https certificates?

feedback, comments and suggestions pertaining to the *. forums
pau1ie
Posts: 327
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

https certificates?

Postby pau1ie » Tue Mar 28, 2017 9:28 am

It worries me a little that this website doesn't have a https certificate. This leaves users at risk of session hijacking and possibly password sniffing when they are on wifi hotspots e.g. at meetups.

Have you considered using Let's Encrypt? I set it up on my own website. It is free. Once you get it working, it requires no intervention. There is a cron job which checks if you need a new certificate periodically and updates it automatically if you do.

I found the install script broke my configuration, but this was many months ago so it might be fixed by now. I think it may have been confused because I had already configured https for a purchased certificate. Anyway, it was quite easy to recover and make the changes manually. The automatic update works fine though.
I'm working on http://bbcmicro.co.uk

danielj
Posts: 5367
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Tue Mar 28, 2017 9:37 am

I'd hope that no one used a password on here that they used on anything important (as it's just a forum). HTTPS did cost money but I'll have a look at what you've suggested there, it looks interesting!

d.

1024MAK
Posts: 6799
Joined: Mon Apr 18, 2011 4:46 pm
Location: Looking forward to summer in Somerset, UK...

Re: https certificates?

Postby 1024MAK » Tue Mar 28, 2017 11:47 am

World of Spectrum forums changed to https not long ago.
Worth looking into methinks.

Mark
For a "Complete BBC Games Archive" visit www.bbcmicro.co.uk NOW!
BeebWiki - for answers to many questions...

Prime
Posts: 2347
Joined: Sun May 31, 2009 11:52 pm

Re: https certificates?

Postby Prime » Tue Mar 28, 2017 12:56 pm

danielj wrote: I'd hope that no one used a password on here that they used on anything important (as it's just a forum). HTTPS did cost money but I'll have a look at what you've suggested there, it looks interesting!

Self signed certificates would work if web browsers didn't try and scare you into thinking that it automatically means the site has been hacked.

Cheers.

Phill.

roland
Posts: 2808
Joined: Thu Aug 29, 2013 8:29 pm
Location: Born (NL)

Re: https certificates?

Postby roland » Tue Mar 28, 2017 1:15 pm

If setting up the Let's Encrypt certificates on this platform is too much work, I'm willing to donate a Comodo PositiveSSL certificate for three years.
256K + 6502 Inside
MAN WOMAN :shock:

sbadger
Posts: 233
Joined: Mon Mar 25, 2013 1:12 pm
Location: Farnham, Surrey

Re: https certificates?

Postby sbadger » Fri Apr 07, 2017 8:48 am

Just pointing out, Let's Encrypt might not be the best choice right at the moment. There is a fair chance they could face revocation of trusted root CA in some browsers/OSs

https://slashdot.org/story/17/03/25/2222246/over-14k-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites
A3020| A3000x3| BBCBx3 | Electrn | Masterx3 |RiscPC| RPix3
A600 | C64 bbin x2|C64C | Toastrack |QL | XB360&1X |GB |GBC |GBA |GBASP | DS | 3DS XL x2| MD | MS
Atari 7600 | PS1-2-3-4| PSP |Vita |SNES |GC |N64 |Wii & U |Switch |JammaCab |Sony PVMx2

BigEd
Posts: 1500
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: https certificates?

Postby BigEd » Fri Apr 07, 2017 10:20 am

Sounds faintly likely that that news story is promoted by a business which is threatened by Let's Encrypt. It's not at all obvious that Let's Encrypt did anything wrong: it's their job to issue certs to orgs which own domain names, not their job to control which domain names orgs own. (EV certs are a different case, they demand higher standards, but they are not part of this story.)

pau1ie
Posts: 327
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Postby pau1ie » Fri Apr 07, 2017 5:53 pm

sbadger wrote: There is a fair chance they could face revocation of trusted root CA in some browsers/OSs

I can't see any suggestion of that in the story linked to from the slashdot article.
I'm working on http://bbcmicro.co.uk

paulv
Posts: 3606
Joined: Tue Jan 25, 2011 6:37 pm
Location: Leicestershire

Re: https certificates?

Postby paulv » Fri Apr 07, 2017 8:13 pm

I have several clients that have tried the Let's Encrypt route and all but one have gone back to a more traditional certificate because they've found that many browsers simply aren't happy with the Let's Encrypt certs.

I'd be quite happy to chip in to an SSL certificate fund if there was such a thing. These days Comodo certs aren't that expensive for 2 and 3 year time spans.

This brings me onto another related question. Has it ever been considered that a "donate" link is put on the site somewhere in order to allow members to donate funds for the explicit use of hosting and upkeep of the site?

I used to be able to contribute more of my time to the forums and if I could manage it, I still would but these days, contributing to the community in other ways is more practical for me.

Paul

sweh
Posts: 1847
Joined: Sat Mar 10, 2012 12:05 pm
Location: New York, New York

Re: https certificates?

Postby sweh » Sat Apr 08, 2017 12:36 pm

There are no requirements on CAs that issue DV (domain verified) certificates to prevent phishing certs. LetsEncrypt are fully compliant with the CA/B Forum standards. I haven't heard anything about the major browsers planning on untrusting LE.

FWIW, https://www.sweharris.org/post/2017-03- ... nsparency/ explains why I think the CAs _can't_ solve this problem (typosquatting) and sheer size of the attack surface (paypal seems an obvious one, but what about the gazillion of banks and shopping sites?).

I'm not the only security person to think this way; eg Scott Helme (he's a recognised name in the industry) https://scotthelme.co.uk/lets-encrypt-a ... ey-should/

To solve it at the CA level would mean, effectively, that DV certs would need to go away and every cert become an EV (Extended Validation) cert costing many $$$. Over 50% of all traffic is now encrypted ( https://www.troyhunt.com/https-adoption ... ing-point/ ).

The solution needs to be at the browser level where the UI lives; stop using the word "secure" for SSL sites, because the certificate is NOT a proof of entity of the person/company behind the site.

FWIW, most "LE certs are not trusted" issues are due to misconfiguration on the server (eg not including the chaining cert). You can test the server configuration at https://www.ssllabs.com/ssltest/ (I get an A+ for my site; https://www.sweharris.org/post/2016-10-16-ssl-score/ )

LE certs are cross-signed by "DST Root CA X3" which is in most browsers, these days. Some older java systems (java 6!) don't have the cert. Full details at https://community.letsencrypt.org/t/whi ... crypt/4394
Rgds
Stephen
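
The misconfiguration sweh describes above (a server that does not send the chaining certificate), reproduced offline as an added example that is not part of the original thread. The root, intermediate and leaf for `forum.example` are constructed throwaway certificates, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Every key, name and certificate here is constructed and throwaway.
set -eu

# issue NAME CN EXTFILE [ISSUER]: create a key and a certificate in $W.
# With no ISSUER the certificate is self-signed (the root).
issue() {
    name="$1"; cn="$2"; ext="$3"; issuer="${4:-}"
    openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" \
        -keyout "$W/$name.key" -out "$W/$name.csr" -subj "/CN=$cn" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$W/$name.csr" -signkey "$W/$name.key" \
            -days 30 -extfile "$ext" -out "$W/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$W/$name.csr" -CA "$W/$issuer.pem" \
            -CAkey "$W/$issuer.key" -CAcreateserial \
            -days 30 -extfile "$ext" -out "$W/$name.pem" 2>/dev/null
    fi
}

# check_chain ROOT LEAF [SENT]: verify LEAF as a client that trusts only ROOT.
# SENT is the file of intermediates the server includes in its handshake, if any.
check_chain() {
    root="$1"; leaf="$2"; sent="${3:-}"
    if openssl verify -CAfile "$root" ${sent:+-untrusted "$sent"} "$leaf" \
        >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    W="$(mktemp -d)"
    # Minimal request config so the demo does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=Common Name\n' \
        > "$W/req.cnf"
    # CA certificates must be marked as such or they cannot act as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$W/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:forum.example\n' \
        > "$W/leaf.ext"

    issue root  "Demo Root"         "$W/ca.ext"
    issue inter "Demo Intermediate" "$W/ca.ext"   root
    issue leaf  "forum.example"     "$W/leaf.ext" inter

    # Misconfigured server: only the leaf is sent, so the client cannot
    # build a path from the leaf to the root it trusts.
    echo "leaf only: $(check_chain "$W/root.pem" "$W/leaf.pem")"
    # Correct server: leaf plus intermediate, so the path completes.
    echo "leaf + intermediate: $(check_chain "$W/root.pem" "$W/leaf.pem" "$W/inter.pem")"
    rm -rf "$W"
}

demo
```

On a real server the fix is to serve the leaf and intermediate together, which is the file certbot writes as `fullchain.pem`.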

pau1ie
Posts: 327
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Postby pau1ie » Sat Apr 08, 2017 6:20 pm

I use Let's Encrypt for my family's owncloud installation. We have not noticed any browser that doesn't trust it by default, though I haven't searched extensively. We use it from home and work on several OSes including mobile devices. If you look at the sponsors, they are actually sponsored by at least two browser developers - Chrome and Mozilla, and a number of hosting companies. Also big names like Facebook and Cisco.

For me the big plus of Let's Encrypt was the automated renewal. Buying a cert is a rather manual process with a hard end date and Murphy dictates it will occur when you are busy for some reason. Let's Encrypt I don't have to worry about, the certificate has been changed about three times since I went to them, and I didn't have to do a thing. I wouldn't have even noticed if I hadn't checked the expiration date periodically. I realise people might assume that since it is free you get what you pay for, but I really think it is superior to other options for this reason.

Like paulv I am grateful to those who donate their time and money to keep these forums running. They bring me a lot of pleasure, and I think the role in preserving the history of British Computing can hardly be understated. Thank you!
I'm working on http://bbcmicro.co.uk

paulv
Posts: 3606
Joined: Tue Jan 25, 2011 6:37 pm
Location: Leicestershire

Re: https certificates?

Postby paulv » Sun Apr 09, 2017 8:56 am

I should qualify my statement by saying I've not had contact with Let's Encrypt certs for several months so browser support may well have been improved through addition of the CA to the accepted browser lists.

As a software developer, I encountered even more issues with Let's Encrypt users because of Java JVMs not having the CA certs installed in their keystore on production machines so when sites switch over to Let's Encrypt, the CA certs need to be loaded into the relevant keystores. On production machines where there are deployment cycles, this can take *weeks* with some organisations to get sorted because of their insistence on deploying any and all changes to a test site before going to a staging site and finally moving everything into production. Whilst I understand this process is necessary for thorough testing, I tend to think that adding a cert to a keystore is one of those things that could be done without too much fuss directly in production environments.

Paul

pau1ie
Posts: 327
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Postby pau1ie » Sun Apr 09, 2017 9:04 pm

I had the same problem with the JVM not trusting a certificate issued by QuoVadis. I assume Oracle do a half-hearted job with the JVM, and the administrators have to sort out the rest. This problem isn't limited to Let's Encrypt. My guess is that browsers are targeted at users who require hand holding, but JVM is targeted at administrators who know what they are doing.
I'm working on http://bbcmicro.co.uk

tautology
Posts: 352
Joined: Wed Sep 01, 2010 2:26 pm

Re: https certificates?

Postby tautology » Mon Nov 27, 2017 8:58 am

+1 on this. As a person who works in the security industry, I recommend that every site is distributed over SSL where possible. SSL certificates are no longer stupidly expensive and can be obtained quite cheaply, or even for free.

It should only take about 30 minutes of time to configure the site to use SSL as well.

danielj
Posts: 5367
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Mon Nov 27, 2017 9:11 am

I'm on it - it's just a question of getting some time!

d.

Lardo Boffin
Posts: 673
Joined: Thu Aug 06, 2015 6:47 am

Re: https certificates?

Postby Lardo Boffin » Mon Nov 27, 2017 9:31 am

+1 for the donate button.
BBC model B 32k issue 4, 16k sideways RAM, Watford 12 ROM board, Retroclinic Datacentre + HDD, matchbox co-proc, Viglen twin 40/80 5.25" discs, acorn cassette
BBC model B 32k issue 7, turboMMC, Opus Challenger 3 512k, Pi 3 coproc, Acorn 6502 coproc

crj
Posts: 328
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Postby crj » Mon Nov 27, 2017 3:34 pm

Let's Encrypt terrifies me. Although it's purporting to be fully trustworthy, in practice the only thing it protects against is control of a domain changing after the certificate has been issued. Certification is supposed to give a more sure proof of identity than that. I don't know whether or not they're about to lose their CA status, but they probably ought to.

A few years ago, I toyed with creating mendax.net, a CA that would sign literally anything you put under its nose. Yet again, life is very nearly imitating art. )-8

For what Let's Encrypt does, DNSSEC is strictly superior; here's hoping for more widespread deployment soon.

flibble
Posts: 592
Joined: Tue Sep 22, 2009 10:29 am

Re: https certificates?

Postby flibble » Mon Nov 27, 2017 3:42 pm

crj wrote: Let's Encrypt terrifies me. Although it's purporting to be fully trustworthy, in practice the only thing it protects against is control of a domain changing after the certificate has been issued. Certification is supposed to give a more sure proof of identity than that. I don't know whether or not they're about to lose their CA status, but they probably ought to.


You appear to have a misunderstanding of the levels of SSL certificates issued by all providers. Let's Encrypt only provides 'Domain Verified' certificates, these are also provided by all the commercial providers as their first tier of pricing. They are not going anywhere and no provider is going to lose their trusted status over providing them.

You have certainly visited hundreds of sites that are using Domain Verified certs from many providers without it causing an issue.

danielj
Posts: 5367
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Mon Nov 27, 2017 4:21 pm

I only get worried if people start asking for valuable information. For the purposes of stardot, letsencrypt can verify the domain, let you know that you're talking to the right place, and ensure that comms between your computer and the server are encrypted. So long as you trust me to have generated the certificate :)

d.

BigEd
Posts: 1500
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: https certificates?

Postby BigEd » Mon Nov 27, 2017 4:49 pm

AIUI LetsEncrypt offers short-life certificates so it's mandatory to set up some kind of automatic renewal - and that's where the complexity lies. Is that right?

(Another option is to serve your site through CloudFlare, who run an edge-caching service. There are several choices for how you sort out their link to your server, including unencrypted - which still has value, depending on your threat model. It prevents the library or coffee shop, or their other patrons, from snooping your session and causing mayhem.)

crj
Posts: 328
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Postby crj » Mon Nov 27, 2017 4:50 pm

flibble wrote: You appear to have a misunderstanding of the levels of SSL certificates issued by all providers. Let's Encrypt only provides 'Domain Verified' certificates, these are also provided by all the commercial providers as their first tier of pricing. They are not going anywhere and no provider is going to lose their trusted status over providing them.

No, I don't have a misunderstanding. Domain-verified certificates are next to worthless and shouldn't exist. Let's Encrypt is just the chief offender.

As I say, DNSSEC is strictly superior.

Commercial concerns have trumped legitimate security engineering. On the one hand, there's a race to the bottom to provide that little padlock symbol by any means necessary; on the other, it turned out that the reason the service of verifying an applicant's identity was valuable and expensive was that it was difficult.

crj
Posts: 328
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Postby crj » Mon Nov 27, 2017 4:51 pm

BigEd wrote: It prevents the library or coffee shop, or their other patrons, from snooping your session and causing mayhem.

If that's your only concern, use a VPN or Tor; no need for https at all.

tautology
Posts: 352
Joined: Wed Sep 01, 2010 2:26 pm

Re: https certificates?

Postby tautology » Mon Nov 27, 2017 7:02 pm

crj wrote:
BigEd wrote: It prevents the library or coffee shop, or their other patrons, from snooping your session and causing mayhem.

If that's your only concern, use a VPN or Tor; no need for https at all.


That's fundamentally missing the whole point of encryption - using Tor or a VPN you're just allowing people at the Tor/VPN end point to view the traffic. Plus there's no integrity checking that the server is valid.

With HTTPS you have client to server encryption and you have a secondary check that the server has been issued a certificate by a valid authority, so the server you're talking to is the server that you intended to hit.

LetsEncrypt provides a route for the average person to get an encrypted site up and running for minimal cost. The only difference between LE and some of the largest companies (e.g. GoDaddy) is that GoDaddy charge and issue the certificate for longer.

danielj
Posts: 5367
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Mon Nov 27, 2017 9:44 pm

OK - if you want to connect via https, you should now be able to - please let me know if you have any issues!

d.

philb
Posts: 118
Joined: Sat Aug 05, 2017 6:05 pm

Re: https certificates?

Postby philb » Mon Nov 27, 2017 10:07 pm

danielj wrote: OK - if you want to connect via https, you should now be able to - please let me know if you have any issues!


Yes. Rock! =D>

BigEd
Posts: 1500
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: https certificates?

Postby BigEd » Mon Nov 27, 2017 10:12 pm

Works for me - excellent! Tried a few browsers and devices. (Links in emails are still plain http. I suppose you need to be sure, first, that they will work for everyone.)

paulb
Posts: 784
Joined: Mon Jan 20, 2014 9:02 pm

Re: https certificates?

Postby paulb » Mon Nov 27, 2017 10:15 pm

tautology wrote: That's fundamentally missing the whole point of encryption - using Tor or a VPN you're just allowing people at the Tor/VPN end point to view the traffic.


This really does need emphasising. Tor is largely intended to obscure the origin of traffic, not to protect that traffic from eavesdropping. And given the way that the traffic has to emerge from endpoints, it can even be a liability for unencrypted traffic. There was that case a while back of some security researcher having collected all sorts of interesting credentials from sniffing traffic at a Tor endpoint, and one rather got the impression that certain entities might not have liked the guy going public with his discoveries.

danielj
Posts: 5367
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Mon Nov 27, 2017 10:23 pm

OK - I'm having some issues deciphering how this was previously configured to prevent access to certain directories. Just for now I'm disabling https until I can get that bit straightened out... It might be tomorrow, but basically it works...

d.

tautology
Posts: 352
Joined: Wed Sep 01, 2010 2:26 pm

Re: https certificates?

Postby tautology » Mon Nov 27, 2017 11:41 pm

Cool, thanks!

crj
Posts: 328
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Postby crj » Tue Nov 28, 2017 2:10 am

tautology wrote: That's fundamentally missing the whole point of encryption

There is no one "whole point" of encryption.

There are a whole bunch of threat models and, as I assume you're aware, it's dangerous to talk about "encrypted" as though it were some panacea, any encryption protecting against every threat.

tautology wrote: using Tor or a VPN you're just allowing people at the Tor/VPN end point to view the traffic


Unless you personally exchange public keys with the site administrators, you've got to trust some intermediary. You cited the threat model of eavesdropping local to the client; I suggested a mitigation for that threat model, by instead trusting a VPN provider, or a series of randomly-chosen Tor exit nodes. If you trust the owners and patrons of your local coffee shop more then, well, don't use a VPN or Tor!

tautology wrote: Plus there's no integrity checking that the server is valid.


Domain-validated certification provides integrity checking that's next to useless. The only protection it offers is that an attacker has to have demonstrated control over the domain from the perspective of the CA as well as the client; the man in the middle has to be a little closer to the server. The attacker doesn't even need to have current control over the domain from the CA's perspective - revocation is hazardously flaky in practice, so anyone who has ever compromised a server has an enduring ability to impersonate it.

Worse, once a browser accepts domain-validated certification, it's vulnerable to a security-downgrade attack because nothing prevents such certificates being issued for any domain by any CA.

DNSSEC, by contrast, proves that the publisher of the DNS records has demonstrated to the registrar's satisfaction that they're the registrant. That puts security in the right place: the client doesn't need to know how lax or stringent the registrar's controls are, and the owners of important domains can use a value-added registrar with extra checks.

tautology wrote: you have a secondary check that the server has been issued a certificate by a valid authority


This is the whole trusted-trustworthy dichotomy writ large. Your https security is only as strong as the least stringent integrity check performed by the most incompetent CA in your browser's list, and that list is now polluted with literally hundreds of entities we shouldn't be trusting.

Just because an authority is deemed valid, that doesn't mean it deserves the accolade.

tautology wrote: LetsEncrypt provides a route for the average person to get an encrypted site up and running for minimal cost. The only difference between LE and some of the largest companies (e.g. GoDaddy) is that GoDaddy charge and issue the certificate for longer.


As a result, lots of users and web admins alike think their connection is safer than it really is. That's a dangerous misapprehension which is going to cause an ugly mess.

X.509 implementations have been getting shonkier and shonkier for decades. We may be about to put the nail in the coffin.

