pacman over http insecure?

Trilby · 2017-10-10 16:22:06

Leonid.I wrote:

I wish people ditch HTTPS as much as possible. Just because you have an 16 core monster in your CPU socket doesn't mean that you should waste it on pointless encryption just to feed users placebo.

I both very much agree and disagree here. One of my web servers is a single core system with minimal ram - when I switched from http to everything going over https I didn't see even the slightest detectable change in loadavg or any other resource use metric. Certainly it does use some computational resources, but it is quite trivial.

I also think that in general, traffic should just be moved to https by default as it frequently does provide a great security benefit, and it's more practical to just route everything over https than have to sort out specifically which transmissions may or may not actually benefit from encryption with the potential risk of accidental open-transmission of something that should have been encrypted.

That said, I completely agree on the placebo point, specifically in regards to the topic of this thread: while I think https as a general default for web traffic would be a good idea, any sense of security one gets from an https pacman mirror is just a placebo (I'd actually call it delusional, so placebo seems nicer).

Last edited by Trilby (2017-10-10 16:23:06)

ewaller · 2017-10-10 16:35:24

Leonid.I wrote:

[Just because you have an 16 core monster in your CPU socket doesn't mean that you should waste it on pointless encryption just to feed users placebo.

Nonsense. https://www.maxcdn.com/blog/ssl-performance-myth/
... and it is effective a preventing ISPs and other corporations from analyzing my communications to provide me with a "better experience"

I certainly agree with everything else you argued.

Edit: Sorry Trilby, I missed your post; it was on the next page.

Last edited by ewaller (2017-10-10 16:36:29)

Trilby · 2017-10-10 16:40:46

Ewaller, there's some irony in the link you posted: it has a faulty SSL certificate!

ewaller · 2017-10-10 16:44:45

Wow, my browser is not flagging that (Chromium 61.0.3163.79 ). Is it because of the recent spat of root certificates being dropped?
In any event, most modern systems have encryption extensions in the instruction set. Some even have hardware encryption.

Edit -- but we are drifting off topic.

Last edited by ewaller (2017-10-10 16:45:24)

Slithery · 2017-10-10 17:15:57

Still off-topic - Firefox didn't throw any warnings for me, but for some of the content qutebrowser warned that...

qutebrowser wrote:

The host name did not match any of the valid hosts for this certificate

Investigating further that proves to be correct, some of the adserver content comes from servers with incorrect certs. I believe that it's possible to up the security settings on Chrome(ium) to give the same warning behaviour.

Last edited by Slithery (2017-10-10 17:23:34)

ewaller · 2017-10-10 17:24:36

slithery wrote:

...some of the adserver content comes from servers with incorrect certs. I believe that it's possible to up the security settings on Chrome(ium) to give the same behaviour.

The other explanation would be my Draconian settings on the Disconnect extension

Leonid.I · 2017-10-11 10:13:26

@Trilby,
I disagree about about the computational costs. It depends on the number of clients (which I imagine is small for your personal site). Try scaling it up and see your loadavg... About switching everything to https... ok, except that you overly rely on the CA model.

@ewaller,
Why nonsense? Again, it depends on the number of http requests... I agree that https protects you from packet inspection/injection by the ISPs, but this argument only enforces my point about wastefulness of modern computing. FWIW, I don't care about ads because I use links2 for general browsing

Trilby · 2017-10-11 10:36:27

Leonid.I wrote:

It depends on the number of clients (which I imagine is small for your personal site)

I'm not just talking about a personal site* - how about one with thousands to tens of thousands of hits per day? But if you are just going to make assumptions there is nothing left to say especially when ewaller posted a link to information you apparently didn't read.

*also note it's fairly hard to remain civil in a discussion when one party seems to have made up their mind about a point and belittles/patronizes any counter argument.

Last edited by Trilby (2017-10-11 10:40:32)

mrunion · 2017-10-11 12:34:26

(at) Leonid.I: You do realize that non-https sites are basically being forced out, right? Chrome 63 (I think that version) will now start showing significant "this is insecure" warning on sites with form fields on them if they are not loaded via https. Google is cracking down on cert issuers as well. Further, security auditors are flagging non-https sites as failing the audit.

The world is changing and https is the only option going forward. It is computationally insignificant no matter what your scale. (And we have some sites that get 200K+ hits per day. Https has no discernible impact on the server load.)

Trilby · 2017-10-11 14:21:46

I think we're taking this thread quite far afield.

There are discussion-worthy points on whether or not https is computationaly costly, or whether it is inevitable, or whether it should be a default for all traffic, but none of these are particularly on target to addressing whether or not communicating with repo mirrors over http is a security risk.

ewaller · 2017-10-11 14:35:04

Leonid.I wrote:

@ewaller,
Why nonsense? Again, it depends on the number of http requests... I agree that https protects you from packet inspection/injection by the ISPs, but this argument only enforces my point about wastefulness of modern computing. FWIW, I don't care about ads because I use links2 for general browsing

My objection was to the hyperbole that implied a 16 core CPU is required. The actual performance hits are measured in single digit percentages.

eschwartz · 2017-10-11 22:18:54

Leonid.I wrote:

slithery wrote:
adesh wrote:
Well, two come to mind - caching and compression.
If you're using ssl then there's no reason to not also be using HTTP/2 which has in-built compression and automatic content pushing.
Sigh... I wish people ditch HTTPS as much as possible. Just because you have an 16 core monster in your CPU socket doesn't mean that you should waste it on pointless encryption just to feed users placebo.
The security of pacman transactions relies on public-key cryptography, not on p2p encryption. Besides, why do you trust CAs who warrant S in HTTPS?

Well, partially because pacman may rely on public-key cryptography, but as mentioned, the official Arch Linux repositories disable that for database downloads, which means that under certain conditions your only protection against attackers is whatever degree of protection you can get by encrypting the transport and hoping it isn't the mirror itself that gets compromised.

Which means that it is hardly a placebo.

Arch Linux

#26 2017-10-10 16:22:06

Re: pacman over http insecure?

#27 2017-10-10 16:35:24

Re: pacman over http insecure?

#28 2017-10-10 16:40:46

Re: pacman over http insecure?

#29 2017-10-10 16:44:45

Re: pacman over http insecure?

#30 2017-10-10 17:15:57

Re: pacman over http insecure?

#31 2017-10-10 17:24:36

Re: pacman over http insecure?

#32 2017-10-11 10:13:26

Re: pacman over http insecure?

#33 2017-10-11 10:36:27

Re: pacman over http insecure?

#34 2017-10-11 12:34:26

Re: pacman over http insecure?

#35 2017-10-11 14:21:46

Re: pacman over http insecure?

#36 2017-10-11 14:35:04

Re: pacman over http insecure?

#37 2017-10-11 22:18:54

Re: pacman over http insecure?

Board footer