Announcement

Collapse
No announcement yet.

DEFCON Forums supports SSL

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • DEFCON Forums supports SSL

    The DC Forums now supports SSL encrypted connections. We have been testing this for some time, but I want to make a public announcement so everyone can start using it if they want to.

    I'd suggest using it to log in, if possible. Just access the forums as you would normally, just use "https://forum.defcon.org/"

    Thanks! If it doesn't work for you please let a moderator know and we will work on de-bugging it. The only problems that may arrise is if you are behind a firewall or proxy that breaks SSL.

    DT
    PGP Key: https://defcon.org/html/links/dtangent.html

  • #2
    Forums now have a "real" ssl cert!

    OK, I paid for a real cert for www.defcon.org and forum.defcon.org.

    This should stop your browsers from complaining about the self signed cert we were using in the past.

    Now I just need to decide if I will prevent ssl v.2 usa, and force the more secure ssl v.3 and tls v.1 standards when using the cert.

    Please start using them!

    DT
    PGP Key: https://defcon.org/html/links/dtangent.html

    Comment


    • #3
      Re: DEFCON Forums supports SSL

      Can't we have a script for redirecting all http traffic to https so even if I browse to http://www.defcon.org or http://www.defcon.org I would automatically be redirected to https://www.defcon.org or https://www.forum.defcon.org

      Comment


      • #4
        Re: DEFCON Forums supports SSL

        Originally posted by itsusama View Post
        Can't we have a script for redirecting all http traffic to https so even if I browse to http://www.defcon.org or http://www.defcon.org I would automatically be redirected to https://www.defcon.org or https://www.forum.defcon.org
        This would be trivial for us to add, but we'd need a good reason.

        It would also be possible to make sure all local links explicitly labeled as http://forum.defcon.org/ could be dynamically changed to https://forums.defcon.org/ or the other way around depending on how a user first connects. (This would force even user-included links that use absolute path with forum hostname and protocol, as part of their posts to get converted to the connecting web browser's protocol.)

        However, the dynamic re-coding of links on generation would probably cost us layer7 dynamic compression on rendering/generation due to when it happens in the chain of events.

        Reasons against:
        Guests don't need https, and https does add CPU and memory load when compared to http.
        Search engines load as guest.
        Not all search engines will be as happy with https as they are with http.
        There may be locations that deny users access to service ports that use encryption (443 for example) due to policy to monitor network use.
        If a user chooses to browse as http, they can keep http and if they browse as https, they keep https. (Let the user decide how they want to browse the forums and pics.)

        We have cookie-assoiciation set to follow protocol type. This means, if you are authenticated as https, then your cookie and creds work on https. Attempts to view items under http will not have you show up as "logged in" (unless you previously logged in under http too.)

        Cookie association is also shared with https on pics if auth was on https on forums. And auth maps http on forums with http on pics.

        All forum-software-specific links should generate https links for https sessions. (One exception is links to forum items included by people in posts that use an absolute URL reference including the host.domain.tld.

        Understand, that the above does not mean that we will always keep both http and https as user-selectable. Mods/Admins can change their minds, and sometimes do. Nearly any policy we have can be changed if there are sufficiently good reasons for change.

        I accept counter arguments and other ideas. If you have reasons to support your idea, please provide them. (I've changed my mind before when new information was provided.)

        Also, know that I'm no longer primary forum admin, so converge and DT may have other ideas about this, and his decision on what directions the forum should take with respect to this.

        One more thing: in the past, the mods have discussed making the forums force http->https during the week of the con at the cost of compression, but we have not actually done this yet. This may happen over the week of con this year, and then revert back after con is over. I've also considered a custom setup that only does this substitution from the public netblock of IP that the unroutable NAT-ed net block is translated to use, while letting the rest of the world see the forums exactly as they are now.

        Summary:
        It is 100% possible to do this, and would only take me 15 minutes, if that, to add this feature. Converge, DT and the rest of the admins/mods would have to decide if that is what we want. Support your idea with reasons in favor of it, and we'll see where this discussion goes.
        Last edited by TheCotMan; April 23, 2007, 02:49.

        Comment


        • #5
          Re: DEFCON Forums supports SSL

          Cot,

          As far as CPU usage, that isn't an issue, the firewall and forums box has lots of cpu power to spare. It would take up a bit mpore badwidth, but in principal I like the idea.

          The more people browse from hot spots the more end to end crypto is importnat, if nothing esle then help with content privacy. People may just be lazy or ignorant of the fact that we support SSL, and we should encourage them to use it more.

