Forums now have a "real" ssl cert!

OK, I paid for a real cert for www.defcon.org and forum.defcon.org.

This should stop your browsers from complaining about the self signed cert we were using in the past.

Now I just need to decide if I will prevent ssl v.2 usa, and force the more secure ssl v.3 and tls v.1 standards when using the cert.

Please start using them!

DT

Re: DEFCON Forums supports SSL

Can't we have a script for redirecting all http traffic to https so even if I browse to http://www.defcon.org or http://www.defcon.org I would automatically be redirected to https://www.defcon.org or https://www.forum.defcon.org

Re: DEFCON Forums supports SSL

This would be trivial for us to add, but we'd need a good reason.

It would also be possible to make sure all local links explicitly labeled as http://forum.defcon.org/ could be dynamically changed to https://forums.defcon.org/ or the other way around depending on how a user first connects. (This would force even user-included links that use absolute path with forum hostname and protocol, as part of their posts to get converted to the connecting web browser's protocol.)

However, the dynamic re-coding of links on generation would probably cost us layer7 dynamic compression on rendering/generation due to when it happens in the chain of events.

Reasons against:
Guests don't need https, and https does add CPU and memory load when compared to http.
Search engines load as guest.
Not all search engines will be as happy with https as they are with http.
There may be locations that deny users access to service ports that use encryption (443 for example) due to policy to monitor network use.
If a user chooses to browse as http, they can keep http and if they browse as https, they keep https. (Let the user decide how they want to browse the forums and pics.)

We have cookie-assoiciation set to follow protocol type. This means, if you are authenticated as https, then your cookie and creds work on https. Attempts to view items under http will not have you show up as "logged in" (unless you previously logged in under http too.)

Cookie association is also shared with https on pics if auth was on https on forums. And auth maps http on forums with http on pics.

All forum-software-specific links should generate https links for https sessions. (One exception is links to forum items included by people in posts that use an absolute URL reference including the host.domain.tld.

Understand, that the above does not mean that we will always keep both http and https as user-selectable. Mods/Admins can change their minds, and sometimes do. Nearly any policy we have can be changed if there are sufficiently good reasons for change.

I accept counter arguments and other ideas. If you have reasons to support your idea, please provide them. (I've changed my mind before when new information was provided.)

Also, know that I'm no longer primary forum admin, so converge and DT may have other ideas about this, and his decision on what directions the forum should take with respect to this.

One more thing: in the past, the mods have discussed making the forums force http->https during the week of the con at the cost of compression, but we have not actually done this yet. This may happen over the week of con this year, and then revert back after con is over. I've also considered a custom setup that only does this substitution from the public netblock of IP that the unroutable NAT-ed net block is translated to use, while letting the rest of the world see the forums exactly as they are now.

Summary:
It is 100% possible to do this, and would only take me 15 minutes, if that, to add this feature. Converge, DT and the rest of the admins/mods would have to decide if that is what we want. Support your idea with reasons in favor of it, and we'll see where this discussion goes.

Re: DEFCON Forums supports SSL

Cot,

As far as CPU usage, that isn't an issue, the firewall and forums box has lots of cpu power to spare. It would take up a bit mpore badwidth, but in principal I like the idea.

The more people browse from hot spots the more end to end crypto is importnat, if nothing esle then help with content privacy. People may just be lazy or ignorant of the fact that we support SSL, and we should encourage them to use it more.

One idea is to redesign the landing 'splash' page to to pop up in http, but then ask them or run some detect-o script to switch them to ssl if supported.

Re: DEFCON Forums supports SSL

True, but there is something to be said for the folks cognizantly and purposefully browsing in HTTP. Tossing them all into the SSL or die pit .. doesnt seem very friendly. Maybe a big flashing warning banner for the opening page next to login that says ḦEY, YOU SHOULD BE USING SSL!

?

Re: DEFCON Forums supports SSL

I never said force them, just encourage them by making them away and it easy. So I agree with your post. That would be one easy way to get them using ssl.

Another thing I have started doing is using https:// in all references to www and forum links. People are bright enough I think to manually downgrade to http:// if they fail to connect to the https.

Re: DEFCON Forums supports SSL

i do that, too... but that's more a function of me repeatedly forgetting how to insert direct thread and post URLs into my posts on the forums.

