Good morning,
I just switched bbs.archlinux.org to use only https. http users are redirected automatically to https, so the transition should be without trouble. There is a catch though:
1) Apache configures SSL per-vhost. That means that even though we have a wildcard certificate, the browser must support SNI for name-based vhosts to work. All clients that are not SNI-capable will be redirected to www instead.
2) wget doesn't like wildcard certificates. That means you need to use --no-check-certificate with wget.
3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.
Let me know if there are any problems.
Offline
> 1) Apache configures SSL per-vhost. That means that even though we have a wildcard certificate, the browser must support SNI for name-based vhosts to work. All clients that are not SNI-capable will be redirected to www instead.
Pierre says I was wrong. The behaviour of Apache apparently contradicts the documentation, and name-based vhosts with a wildcard certificate work despite the lack of SNI. Even better.
Offline
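Why a wildcard certificate can still validate for a client that sends no SNI, as an added example that is not part of the thread: the client only checks that a name in whatever certificate it receives matches the host it asked for. The certificate names below are constructed, since the thread does not quote the real ones.

```python
# Added example: client-side name check for a certificate served without SNI.
# "*.archlinux.org" is an assumed wildcard name; the thread does not quote the
# certificate's actual subject names.

def match_name(pattern: str, host: str) -> bool:
    """Left-most-label wildcard match in the style of RFC 6125."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False          # a wildcard never spans more or fewer labels
    if p[0] == "*":
        # '*' stands for exactly one label and needs a real domain after it
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def accepted_without_sni(default_cert_names, requested_host) -> bool:
    """A client that sends no SNI is handed the server's default certificate.
    It accepts the connection only if one of that certificate's names matches
    the host it asked for."""
    return any(match_name(n, requested_host) for n in default_cert_names)


WILDCARD_CERT = ["*.archlinux.org"]        # constructed sample
SINGLE_NAME_CERT = ["www.archlinux.org"]   # constructed sample


def report():
    """Return {host: (ok with wildcard cert, ok with single-name cert)}."""
    hosts = ["bbs.archlinux.org", "www.archlinux.org",
             "archlinux.org", "a.bbs.archlinux.org"]
    return {h: (accepted_without_sni(WILDCARD_CERT, h),
                accepted_without_sni(SINGLE_NAME_CERT, h)) for h in hosts}


if __name__ == "__main__":
    for host, (wild, single) in report().items():
        print(f"{host:22} wildcard={wild!s:5} single-name={single}")
```

The bare domain and deeper subdomains fail against the wildcard, so they need their own certificate name.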
Now bbs says I haven't read many links - they're blue. I needed to click 20 times to get 'Show new posts since last visit' into the purple so I can see any new / unvisited topics easily.
Not a big deal.
Offline
nice, I really prefer reading those package signing threads over https
ᶘ ᵒᴥᵒᶅ
Offline
Excellent. Now if only some of the browsers worked correctly with SSL. CURL reports no problems which is a good thing.
aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies
Offline
Uhm, this might sound kinda weird but... why?
Besides the login page, exactly why do we need ssl on the bbs?
It is better to keep your mouth shut and be thought a fool than to open it and remove all doubt. (Mark Twain)
Offline
> Uhm, this might sound kinda weird but... why?
> Besides the login page, exactly why do we need ssl on the bbs?
Your cookie that is used for authentication after login might be intercepted and used by a third party - and afaik, the login is not bound to an IP address by default.
Furthermore, it is much less complicated this way.
Offline
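A cookie set without the `Secure` attribute is still attached to a plain-http request, so the http-to-https redirect alone does not keep the authentication cookie described above off the wire. An added example (not part of the thread and not the forum software's code) that audits `Set-Cookie` values for this; cookie names and values are constructed, and domain/path matching is ignored.

```python
from http.cookies import SimpleCookie

FLAGS = (("Secure", "secure"), ("HttpOnly", "httponly"))


def missing_flags(set_cookie_value: str) -> dict:
    """Map each cookie in one Set-Cookie header value to the flags it lacks."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return {name: [label for label, key in FLAGS if not morsel[key]]
            for name, morsel in jar.items()}


def sent_in_cleartext(set_cookie_values, request_url: str) -> list:
    """Names of stored cookies a browser would attach to request_url
    without TLS. Only the scheme and the Secure flag are considered."""
    if not request_url.lower().startswith("http://"):
        return []                      # https request: nothing goes in clear
    exposed = []
    for value in set_cookie_values:
        exposed += [name for name, missing in missing_flags(value).items()
                    if "Secure" in missing]
    return exposed


# Constructed Set-Cookie values; "forum_session" is a hypothetical name.
BEFORE = [
    "forum_session=3f9a1c; Path=/; HttpOnly",
    "style=dark; Path=/",
]
AFTER = [
    "forum_session=3f9a1c; Path=/; Secure; HttpOnly",
    "style=dark; Path=/; Secure",
]

if __name__ == "__main__":
    url = "http://bbs.archlinux.org/"   # first request, before the redirect
    print("before:", sent_in_cleartext(BEFORE, url))
    print("after: ", sent_in_cleartext(AFTER, url))
```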
The question is the other way round: Why do you want to send unencrypted data over the internet for everyone to see and get data that might have been altered by third parties?
Offline
> The question is the other way round: Why do you want to send unencrypted data over the internet for everyone to see and get data that might have been altered by third parties?
Information wants to be freeeeeeeeeeeeeee!
Offline
Minefield doesn't trust the certificate, exception added...
Offline
> The question is the other way round: Why do you want to send unencrypted data over the internet for everyone to see and get data that might have been altered by third parties?
Seriously? With this mentality anything and everything on the Internet should go through SSL. Are you really defending this?
Offline
> With this mentality anything and everything on the Internet should go through SSL. Are you really defending this?
When you download some files it should be enough to check some hard-to-crack checksums.
SSL for things like internet forum is fine with me.
Offline
@jocheem67: every browser in our repos knows about this cert
@dcc24: Yes, I am serious. Everything should be encrypted. The internet is simply not a trusted network.
Offline
> 3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.
This is what led me here to find this thread.
When I surf to http://bbs.archlinux.org/, Opera will show me a certificate warning while being redirected to the https. When using https directly, it won't give me the warning.
Nice to see this issue wasn't anything to worry about but just a sign of progress.
Offline
me too. I always receive a certificate warning (chromium).
kinda annoying, think you can fix that?
Offline
chromium works fine. Are you sure you are using Arch and chromium from extra?
Offline
> me too. I always receive a certificate warning (chromium).
> kinda annoying, think you can fix that?
chromium from extra or the crap downloaded from google's servers?
> Minefield doesn't trust the certificate, exception added...
that's already built or compiled against system libs?
Last edited by wonder (2010-07-16 11:21:20)
Give what you have. To someone, it may be better than you dare to think.
Offline
> @jocheem67: every browser in our repos knows about this cert
> @dcc24: Yes, I am serious. Everything should be encrypted. The internet is simply not a trusted network.
Maybe, but why would anyone want to steal my login credentials to a linux bulletin board? It has to be the most worthless piece of digital info I have. Or are you thinking of things like IP # etc?
Has there been an active security problem we haven't been alerted to....or are we linux users just getting more paranoid? The timing is strange, given the redesign of the website etc. Was this on the burner for a while, or what? I'm curious what the reason is for the sudden switch after so many years of HTTP.
Last edited by Skripka (2010-07-16 11:28:00)
Offline
Great news
Offline
>> METZGERR wrote: me too. I always receive a certificate warning (chromium).
>> kinda annoying, think you can fix that?
> chromium from extra or the crap downloaded from google's servers?
the error occurs on ubuntu AND from arch repos.
Last edited by METZGERR (2010-07-16 11:38:24)
Offline
I have chromium from extra - no warnings, no problems.
Offline
Please specify the error and how to reproduce it. Chromium is just working fine here.
Offline
>> wonder wrote:
>>> METZGERR wrote: me too. I always receive a certificate warning (chromium).
>>> kinda annoying, think you can fix that?
>> chromium from extra or the crap downloaded from google's servers?
> the error occurs on ubuntu AND from arch repos.
we warned about browsers on other operating systems/distribution. now let's settle the chromium one.
pacman -Qs chromium.
if it has another name, it is your problem, not ours; google-chrome, chromium-browser-bin or whatever variant from aur is not supported
Last edited by wonder (2010-07-16 11:51:36)
Offline
my chromium 5.0.375.99 doesn't like the certificate either:
Offline
If you are not using arch or one of our packages you have to install the cacert root certs for yourself.
Offline