          One idea is to redesign the landing 'splash' page to to pop up in http, but then ask them or run some detect-o script to switch them to ssl if supported.
          PGP Key: https://defcon.org/html/links/dtangent.html

          Comment


          • #6
            Re: DEFCON Forums supports SSL

            Originally posted by Dark Tangent View Post
            The more people browse from hot spots the more end to end crypto is importnat, if nothing esle then help with content privacy. People may just be lazy or ignorant of the fact that we support SSL, and we should encourage them to use it more.
            True, but there is something to be said for the folks cognizantly and purposefully browsing in HTTP. Tossing them all into the SSL or die pit .. doesnt seem very friendly. Maybe a big flashing warning banner for the opening page next to login that says ḦEY, YOU SHOULD BE USING SSL!

            ?
            if it gets me nowhere, I'll go there proud; and I'm gonna go there free.

            Comment


            • #7
              Re: DEFCON Forums supports SSL

              Originally posted by converge View Post
              True, but there is something to be said for the folks cognizantly and purposefully browsing in HTTP. Tossing them all into the SSL or die pit .. doesnt seem very friendly. Maybe a big flashing warning banner for the opening page next to login that says ḦEY, YOU SHOULD BE USING SSL!

              ?
              I never said force them, just encourage them by making them away and it easy. So I agree with your post. That would be one easy way to get them using ssl.

              Another thing I have started doing is using https:// in all references to www and forum links. People are bright enough I think to manually downgrade to http:// if they fail to connect to the https.
              PGP Key: https://defcon.org/html/links/dtangent.html

              Comment


              • #8
                Re: DEFCON Forums supports SSL

                Originally posted by Dark Tangent View Post
                Another thing I have started doing is using https:// in all references to www and forum links.
                i do that, too... but that's more a function of me repeatedly forgetting how to insert direct thread and post URLs into my posts on the forums.
                "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                - Trent Reznor

                Comment


                • #9
                  Re: DEFCON Forums supports SSL

                  Anywhere I've got bookmarks I have them to the https:// site

                  You can never have too much crypto....

                  ...at least until you lose your key!
                  Never drink anything larger than your head!





                  Comment


                  • #10
                    Re: DEFCON Forums supports SSL

                    Originally posted by Dark Tangent View Post
                    As far as CPU usage, that isn't an issue, the firewall and forums box has lots of cpu power to spare. It would take up a bit mpore badwidth, but in principal I like the idea.
                    Ok. We can do it, and it sounds like you are in favor of the dynamic modification of all http://[.*].defcon.org/ -> https://[.*].defcon.org when served from the ssl space. This would fix any absolute URL in user posts from http://[.*].defcon.org to https://[.*].defcon.org at the cost of compression.

                    The more people browse from hot spots the more end to end crypto is importnat, if nothing esle then help with content privacy. People may just be lazy or ignorant of the fact that we support SSL, and we should encourage them to use it more.
                    There is risk to falling into the pit of protecting users from themselves.

                    One idea is to redesign the landing 'splash' page to to pop up in http, but then ask them or run some detect-o script to switch them to ssl if supported.
                    Splash-page is doable, but autodetection of ssl support might be more tricky. Not all browsers actually are what they claim to be on the GET. Obviously, we can't trust the user browser to be what they claim to be and make decisions based on this.

                    A simple default splashpage with static links to the ssl-enabled forums would be doable, just like the April Fools' Day jokes from this year and last year.

                    Originally posted by converge View Post
                    True, but there is something to be said for the folks cognizantly and purposefully browsing in HTTP. Tossing them all into the SSL or die pit .. doesnt seem very friendly. Maybe a big flashing warning banner for the opening page next to login that says ḦEY, YOU SHOULD BE USING SSL!
                    I wrote a script that included a reminder that SSL was available, and only displayed this to people using http. (This was going to be another dark joke, where people using non-ssl sessions would see a nice graphic image saying something like, "I'm using plaintext access to the forums! Please hack me!"

                    Never did go through with it, since I ran out of time. Obviously, this could work for us now if we want a reminder for http users. (Heck, it could even be a new "Defcon" banner image at the top in really ugly yellow, purple, and red with splash-paint, "INSECURE"

                    Originally posted by Dark Tangent View Post
                    I never said force them, just encourage them by making them away and it easy. So I agree with your post. That would be one easy way to get them using ssl.

