That doesn't help my CPUs either.
Personally, I'd rather be back in Hobbiton.
Offline
True that. My average CPU usage has skyrocketed since the BBS switched to HTTPS.
The outrage!
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
Offline
Wait, does it affect the server or client? Or both? Can someone explain this in huge detail?
Personally, I'd rather be back in Hobbiton.
Offline
I read that you said Firefox comes with this CAcert by default; why then does it show the site as untrusted? I'm using version 3.6.7, and I also checked this at work, where I have some XP machines.
Linux user #498977
With microsoft you get windows and gates, with linux you get the whole house!
My Blog about ArchLinux and other stuff
Offline
I read that you said Firefox comes with this CAcert by default; why then does it show the site as untrusted? I'm using version 3.6.7, and I also checked this at work, where I have some XP machines.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
Thanks for the link. Now I got it.
I also noticed there is another Linux distro called ARK LINUX lol, I thought that was a typo.
Linux user #498977
With microsoft you get windows and gates, with linux you get the whole house!
My Blog about ArchLinux and other stuff
Offline
All of Intel's new CPUs of this year have hardware AES, so the hardware problem should go away soon.
I thought SSL was a public-key cryptosystem...
Also, the certificate isn't accepted by my N900, in case anyone is remotely interested.
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
ss2 wrote: SSL can create a massive overhead (Traffic and melting CPUs) once many connections need to be maintained simultaneously. And this seems to be one of the reasons why SSL does not get much attention.
All of Intel's new CPUs of this year have hardware AES, so the hardware problem should go away soon.
True, I didn't think about that. But as it is still (when was it introduced?) a new feature, it will take time until most servers adopt it.
And yes, the issues about some users posting about a higher load on your CPU: SSL was never intended to be fast, but secure. Think about that.
Offline
yejun wrote: ss2 wrote: SSL can create a massive overhead (Traffic and melting CPUs) once many connections need to be maintained simultaneously. And this seems to be one of the reasons why SSL does not get much attention.
All of Intel's new CPUs of this year have hardware AES, so the hardware problem should go away soon.
True, I didn't think about that. But as it is still (when was it introduced?) a new feature, it will take time until most servers adopt it.
And yes, the issues about some users posting about a higher load on your CPU: SSL was never intended to be fast, but secure. Think about that.
No argument, but security is a balance between AAA and Usability. No point having uber-security if the system isn't usable.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
I doubt that anybody will notice higher CPU load due to HTTPS usage. I didn't even notice a difference on the server. Of course SSL has more overhead in CPU load and traffic, but it's fairly low. See also http://www.imperialviolet.org/2010/06/2 … g-ssl.html
Offline
I also noticed some increasing CPU usage... please go back to http!
Offline
I thought SSL was a public-key cryptosystem...
The public key is only used to establish the session. Once the session is created, it will use a symmetric cipher. The only delay is usually at the beginning of the session, because of the extra TCP packet exchange and RSA.
AES256 speed is 270MB/s on a Core 2 and 3.5GB/s on an i5 CPU. I don't see how SSL on a normal website will cause CPU usage any higher than 1%.
Offline
<disclaimer>
This is not my forum, my server nor my decision. Feel free to stop reading at this tag if you want.
</disclaimer>
<opinion>
Using SSL for the forums -- where information is publicly available and readable -- is like delivering ketchup packets to fast food restaurants in armored cars! Once they're at the restaurant, anyone can have them by simply asking -- no ID required, no credentials, no receipts, no validation. But they're darn safe as heck during transit! (And I still don't get it. I think it's overkill. But see disclaimer above!)
</opinion>
Last edited by mrunion (2010-07-23 13:19:08)
Matt
"It is very difficult to educate the educated."
Offline
But your food doesn't taste any different either. So the end user shouldn't care.
Whole-website SSL just eases administrative work. Otherwise the developer needs to hand-select which pages need to be secure and which do not, and decide which cookies need to have the secure flag. With SSL, you can pretty much transmit all information in clear text without worrying about those details.
Offline
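The per-cookie decision described in the post above, as an added example that is not part of the original thread: it parses `Set-Cookie` headers and reports which sensitive cookies would travel over plain HTTP on a partly secured site. The host `forum.example`, the cookie names and the URLs are constructed, and the browser rule is simplified to the scheme check only.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers for a hypothetical forum.
SET_COOKIE_HEADERS = [
    "forum_session=4f2a9c; Path=/; HttpOnly",       # Secure flag forgotten
    "forum_csrf=91bd07; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",                           # harmless preference
]
SENSITIVE = {"forum_session", "forum_csrf"}

# Constructed request lists: one mixed site, one served entirely over HTTPS.
MIXED_SITE = [
    "https://forum.example/login.php",
    "https://forum.example/viewtopic.php?id=1",
    "http://forum.example/img/thumb_1.png",
]
ALL_HTTPS = [u.replace("http://", "https://") for u in MIXED_SITE]

def parse_set_cookie(headers):
    """Return {cookie_name: has_secure_flag} from raw Set-Cookie values."""
    jar = {}
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = bool(morsel["secure"])
    return jar

def cookies_sent(jar, url):
    """Cookie names attached to a request for `url`.
    Simplified: Secure cookies go only over https; domain/path ignored."""
    scheme = urlsplit(url).scheme
    return sorted(n for n, secure in jar.items()
                  if scheme == "https" or not secure)

def cleartext_leaks(jar, urls, sensitive=SENSITIVE):
    """Map each plain-HTTP URL to the sensitive cookies exposed on it."""
    leaks = {}
    for url in urls:
        if urlsplit(url).scheme != "http":
            continue
        exposed = [n for n in cookies_sent(jar, url) if n in sensitive]
        if exposed:
            leaks[url] = exposed
    return leaks

if __name__ == "__main__":
    jar = parse_set_cookie(SET_COOKIE_HEADERS)
    print("mixed site:", cleartext_leaks(jar, MIXED_SITE))
    print("all HTTPS: ", cleartext_leaks(jar, ALL_HTTPS))
```

On the all-HTTPS request list the forgotten flag exposes nothing, because no request in that list is made over plain HTTP.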
never mind....:
EDIT: mentioned package signing and then I read .:B:. warning about not turning this into a package signing thread
Last edited by Inxsible (2010-07-23 14:11:58)
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Offline
Well, yejun, I understand that point. But I still don't think SSL is needed on a forum. I'm not storing my credit card info on here or anything. If my account gets hacked, I'll report it.
Again, see the disclaimer in my last post.
(And as for "easier" on the web dev, I've not noticed SSL making things "easier" for me on the web applications I have to do. We secure the appropriate parts of course. For another example of why SSL on this forum is kinda not nice, look at the exception warnings in the screenshot threads because the thumbnails aren't loaded over SSL. The browser starts warning that some items aren't encrypted, but that's never been a problem before. Now how many users will ignore it, set an exception or actually wonder if something went wrong?)
Last edited by mrunion (2010-07-23 18:30:10)
Matt
"It is very difficult to educate the educated."
Offline
PirateJonno wrote: I thought SSL was a public-key cryptosystem...
The public key is only used to establish the session. Once the session is created, it will use a symmetric cipher. The only delay is usually at the beginning of the session, because of the extra TCP packet exchange and RSA.
AES256 speed is 270MB/s on a Core 2 and 3.5GB/s on an i5 CPU. I don't see how SSL on a normal website will cause CPU usage any higher than 1%.
Thanks for the clarification
"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
Offline
So for those who use third-party systems: install the class 1 and class 3 certs from http://www.cacert.org/index.php?id=3 (e.g. just click on both in pem-format)
This should be added to the first post.
Offline
<disclaimer>
<opinion>
Using SSL for the forums -- where information is publicly available and readable -- is like delivering ketchup packets to fast food restaurants in armored cars! Once they're at the restaurant, anyone can have them by simply asking -- no ID required, no credentials, no receipts, no validation. But they're darn safe as heck during transit! (And I still don't get it. I think it's overkill. But see disclaimer above!)
</opinion>
Doesn't your food taste much better knowing that the small ketchup packets have not been swapped by a mix of laxatives and sleeping pills or some poison was added on the way from the factory to the restaurant?
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
mrunion wrote: <disclaimer>
<opinion>
Using SSL for the forums -- where information is publicly available and readable -- is like delivering ketchup packets to fast food restaurants in armored cars! Once they're at the restaurant, anyone can have them by simply asking -- no ID required, no credentials, no receipts, no validation. But they're darn safe as heck during transit! (And I still don't get it. I think it's overkill. But see disclaimer above!)
</opinion>
Doesn't your food taste much better knowing that the small ketchup packets have not been swapped by a mix of laxatives and sleeping pills or some poison was added on the way from the factory to the restaurant?
We should ask if fast food restaurants of this world want to use packet signing for ketchup.
Offline
R00KIE wrote: mrunion wrote: <disclaimer>
<opinion>
Using SSL for the forums -- where information is publicly available and readable -- is like delivering ketchup packets to fast food restaurants in armored cars! Once they're at the restaurant, anyone can have them by simply asking -- no ID required, no credentials, no receipts, no validation. But they're darn safe as heck during transit! (And I still don't get it. I think it's overkill. But see disclaimer above!)
</opinion>
Doesn't your food taste much better knowing that the small ketchup packets have not been swapped by a mix of laxatives and sleeping pills or some poison was added on the way from the factory to the restaurant?
We should ask if fast food restaurants of this world want to use packet signing for ketchup.
They already do actually, the process is controlled very tightly at the factory and at any sign of tampering upon delivery people get extra careful.
Have you ever heard of cases where something is suspected to have been poisoned during production or before reaching the consumer's hands? I sure have and not only it is a huge pain in the ass for everyone in the production and delivery chain to handle the massive recall, it scares every single consumer that may have bought an item from the affected lot, not to mention the bad image the producer of the product will get, even if later it is proved that it was a single consumer that tried to kill itself and the product was completely safe.
Like it was said before the trend is to have someone snoop on _everything_ you do on the internet (I believe one country even considered making it mandatory to install a program to snoop on all your online activities), especially if the "wonderful" and secret ACTA treaty gets ratified and pushed down our throats. So yes, bring on https (package signing does not belong to this discussion), my posts are worth very little but they are my posts and it is my account and if it is possible to make it more secure I don't see a reason why not.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
Have you ever heard of cases where something is suspected to have been poisoned during production or before reaching the consumer's hands?
Excellent example of this: the Chicago Tylenol murders.
There's a bit of drama in this thread. I for one am quite happy about this. For any site that I visit, if I can load it over SSL, I do. And if it makes dcc24 feel any better, I think package signing is important as well.
ss2 wrote: SSL can create a massive overhead (Traffic and melting CPUs) once many connections need to be maintained simultaneously. And this seems to be one of the reasons why SSL does not get much attention.
All of Intel's new CPUs of this year have hardware AES, so the hardware problem should go away soon.
The Arch servers seem to be configured to serve SSL with the Camellia cipher by default, so hardware AES isn't going to help there. Although in Firefox, if you disable Camellia in about:config, the Arch servers will fall back on using AES-256 next.
Last edited by MkFly (2010-08-18 20:20:27)
Offline
Just use a self-signed CA on the bbs.. and let folks know that, if it is a big trouble. Wildcard SSLs are steep in price.
<donates>
Offline
yejun wrote: All of Intel's new CPUs of this year have hardware AES, so the hardware problem should go away soon.
I thought SSL was a public-key cryptosystem...
Also, the certificate isn't accepted by my N900, in case anyone is remotely interested.
Funny thing, it accepted it on my loaner Samsung Memoir.
Offline
I salute the change - in case the public opinion matters more than a thoughtful decision, view to which I don't adhere anyway.
I suppose that it would be good for people who insist on using an unsecured connection to optionally be able to get over the encryption, if this is possible and not hard to implement. Still, IMO the default needs to be secured; information should not be reachable by 3rd parties without the explicit consent of the people.
Offline