl version.

I guess, a good metaphor would be to equate it to the 'Oil Light' in many cars-- just because it's not lit up, doesn't mean everything is fine. (heh heh)

If you notice any bugs, or problems with the latest demo/test, please report them here.

Feedback still welcome.

Thanks!

Feedback still welcome.

hmm.. very nice. Only idea I'd throw out as a highly optional 'coolness factor' might be to make it a 'Click here to go HTTPS' link/graphic .. then have it link to the same URL but https.

For example, converge clicks on a link from a german evil hacker site that tells wonderous tales of ales that surpass all others. I click: http ://forum.defcon.org/showthread.php?t=6726&page=2, and see the image inviting me to use SSL instead because I'm otherwise lame. My mouse clicks and I'm off to the front page of the forums?

I know.. its a silly thing when you can travel 50 pixels higher and nail an 's' into the URL .. I still cringe at the vertical whitespace wasted by the logo's location ;)

--edit: gah! the forums keep rewriting my example URL. Looks like it works swimmingly.

hmm.. very nice. Only idea I'd throw out as a highly optional 'coolness factor' might be to make it a 'Click here to go HTTPS' link/graphic .. then have it link to the same URL but https.

For example, converge clicks on a link from a german evil hacker site that tells wonderous tales of ales that surpass all others. I click: http ://forum.defcon.org/showthread.php?t=6726&page=2, and see the image inviting me to use SSL instead because I'm otherwise lame. My mouse clicks and I'm off to the front page of the forums?
Trivial to add this. The question is, where, and how? (How in the sense of integration with the forums, not a coding question.)

I am not a fan of mods to the actual files used by the forums, as that creates complexity during upgrades, and complexity means greater risk for security holes, accidents, and problems.

The best place might be a template addition. I'll check into this and add research to my to-do list, and give you some possible choices.

I know.. its a silly thing when you can travel 50 pixels higher and nail an 's' into the URL .. I still cringe at the vertical whitespace wasted by the logo's location ;)
Heh. I'm a pixel, but I am not higher or lower. Some day, I will be a hacker, and then the world will fear me! (heh-heh, hrm. Uhhh Yeah! I AM COT-HOLIO!)

--edit: gah! the forums keep rewriting my example URL. Looks like it works swimmingly.
Heh heh. Speaking of which, I need to fix an exception for the CP, since loaded settings will convert http:// to https:// risking a saved default from http:// to https:// and all of the problems associated with that.

Heh. I'm a pixel, but I am not higher or lower. Some day, I will be a hacker, and then the world will fear me! (heh-heh, hrm. Uhhh Yeah! I AM COT-HOLIO!)
I am a pixel, but am losing brightness. Doh!

CP issues have been fixed.
New workaround to allow for a session switch https>http and http>https is available.
For now, until we can find a better place that converge likes, I've got a link at the top called "Switch Session Encryption"
This link is designed to remember where you were, so that when you are switched from http to https or https to http, you are eventually brought back to the forum page you were viewing previously.

For now, if you click this while in http, you get a redirection page that META refresh-es you to use http, with a link to use if your browser does not support META refresh based redirection.

If you click on it from an https session, you get an ugly page with a red background, a warning about what you are doing, and NO refresh based in META; you have to choose one of th resulting links which will take you to http or https and the page you were viewing.

So converge, where do you want it? It would be easy enough to make the "DEF CON" banner image a link to the switch tool.

We can locate the switch script lnk in several places. Where would you like to see it?
(Other people can make suggestions here too.)

hmm.. very nice. Only idea I'd throw out as a highly optional 'coolness factor' might be to make it a 'Click here to go HTTPS' link/graphic .. then have it link to the same URL but https.
Ok. 80% done. Rest is cosmetic.

I like the "TRY" https. It screams "No guarantees." Guess you know us too well.

How about adding "Login from your .gov domain to see a special forum just for you!"

:-)

I like the "TRY" https. It screams "No guarantees." Guess you know us too well.

How about adding "Login from your .gov domain to see a special forum just for you!"

:-)

Don't forget .mil :wink:

Is anyone one else getting the thread notification and PM notification emails pointing to the http and not https?

Is anyone one else getting the thread notification and PM notification emails pointing to the http and not https?

Good catch.

Everyone does. The forums allow us to specify a default URL and that is used for all communications in E-Mail about thread notices, and account resets like passwords.

Now that we have two-way substitution (one for http consistency and another for https consistency) we can look into resetting the default forum URL from http://forum.defcon.org/ to http://forum.defcon.org.

Converge: what do you think? You want to do this? (if you are too busy, I can do it for you.)
There may be some fallout if/when we do this that we don't expect, but almost everything on the forums should work just as it does, except email notices.

we can look into resetting the default forum URL from http://forum.defcon.org/ to http://forum.defcon.org ... diff -u? attaaack.. of the killer rewrite!

Converge: what do you think? You want to do this? (if you are too busy, I can do it for you.) Thinking before doing.

... diff -u? attaaack.. of the killer rewrite!
Heh heh. No need to patch code. :-)
Thinking before doing.
We visit the admincp, and change the default url from http to https
Done.

Well, not quite done. Next, we look for bugs related to that change. May not be any. The dynamic rewrite code I added before, may iron out any bugs that we might have otherwise had.

Well, not quite done. Next, we look for bugs related to that change. May not be any. The dynamic rewrite code I added before, may iron out any bugs that we might have otherwise had. Just made the change, looking for bugs. Thusfar standard http appears to be in tact.

Email Validation, Welcome email, and auto-protmotion email (when users can post replies, or new threads, etc.) have had their text altered to include https links first, followed by http links for links to rules, policies, validation of email address and new forum account.

I can verify that notice of a new PM offers links as https.

Email notices of followup to threads a user is subscribed to receive updates should also work.

Ok. What else?

Looks even better now. I use Sage with Firefox and now all the pages are coming up HTTPS without me having to change.

Thanks guys! Catch me at the Forum Meet this year and I'll buy you both a beer!

Left to do:
Add support to include that image with that nasty-mean-cruel-informative message to http users letting them know https is available, while letting https users know they are using https.
I spoke with converge about this. We'll use the defcon image/banner with altered text as a link to change encryption.

Expect this to be finished today-- probably in the next hour.

Add support for auto-redirect to https from http connections based on netmask connection ranges. (If we want this to work, we will need to know the public range of IP that unroutable NAT-ed IP will appear as to the public. By making this easy to change, I could change this from con, allowing it to remain a secret until it is needed.)
Yeah.... Done. We don't even need to restart the web server to make these changes.

We can now specify a network/subnet including 0.0.0.0/0 to make everyone go https if we really want to. (We don't want to. If we wanted to do this, a server-based forward for all http->https would make much more sense and work better.)

I'm going to hold off on the https test and autoredirect to force a move if the prot works ... want to see that all these changes take well.. we can keep an eye on stats related to folks using http vs https .. after a week or two of burning this, we can decide if we want to move forward with a forced initial https page if supported.

The single banner image has been split into 2 images. The original DEF CON banner is linked to the main index. The image to the right does what it says it does.