                    Another thing I have started doing is using https:// in all references to www and forum links. People are bright enough I think to manually downgrade to http:// if they fail to connect to the https.
                    Originally posted by Deviant Ollam View Post
                    i do that, too... but that's more a function of me repeatedly forgetting how to insert direct thread and post URLs into my posts on the forums.
                    Yes. Shame on you! ;-)
                    It is [ forum = # ] linkname [ / forum ] to link to a forum number
                    It is [ post = # ] linkname [ / post ] to link to a specific post id
                    It is [ thread = # ] linkname [ / thread ] to link to a specific thread.
                    (Remove spaces and replace # with the ID of the think to be linked.)
                    Using these lets the forums automatically alter http to https or https to http depending on how the user is connected.

                    Originally posted by renderman View Post
                    Anywhere I've got bookmarks I have them to the https:// site

                    You can never have too much crypto....

                    ...at least until you lose your key!
                    Maybe we can give and revoke licenses to people for surfing on the web. If they do something stupid, we can revoke their license and take their "keys" ]:>

                    Ok then. All we need is a decision. What do we want? Sounds like a few competing solutions.
                    Step 1: Do we want this?
                    Step 2: If so, which solution or collection of solutions do we want

                    Comment


                    • #11
                      Re: DEFCON Forums supports SSL

                      Originally posted by Dark Tangent View Post
                      People are bright enough I think to manually downgrade to http:// if they fail to connect to the https.
                      That's a decent point to consider... now that you have me thinking about it more and I'm re-reading through the thread outside of work :/ ... it just seems like common sense. /me whacks head

                      The major annoyance that had popped in my mind is constantly manually modifying URLs that define http/https without proper re-write as TheCotMan mentioned .. the only difference is that the default would change. .. but the annoyance issue I'm thinking of is completely independent of this thread altogether and probably something that needs to be smacked with a script or stored proc to rip through the DB and modify URL tags referencing the forums to proper http/s rewritable format...
                      if it gets me nowhere, I'll go there proud; and I'm gonna go there free.

                      Comment


                      • #12
                        Re: DEFCON Forums supports SSL

                        Any thought of supporting HTTPS on the RSS? I use Sage and it reverts back to HTTP when I go to "New Post" when I manually sign in using HTTPS.
                        DaKahuna
                        ___________________
                        Will Hack for Bandwidth

                        Comment


                        • #13
                          Re: DEFCON Forums supports SSL

                          Originally Posted by [B]TheCotMan[/Bhttps://forum.defcon.org/showthread....6137#post86137
                          I wrote a script that included a reminder that SSL was available, and only displayed this to people using http. (This was going to be another dark joke, where people using non-ssl sessions would see a nice graphic image saying something like, "I'm using plaintext access to the forums! Please hack me!"
                          I like your approach CotMan, I think if something would encourage people to switch to ssl, it would definately be something just like this, nobody wants to feel like an idiot anyway.
                          There can be many solutions to this and I originally suggested that if a user enters http://defcon.org or http://forum.defcon.org redirect the user to https because I thought it would be easier to implement as most of the times people tend to land on the homepage, can anyone explain is it the case or not?

                          Comment


                          • #14
                            Re: DEFCON Forums supports SSL

                            Originally posted by DaKahuna View Post
                            Any thought of supporting HTTPS on the RSS? I use Sage and it reverts back to HTTP when I go to "New Post" when I manually sign in using HTTPS.
                            You mean forum rss feeds? That sounds like a job for Cot!
                            PGP Key: https://defcon.org/html/links/dtangent.html

                            Comment


                            • #15
                              Re: DEFCON Forums supports SSL

                              Originally posted by Dark Tangent View Post
                              You mean forum rss feeds? That sounds like a job for Cot!
                              Yes. I believe we can do this too, at the cost of dynamic compression.

                              So, what is the decision? Converge? DT? Chris?

                              1) Drop compression in favor of dynamic re-coding of links to match the connecting protocol type?
                              For example, if the user is connected with https:// make sure all links (evevn those in user posts) that reference http://[.*].defcon.org/change to https://[.*].defcon.org

                              2) Drop compression to ensure RSS Feed links that are generated in an https request for the RSS[1||2] or XML feed are generated to offer https to all defcon.org links?

                              3) Add support for an image at the top that checks to see if the user is non-guest, and then says, "P133z3 h@ck m3! (I'm not using https even though it is available.)" (Obviously, message can be different.)

                              4) Give me a range of public IP addresses that will be our presence while at defcon using the Defcon network from their non-routable NAT-ed addresses, so we can force those users to ONLY use https, guest or not.

                              Converge? DT? Chris? Other mods? Will assume "Don't care" with no response.

                              Let me know what is decided, and I can set a time to add it.

                              Comment

                              Working...
                              X