Re: DEFCON Forums supports SSL

Anywhere I've got bookmarks I have them to the https:// site

You can never have too much crypto....

...at least until you lose your key!

Re: DEFCON Forums supports SSL

Ok. We can do it, and it sounds like you are in favor of the dynamic modification of all http://[.*].defcon.org/ -> https://[.*].defcon.org when served from the ssl space. This would fix any absolute URL in user posts from http://[.*].defcon.org to https://[.*].defcon.org at the cost of compression.

There is risk to falling into the pit of protecting users from themselves.

Splash-page is doable, but autodetection of ssl support might be more tricky. Not all browsers actually are what they claim to be on the GET. Obviously, we can't trust the user browser to be what they claim to be and make decisions based on this.

A simple default splashpage with static links to the ssl-enabled forums would be doable, just like the April Fools' Day jokes from this year and last year.

I wrote a script that included a reminder that SSL was available, and only displayed this to people using http. (This was going to be another dark joke, where people using non-ssl sessions would see a nice graphic image saying something like, "I'm using plaintext access to the forums! Please hack me!"

Never did go through with it, since I ran out of time. Obviously, this could work for us now if we want a reminder for http users. (Heck, it could even be a new "Defcon" banner image at the top in really ugly yellow, purple, and red with splash-paint, "INSECURE"

Yes. Shame on you! ;-)
It is [ forum = # ] linkname [ / forum ] to link to a forum number
It is [ post = # ] linkname [ / post ] to link to a specific post id
It is [ thread = # ] linkname [ / thread ] to link to a specific thread.
(Remove spaces and replace # with the ID of the think to be linked.)
Using these lets the forums automatically alter http to https or https to http depending on how the user is connected.

Maybe we can give and revoke licenses to people for surfing on the web. If they do something stupid, we can revoke their license and take their "keys" ]:>

Ok then. All we need is a decision. What do we want? Sounds like a few competing solutions.
Step 1: Do we want this?
Step 2: If so, which solution or collection of solutions do we want

Re: DEFCON Forums supports SSL

That's a decent point to consider... now that you have me thinking about it more and I'm re-reading through the thread outside of work :/ ... it just seems like common sense. /me whacks head

The major annoyance that had popped in my mind is constantly manually modifying URLs that define http/https without proper re-write as TheCotMan mentioned .. the only difference is that the default would change. .. but the annoyance issue I'm thinking of is completely independent of this thread altogether and probably something that needs to be smacked with a script or stored proc to rip through the DB and modify URL tags referencing the forums to proper http/s rewritable format...

Re: DEFCON Forums supports SSL

Any thought of supporting HTTPS on the RSS? I use Sage and it reverts back to HTTP when I go to "New Post" when I manually sign in using HTTPS.

Re: DEFCON Forums supports SSL

I like your approach CotMan, I think if something would encourage people to switch to ssl, it would definately be something just like this, nobody wants to feel like an idiot anyway.
There can be many solutions to this and I originally suggested that if a user enters http://defcon.org or http://forum.defcon.org redirect the user to https because I thought it would be easier to implement as most of the times people tend to land on the homepage, can anyone explain is it the case or not?

Re: DEFCON Forums supports SSL

You mean forum rss feeds? That sounds like a job for Cot!

Re: DEFCON Forums supports SSL

Yes. I believe we can do this too, at the cost of dynamic compression.

So, what is the decision? Converge? DT? Chris?

1) Drop compression in favor of dynamic re-coding of links to match the connecting protocol type?
For example, if the user is connected with https:// make sure all links (evevn those in user posts) that reference http://[.*].defcon.org/change to https://[.*].defcon.org

2) Drop compression to ensure RSS Feed links that are generated in an https request for the RSS[1||2] or XML feed are generated to offer https to all defcon.org links?

3) Add support for an image at the top that checks to see if the user is non-guest, and then says, "P133z3 h@ck m3! (I'm not using https even though it is available.)" (Obviously, message can be different.)

4) Give me a range of public IP addresses that will be our presence while at defcon using the Defcon network from their non-routable NAT-ed addresses, so we can force those users to ONLY use https, guest or not.

Converge? DT? Chris? Other mods? Will assume "Don't care" with no response.

Let me know what is decided, and I can set a time to add it.