DEFCON Forums supports SSL

  • Thorn
    Easy Bake Oven Iron Chef
    • Sep 2002
    • 1819

    #16
    Re: DEFCON Forums supports SSL

    1) Yes.
    2) Yes.
    3) Yes, although Goatse is probably too cruel.
    4) I'll leave that to the DT and the NOC crew.
    Thorn
    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


    • converge
      No Values Voter
      • Oct 2001
      • 3322

      #17
      Re: DEFCON Forums supports SSL

      Originally posted by TheCotMan
      1) Drop compression in favor of dynamic re-coding of links to match the connecting protocol type?
      Originally posted by TheCotMan
      2) Drop compression to ensure RSS Feed links
      It sucks to lose the compression functionality with it working so well, but I think the idea is to promote security over efficiency.. this would be a must to make it happen and work well.

      Originally posted by TheCotMan
      3) Add support for an image at the top that checks to see if the user is non-guest
      I vote for either Chris, noid, or skroo to think of a good saying.. they're exceptional at those.

      Originally posted by TheCotMan
      4) Give me a range of public IP addresses that will
      May want to make this easily modifiable so that we can change it / append it as we find out more details closer to con.. unless DT already knows this info for sure?


      Really should have read this thread more .. I missed a lot of details when I originally skimmed it. DT's detecto-script idea is a great one and could be done by:

      1) default forums page loads .. (not liking the splash page part so much :/)
      2) insert javascript at the beginning/before page load (may end up as kludge.. bleh)
      3) javascript attempts to load https://funkytown/test.gif ... 1x1 pixel
      - succeed immediately redirects to https://forum.defcon.org
      - fail ignores error and continues loading http forum entry

      This requires javascript support (unless there are apache tricks I'm not on top of) ...otherwise it's a shot in the dark discovering their client-side ability to connect to https; avoiding unnecessary re-directs is good, not all browsers like them, including my phone.
      if it gets me nowhere, I'll go there proud; and I'm gonna go there free.


      • TheCotMan
        *****Retired *****
        • May 2004
        • 8857

        #18
        Re: DEFCON Forums supports SSL

        Originally posted by Thorn
        1) Yes.
        2) Yes.
        3) Yes, although Goatse is probably too cruel.
        4) I'll leave that to the DT and the NOC crew.

        Originally posted by converge
        It sucks to lose the compression functionality with it working so well, but I think the idea is to promote security over efficiency.. this would be a must to make it happen and work well.
        Ok. We have DT, you and Thorn in agreement over making the RSS feed match https-> https (links) as well as the dynamic re-write of all http://[A-Za-z0-9]*.defcon.org links to https://\1.defcon.org and the other way around depending on how the user connects.

        I've scheduled time for this: 10 minutes ago.

        We are now live with compression disabled, and dynamic rewrite of links for all defcon.org domain host links from http to https when browsing as https and dynamic rewrite of all https to http for defcon.org links when connecting as http.

        Summary: Items 1 and 2 are live right now. Compression disabled.

        Feedback Welcome. We are in the testing stage.

        I vote for either Chris, noid, or skroo to think of a good saying.. they're exceptional at those.
        Yes. Their writing skills are as clever as most of my posts are long. :-)

        May want to make this easily modifiable so that we can change it / append it as we find out more details closer to con.. unless DT already knows this info for sure?
        Yes. This will take more time. I should be able to make this work based on a netmask specification and overloading of an error-code with access restrictions and redirection. Once in place, we'd only need to alter a file (without service restart) to specify the range of IP addresses that should only access forums with https.

        This is not live. I've got other things I need to do today, and this is low priority, since we have several months before con.

        Really should have read this thread more .. I missed a lot of details when I originally skimmed it. DT's detecto-script idea is a great one and could be done by:

        1) default forums page loads .. (not liking the splash page part so much :/)
        2) insert javascript at the beginning/before page load (may end up as kludge.. bleh)
        3) javascript attempts to load https://funkytown/test.gif ... 1x1 pixel
        - succeed immediately redirects to https://forum.defcon.org
        - fail ignores error and continues loading http forum entry

        This requires javascript support (unless there are apache tricks I'm not on top of) ...otherwise it's a shot in the dark discovering their client-side ability to connect to https; avoiding unnecessary re-directs is good, not all browsers like them, including my phone.
        You want to do this? Such code can be included in the forum header, so as to load on each page. An alternative would be a splash page with auto-redirect and short delay.

        By having this take place in the forum-space, env vars to detect a logged-in user could be included, so as to not force guests (and search engines) to use https.

        Left to do:
        Add support to include that image with that nasty-mean-cruel-informative message to http users letting them know https is available, while letting https users know they are using https.

        Add support for auto-redirect to https from http connections based on netmask connection ranges. (If we want this to work, we will need to know the public range of IP that unroutable NAT-ed IP will appear as to the public. By making this easy to change, I could change this from con, allowing it to remain a secret until it is needed.)

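The scheme-matching link rewrite described in the post above (http://[A-Za-z0-9]*.defcon.org to https://\1.defcon.org and back, applied to page bodies and the RSS feed alike), as an added Python illustration rather than the forum's own Apache configuration. The pattern is the one quoted in the thread; the trailing lookahead that stops the host match at a delimiter is my addition, so that a link such as http://forum.defcon.org.evil.example is not mistaken for a defcon.org host.

```python
import re

# Host pattern from the thread: [A-Za-z0-9]*.defcon.org, captured as \1.
# The lookahead (my addition) requires the host to end at '/', ':', a quote,
# whitespace or end of text, so "forum.defcon.org.evil.example" is not rewritten.
_HOST = r"([A-Za-z0-9]*)\.defcon\.org(?=[/:\"'\s<>]|$)"

# "http://" cannot match inside "https://", so each regex only touches the
# scheme it is meant to convert.
_TO_HTTPS = re.compile(r"http://" + _HOST)
_TO_HTTP = re.compile(r"https://" + _HOST)


def rewrite_links(body: str, client_scheme: str) -> str:
    """Rewrite every defcon.org link in body to match the client's scheme.

    client_scheme is "http" or "https" (how the user reached the forums).
    Links to any other host are left untouched. The same function is applied
    to HTML pages and to the RSS feed body so feed links stay consistent too.
    """
    if client_scheme == "https":
        return _TO_HTTPS.sub(r"https://\1.defcon.org", body)
    if client_scheme == "http":
        return _TO_HTTP.sub(r"http://\1.defcon.org", body)
    raise ValueError("unknown client scheme: %r" % client_scheme)


if __name__ == "__main__":
    # Constructed sample page fragment, not taken from the forums.
    sample = (
        '<a href="http://forum.defcon.org/showthread.php?t=6726&page=2">thread</a> '
        '<a href="http://www.defcon.org/">main</a> '
        '<a href="http://www.example.com/">elsewhere</a> '
        '<a href="http://forum.defcon.org.evil.example/">lookalike</a>'
    )
    print(rewrite_links(sample, "https"))
```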

        • converge
          No Values Voter
          • Oct 2001
          • 3322

          #19
          Re: DEFCON Forums supports SSL

          Originally posted by TheCotMan
          You want to do this? Such code can be included
          Yup, got it covered .. but will keep it at a low priority as well .. hopefully within the next couple weeks as a target. Need to find a bigger flame thrower to increase candle burning efficiency.

          Originally posted by TheCotMan
          ...to the public. By making this easy to change, I could change this from con, allowing it to remain a secret until it is needed.)
          well.. and for the extra effort up front, it allows for easy/quick access should the subnet change ... either on-site, for future defcons, or in the event we find other reasons to enforce by origination..
          if it gets me nowhere, I'll go there proud; and I'm gonna go there free.


          • TheCotMan
            *****Retired *****
            • May 2004
            • 8857

            #20
            Re: DEFCON Forums supports SSL

            Originally posted by converge
            Yup, got it covered .. but will keep it at a low priority as well .. hopefully within the next couple weeks as a target. Need to find a bigger flame thrower to increase candle burning efficiency.
            Ja.

            I just added the code I was working on last year to the live forums.

            For now, as a demo, I've altered the "DEF CON" banner image.
            When you are in https, it looks like it did before.
            When you are in http, there is this ugly block of white to the right of it with black font that reads:
            You're using http?
            Try https.
            http=(session hijack,
            stolen credentials,
            and session spying)


            well.. and for the extra effort up front, it allows for easy/quick access should the subnet change ... either on-site, for future defcons, or in the event we find other reasons to enforce by origination..
            Yeah. Code recycling. I am a big fan of doing Defcon work before or after con, but not *at* con.
            Last edited by TheCotMan; April 27, 2007, 12:22.


            • DaKahuna
              Dirty Ol' Man
              • Apr 2006
              • 664

              #21
              Re: DEFCON Forums supports SSL

              Originally posted by TheCotMan
              Ja.

              I just added the code I was working on last year to the live forums.

              For now, as a demo, I've altered the "DEF CON" banner image.
              When you are in https, it looks like it did before.
              When you are in http, there is this ugly block of white to the right of it with black font that reads:
              You're using http?
              Try https.
              http=(session hijack,
              stolen credentials,
              and session spying)
              Yeah. Code recycling. I am a big fan of doing Defcon work before or after con, but not *at* con.
              OUTSTANDING!! I for one am very appreciative.
              DaKahuna
              ___________________
              Will Hack for Bandwidth


              • TheCotMan
                *****Retired *****
                • May 2004
                • 8857

                #22
                Re: DEFCON Forums supports SSL

                Originally posted by DaKahuna
                OUTSTANDING!! I for one am very appreciative.
                You're welcome. :-)

                On the topic of the custom banner for ssl vs. non-ssl, I hope that people don't rely on this as a way to determine if they are logged in with ssl or not.

                It would be simple enough to participate in certain networks and provide a MiM attack to peer clients using http sessions and then substitute the ssl-version banner for the non-ssl version.

                I guess, a good metaphor would be to equate it to the 'Oil Light' in many cars-- just because it's not lit up, doesn't mean everything is fine. (heh heh)

                If you notice any bugs, or problems with the latest demo/test, please report them here.

                Feedback still welcome.

                Thanks!


                • converge
                  No Values Voter
                  • Oct 2001
                  • 3322

                  #23
                  Re: DEFCON Forums supports SSL

                  Originally posted by TheCotMan
                  Feedback still welcome.
                  hmm.. very nice. Only idea I'd throw out as a highly optional 'coolness factor' might be to make it a 'Click here to go HTTPS' link/graphic .. then have it link to the same URL but https.

                  For example, converge clicks on a link from a German evil hacker site that tells wondrous tales of ales that surpass all others. I click: http ://forum.defcon.org/showthread.php?t=6726&page=2, and see the image inviting me to use SSL instead because I'm otherwise lame. My mouse clicks and I'm off to the front page of the forums?

                  I know.. it's a silly thing when you can travel 50 pixels higher and nail an 's' into the URL .. I still cringe at the vertical whitespace wasted by the logo's location ;)

                  --edit: gah! the forums keep rewriting my example URL. Looks like it works swimmingly.
                  Last edited by converge; April 27, 2007, 17:02.
                  if it gets me nowhere, I'll go there proud; and I'm gonna go there free.


                  • TheCotMan
                    *****Retired *****
                    • May 2004
                    • 8857

                    #24
                    Re: DEFCON Forums supports SSL

                    Originally posted by converge
                    hmm.. very nice. Only idea I'd throw out as a highly optional 'coolness factor' might be to make it a 'Click here to go HTTPS' link/graphic .. then have it link to the same URL but https.

                    For example, converge clicks on a link from a German evil hacker site that tells wondrous tales of ales that surpass all others. I click: http ://forum.defcon.org/showthread.php?t=6726&page=2, and see the image inviting me to use SSL instead because I'm otherwise lame. My mouse clicks and I'm off to the front page of the forums?
                    Trivial to add this. The question is, where, and how? (How in the sense of integration with the forums, not a coding question.)

                    I am not a fan of mods to the actual files used by the forums, as that creates complexity during upgrades, and complexity means greater risk for security holes, accidents, and problems.

                    The best place might be a template addition. I'll check into this and add research to my to-do list, and give you some possible choices.

                    I know.. it's a silly thing when you can travel 50 pixels higher and nail an 's' into the URL .. I still cringe at the vertical whitespace wasted by the logo's location ;)
                    Heh. I'm a pixel, but I am not higher or lower. Some day, I will be a hacker, and then the world will fear me! (heh-heh, hrm. Uhhh Yeah! I AM COT-HOLIO!)

                    --edit: gah! the forums keep rewriting my example URL. Looks like it works swimmingly.
                    Heh heh. Speaking of which, I need to fix an exception for the CP, since loaded settings will convert http:// to https:// risking a saved default from http:// to https:// and all of the problems associated with that.
                    Last edited by TheCotMan; April 28, 2007, 01:29.


                    • TheCotMan
                      *****Retired *****
                      • May 2004
                      • 8857

                      #25
                      Re: DEFCON Forums supports SSL

                      Originally posted by TheCotMan
                      Heh. I'm a pixel, but I am not higher or lower. Some day, I will be a hacker, and then the world will fear me! (heh-heh, hrm. Uhhh Yeah! I AM COT-HOLIO!)
                      I am a pixel, but am losing brightness. Doh!

                      CP issues have been fixed.
                      New workaround to allow for a session switch https>http and http>https is available.
                      For now, until we can find a better place that converge likes, I've got a link at the top called "Switch Session Encryption"
                      This link is designed to remember where you were, so that when you are switched from http to https or https to http, you are eventually brought back to the forum page you were viewing previously.

                      For now, if you click this while in http, you get a redirection page that META refresh-es you to use http, with a link to use if your browser does not support META refresh based redirection.

                      If you click on it from an https session, you get an ugly page with a red background, a warning about what you are doing, and NO refresh based in META; you have to choose one of the resulting links which will take you to http or https and the page you were viewing.

                      So converge, where do you want it? It would be easy enough to make the "DEF CON" banner image a link to the switch tool.

                      We can locate the switch script link in several places. Where would you like to see it?
                      (Other people can make suggestions here too.)

                      Originally posted by converge
                      hmm.. very nice. Only idea I'd throw out as a highly optional 'coolness factor' might be to make it a 'Click here to go HTTPS' link/graphic .. then have it link to the same URL but https.
                      Ok. 80% done. Rest is cosmetic.

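The "Switch Session Encryption" link above remembers the page the user was on and brings them back to it on the other scheme. The following Python is an added illustration, not the forums' own script: it assumes the return page travels in a query parameter of a hypothetical /switch.php, and it only honours a relative forum path, so the remembered location cannot be turned into a redirect to another host.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

FORUM_HOST = "forum.defcon.org"   # host named in the thread
SWITCH_PATH = "/switch.php"        # assumed name for the switch script


def switch_link(current_url: str) -> str:
    """Build the switch link for the page the user is viewing now.

    The link stays on the current scheme (the switch script does the flip)
    and carries the target scheme plus the current path+query as 'return'.
    """
    parts = urlsplit(current_url)
    target = "http" if parts.scheme == "https" else "https"
    # Only path and query are remembered, never scheme or host.
    ret = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    query = urlencode({"to": target, "return": ret})
    return urlunsplit((parts.scheme, parts.netloc, SWITCH_PATH, query, ""))


def redirect_target(switch_url: str) -> str:
    """Server side: compute where the switch script sends the user.

    The 'return' value is accepted only if it is a plain absolute path on
    this forum (no scheme, no host, not protocol-relative, no backslashes);
    anything else falls back to the forum front page.
    """
    q = parse_qs(urlsplit(switch_url).query)
    to = q.get("to", [""])[0]
    if to not in ("http", "https"):
        raise ValueError("target scheme must be http or https")
    rp = urlsplit(q.get("return", ["/"])[0])
    safe = (
        not rp.scheme
        and not rp.netloc
        and rp.path.startswith("/")
        and not rp.path.startswith("//")
        and "\\" not in rp.path
    )
    path, query = (rp.path, rp.query) if safe else ("/", "")
    return urlunsplit((to, FORUM_HOST, path, query, ""))


if __name__ == "__main__":
    link = switch_link("https://forum.defcon.org/showthread.php?t=6726&page=2")
    print(link)
    print(redirect_target(link))
```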

                      • astcell
                        Human Rights Issuer
                        • Oct 2001
                        • 7512

                        #26
                        Re: DEFCON Forums supports SSL

                        I like the "TRY" https. It screams "No guarantees." Guess you know us too well.

                        How about adding "Login from your .gov domain to see a special forum just for you!"

                        :-)


                        • theprez98
                          SpoonfeederExtraordinaire
                          • Jan 2005
                          • 1507

                          #27
                          Re: DEFCON Forums supports SSL

                          Originally posted by astcell
                          I like the "TRY" https. It screams "No guarantees." Guess you know us too well.

                          How about adding "Login from your .gov domain to see a special forum just for you!"

                          :-)
                          Don't forget .mil
                          "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";


                          • Thorn
                            Easy Bake Oven Iron Chef
                            • Sep 2002
                            • 1819

                            #28
                            Re: DEFCON Forums supports SSL

                            Is anyone else getting the thread notification and PM notification emails pointing to the http and not https?
                            Thorn
                            "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


                            • TheCotMan
                              *****Retired *****
                              • May 2004
                              • 8857

                              #29
                              Re: DEFCON Forums supports SSL

                              Originally posted by Thorn
                              Is anyone else getting the thread notification and PM notification emails pointing to the http and not https?
                              Good catch.

                              Everyone does. The forums allow us to specify a default URL and that is used for all communications in E-Mail about thread notices, and account resets like passwords.

                              Now that we have two-way substitution (one for http consistency and another for https consistency) we can look into resetting the default forum URL from http://forum.defcon.org/ to https://forum.defcon.org.

                              Converge: what do you think? You want to do this? (if you are too busy, I can do it for you.)
                              There may be some fallout if/when we do this that we don't expect, but almost everything on the forums should work just as it does, except email notices.


                              • converge
                                No Values Voter
                                • Oct 2001
                                • 3322

                                #30
                                Re: DEFCON Forums supports SSL

                                Originally posted by TheCotMan
                                we can look into resetting the default forum URL from https://forum.defcon.org/ to https://forum.defcon.org
                                ... diff -u? attaaack.. of the killer rewrite!

                                Originally posted by TheCotMan
                                Converge: what do you think? You want to do this? (if you are too busy, I can do it for you.)
                                Thinking before doing.
                                if it gets me nowhere, I'll go there proud; and I'm gonna go there free.
