#1 2010-07-16 09:13:02

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

This bbs now uses https exclusively

Good morning,

I just switched bbs.archlinux.org to use only https. http users are redirected automatically to https, so the transition should be without trouble. There is a catch though:

1) Apache configures SSL per-vhost. That means that even though we have a wildcard certificate, the browser must support SNI for name-based vhosts to work. All clients that are not SNI-capable will be redirected to www instead.
2) wget doesn't like wildcard certificates. That means you need to use --no-check-certificate with wget.
3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.

Let me know if there are any problems.

Offline

#2 2010-07-16 09:27:35

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: This bbs now uses https exclusively

brain0 wrote:

1) Apache configures SSL per-vhost. That means that even though we have a wildcard certificate, the browser must support SNI for name-based vhosts to work. All clients that are not SNI-capable will be redirected to www instead.

Pierre says I was wrong. The behaviour of Apache apparently contradicts the documentation, and name-based vhosts with a wildcard certificate work despite the lack of SNI. Even better.

Offline
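
Why one wildcard certificate can serve several name-based vhosts, as the two posts above discuss: the client only checks that the requested hostname is covered by a name in the certificate. This is an added example, not code from the thread or from the server; the name `*.archlinux.org` and the function names are assumptions, and the matcher applies the strict rule (wildcard only as the whole leftmost label, covering exactly one label) without consulting a public-suffix list.

```python
import ipaddress

def _is_ip(host):
    """True if host is an IP literal; wildcards never apply to those."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(pattern, host):
    """Return True if the certificate name `pattern` covers `host`."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if _is_ip(host):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # A wildcard stands for exactly one label, so the label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require two fixed labels after the wildcard so "*.org" is refused.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial ("b*.example") or non-leftmost wildcards are refused outright.
    if "*" in pattern:
        return False
    return p_labels == h_labels

def cert_covers(cert_names, host):
    """True if any name listed in the certificate covers `host`."""
    return any(name_matches(name, host) for name in cert_names)

# Constructed sample: the names an assumed wildcard certificate would carry.
CERT_NAMES = ["*.archlinux.org"]

if __name__ == "__main__":
    for h in ("bbs.archlinux.org", "www.archlinux.org",
              "archlinux.org", "a.bbs.archlinux.org"):
        print(h, cert_covers(CERT_NAMES, h))
```

The bare domain and any deeper subdomain are not covered, so a wildcard certificate needs an extra name for each of those if they are served over https.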

#3 2010-07-16 09:31:36

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: This bbs now uses https exclusively

Now bbs says I haven't read many links - they're blue. I needed to click 20 times to get 'Show new posts since last visit' into the purple so I can see any new / unvisited topics easily.
Not a big deal.

Offline

#4 2010-07-16 09:41:24

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: This bbs now uses https exclusively

nice, i really prefer reading those package signing threads over https ;)


ᶘ ᵒᴥᵒᶅ

Offline

#5 2010-07-16 09:53:18

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: This bbs now uses https exclusively

Excellent. Now if only some of the browsers worked correctly with SSL. CURL reports no problems which is a good thing. :)


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline

#6 2010-07-16 10:24:05

dcc24
Member
Registered: 2009-10-31
Posts: 732

Re: This bbs now uses https exclusively

Uhm, this might sound kinda weird but... why?

Besides the login page, exactly why do we need ssl on the bbs?


It is better to keep your mouth shut and be thought a fool than to open it and remove all doubt. (Mark Twain)

My AUR packages

Offline

#7 2010-07-16 10:29:57

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: This bbs now uses https exclusively

dcc24 wrote:

Uhm, this might sound kinda weird but... why?

Besides the login page, exactly why do we need ssl on the bbs?

Your cookie that is used for authentication after login might be intercepted and used by a third party - and afaik, the login is not bound to an IP address by default.

Furthermore, it is much less complicated this way.

Offline
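
A check for the risk described in the post above, as an added example that is not part of the thread or of the forum software: it audits captured responses to confirm that plain-http requests are only redirected to https and that the authentication cookie carries the `Secure` attribute, without which a browser may still send it over http. The host `forum.example`, the cookie name `forum_session` and the sample responses are constructed.

```python
REDIRECTS = {301, 302, 303, 307, 308}

def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(url, status, headers, session_cookie):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    scheme = url.partition(":")[0].lower()
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if scheme == "http":
        if status not in REDIRECTS or not location.lower().startswith("https://"):
            findings.append("plain-http request is not redirected to https")
        if cookies:
            findings.append("cookie set over plain http")
    for value in cookies:
        name, attrs = cookie_attrs(value)
        if name == session_cookie and "secure" not in attrs:
            findings.append(f"{name} lacks the Secure attribute")
    return findings

# Constructed sample responses: (url, status, headers).
SAMPLES = {
    "redirect": ("http://forum.example/", 301,
                 [("Location", "https://forum.example/")]),
    "weak": ("https://forum.example/login", 200,
             [("Set-Cookie", "forum_session=3f9a; Path=/; HttpOnly")]),
    "good": ("https://forum.example/login", 200,
             [("Set-Cookie", "forum_session=3f9a; Path=/; Secure; HttpOnly")]),
    "mixed": ("http://forum.example/login", 200,
              [("Set-Cookie", "forum_session=3f9a; Path=/")]),
}

def run_samples():
    """Audit every constructed sample and return {label: findings}."""
    return {label: audit_response(*resp, session_cookie="forum_session")
            for label, resp in SAMPLES.items()}
```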

#8 2010-07-16 10:33:50

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: This bbs now uses https exclusively

The question is the other way round: Why do you want to send unencrypted data over the internet for everyone to see and get data that might have been altered by third parties?

Offline

#9 2010-07-16 10:35:52

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: This bbs now uses https exclusively

Pierre wrote:

The question is the other way round: Why do you want to send unencrypted data over the internet for everyone to see and get data that might have been altered by third parties?

Information wants to be freeeeeeeeeeeeeee!


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline

#10 2010-07-16 10:37:47

jocheem67
Member
Registered: 2009-11-09
Posts: 243

Re: This bbs now uses https exclusively

Minefield doesn't trust the certificate, exception added...

Offline

#11 2010-07-16 10:39:56

dcc24
Member
Registered: 2009-10-31
Posts: 732

Re: This bbs now uses https exclusively

Pierre wrote:

The question is the other way round: Why do you want to send unencrypted data over the internet for everyone to see and get data that might have been altered by third parties?

Seriously? With this mentality anything and everything on the Internet should go through SSL. Are you really defending this?


It is better to keep your mouth shut and be thought a fool than to open it and remove all doubt. (Mark Twain)

My AUR packages

Offline

#12 2010-07-16 10:43:58

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: This bbs now uses https exclusively

> With this mentality anything and everything on the Internet should go through SSL. Are you really defending this?
When you download some files it should be enough to check some hard-to-crack checksums.
SSL for things like internet forum is fine with me.

Offline

#13 2010-07-16 10:44:10

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: This bbs now uses https exclusively

@jocheem67: every browser in our repos knows about this cert

@dcc24: Yes, I am serious. Everything should be encrypted. The internet is simply not a trusted network.

Offline

#14 2010-07-16 10:50:17

Awebb
Member
Registered: 2010-05-06
Posts: 6,268

Re: This bbs now uses https exclusively

brain0 wrote:

3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.

This is what led me here to find this thread.

When I surf to http://bbs.archlinux.org/, Opera will show me a certificate warning while being redirected to the https. When using https directly, it won't give me the warning.

Nice to see this issue wasn't anything to worry about but just a sign of progress.

Offline

#15 2010-07-16 11:16:25

METZGERR
Member
Registered: 2010-07-14
Posts: 28

Re: This bbs now uses https exclusively

me too. I always receive a certificate warning (chromium).

kinda annoying, think you can fix that?

Offline

#16 2010-07-16 11:20:53

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: This bbs now uses https exclusively

chromium works fine. Are you sure you are using Arch and chromium from extra?

Offline

#17 2010-07-16 11:21:02

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941
Website

Re: This bbs now uses https exclusively

METZGERR wrote:

me too. I always receive a certificate warning (chromium).

kinda annoying, think you can fix that?

chromium from extra or the crap downloaded from google's servers?

jocheem67 wrote:

Minefield doesn't trust the certificate, exception added...

that's already built or compiled against system libs?

Last edited by wonder (2010-07-16 11:21:20)


Give what you have. To someone, it may be better than you dare to think.

Offline

#18 2010-07-16 11:26:39

Skripka
Member
From: 2X1280X1024
Registered: 2009-02-19
Posts: 555

Re: This bbs now uses https exclusively

Pierre wrote:

@jocheem67: every browser in our repos knows about this cert

@dcc24: Yes, I am serious. Everything should be encrypted. The internet is simply not a trusted network.

Maybe, but why would anyone want to steal my login credentials to a linux bulletin board? It has to be the most worthless piece of digital info I have. Or are you thinking of things like IP # etc?

Has there been an active security problem we haven't been alerted to....or are we linux users just getting more paranoid? The timing is strange, given the redesign of the website etc. Was this on the burner for a while, or what? I'm curious what the reason is for the sudden switch after so many years of HTTP.

Last edited by Skripka (2010-07-16 11:28:00)

Offline

#19 2010-07-16 11:27:48

ras0ir
Member
From: Ankara/Turkey
Registered: 2008-06-20
Posts: 65
Website

Re: This bbs now uses https exclusively

Great news :)

Offline

#20 2010-07-16 11:37:58

METZGERR
Member
Registered: 2010-07-14
Posts: 28

Re: This bbs now uses https exclusively

wonder wrote:
METZGERR wrote:

me too. I always receive a certificate warning (chromium).

kinda annoying, think you can fix that?

chromium from extra or the crap downloaded from google's servers?

the error occurs on ubuntu AND from arch repos.

Last edited by METZGERR (2010-07-16 11:38:24)

Offline

#21 2010-07-16 11:47:04

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: This bbs now uses https exclusively

I have chromium from extra - no warnings, no problems.

Offline

#22 2010-07-16 11:47:20

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: This bbs now uses https exclusively

Please specify the error and how to reproduce it. Chromium is just working fine here.

Offline

#23 2010-07-16 11:50:26

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941
Website

Re: This bbs now uses https exclusively

METZGERR wrote:
wonder wrote:
METZGERR wrote:

me too. I always receive a certificate warning (chromium).

kinda annoying, think you can fix that?

chromium from extra or the crap downloaded from google's servers?

the error occurs on ubuntu AND from arch repos.

we warned about browsers on other operating systems/distributions. now let's settle the chromium one.

pacman -Qs chromium.

if it has another name, that is your problem, not ours; google-chrome, chromium-browser-bin or whatever variant from aur is not supported

Last edited by wonder (2010-07-16 11:51:36)


Give what you have. To someone, it may be better than you dare to think.

Offline

#24 2010-07-16 12:18:32

lustikus
Member
Registered: 2009-11-10
Posts: 262

Re: This bbs now uses https exclusively

my chromium 5.0.375.99 doesn't like the certificate either:

chromium.png

Offline

#25 2010-07-16 12:24:11

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: This bbs now uses https exclusively

If you are not using arch or one of our packages you have to install the cacert root certs for yourself.

Offline
