TLS for OSDev Website?

Questions, comments, and suggestions about this site should go here.
Kazinsal
Member
Posts: 558
Joined: Wed Jul 13, 2011 7:38 pm
Freenode IRC: Kazinsal

Re: TLS for OSDev Website?

Post by Kazinsal »

Hey, here's a cool thing -- I've worked with numerous PHP applications that sh!t the bed if you convert them from HTTP to HTTPS.

Also, I'm a network engineer. I deal with OSI and TCP/IP stack crap daily and get paid for it. I know what I'm talking about.
onlyonemac
Member
Posts: 1146
Joined: Sat Mar 01, 2014 2:59 pm

Re: TLS for OSDev Website?

Post by onlyonemac »

It's still not that hard. In fact that's not even required, just recommended (as it prevents users from accidentally sending their existing authentication cookies over HTTP).
When you start writing an OS you do the minimum possible to get the x86 processor in a usable state, then you try to get as far away from it as possible.

Syntax checkup:
Wrong: OS's, IRQ's, zero'ing
Right: OSes, IRQs, zeroing
SenorContento
Posts: 2
Joined: Thu Oct 06, 2016 10:08 am
Freenode IRC: SenorContento

Re: TLS for OSDev Website?

Post by SenorContento »

I actually forgot about this until I just saw that another service I use has the same issue, but to answer your concern, Kazinsal: while I don't doubt you have used a lot of PHP applications that would lose it if they had TLS implemented into them, I do know for a fact that one can use nginx to implement a proxy to any web-based server. Last year, I tested this when I created my own personal certificate authority and loaded up a Jekyll server over nginx on localhost. Jekyll has no knowledge about anything that is going on with encryption and gets the same headers as usual. An example I have just loaded for this post is located at https://pastebin.com/hEsV08Sn. The PHP server itself will never know the difference. Proof of this is a sample capture I took when loading https://duckduckgo.com/ on Firefox. The capture is located at https://pastebin.com/Yx2fW64G.
dozniak
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: TLS for OSDev Website?

Post by dozniak »

Kazinsal wrote: Adding TLS to old non-TLS software such as phpBB is not as simple as flicking a magic switch even with things like Let's Encrypt.

It's exactly that simple - you tell the reverse proxy to accept only https connections and add a server cert (or let letsencrypt install it) and that is exactly all that is needed, phpBB or not.

Are you sure you're a network engineer?
Learn to read.
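
The reverse-proxy arrangement described in the two posts above, as an added nginx configuration example that is not part of the thread or of the site's actual setup. The hostname `forum.example.org`, the backend address `127.0.0.1:8080` and the certificate paths are placeholders, and `proxy_cookie_flags` assumes nginx 1.19.3 or later.

```nginx
# Added example; hostname, backend port and certificate paths are placeholders.

# Port 80 serves no content over cleartext, only a redirect to HTTPS.
server {
    listen 80;
    server_name forum.example.org;
    return 301 https://$host$request_uri;
}

# Port 443: nginx terminates TLS and forwards plain HTTP to the
# unmodified backend (phpBB, Jekyll, ...) over loopback.
server {
    listen 443 ssl;
    server_name forum.example.org;

    ssl_certificate     /etc/letsencrypt/live/forum.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Browsers that have seen this header stop using http:// for this
    # host, so existing session cookies are not sent in cleartext.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # The backend only sees plain HTTP. These headers carry the
        # original host, client address and scheme for applications
        # that build absolute URLs or log client IPs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Mark every cookie set by the backend as Secure, since the
        # backend itself does not know the connection is encrypted.
        proxy_cookie_flags ~ secure;
    }
}
```

Check the file with `nginx -t` before reloading; the backend should listen only on loopback so that it cannot be reached around the proxy.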
Schol-R-LEA
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: TLS for OSDev Website?

Post by Schol-R-LEA »

Sorry to dredge up this long-dead thread, but I assume all of you are aware that two of the major browsers have deprecated unencrypted HTTP and are planning on dropping support for it in the next two years? This has been on Google's plate for two years now and Mozilla followed suit soon after. It is a safe bet that where Google goes, WebKit will follow. I don't know what Microsoft's plans for Edge are, nor Apple's for Safari, but I expect that they have similar plans. Chrome has been warning about logins that use cleartext HTTP with a positive-confirmation pop-up since last September.

It is rapidly approaching the already far too long delayed day when unsecured HTTP won't be an option on the public Web.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
matt11235
Member
Posts: 286
Joined: Tue Aug 02, 2016 1:52 pm
Location: East Riding of Yorkshire, UK

Re: TLS for OSDev Website?

Post by matt11235 »

Schol-R-LEA wrote: Sorry to dredge up this long-dead thread, but I assume all of you are aware that two of the major browsers have deprecated unencrypted HTTP and are planning on dropping support for it in the next two years? This has been on Google's plate for two years now and Mozilla followed suit soon after. It is a safe bet that where Google goes, WebKit will follow. I don't know what Microsoft's plans for Edge are, nor Apple's for Safari, but I expect that they have similar plans. Chrome has been warning about logins that use cleartext HTTP with a positive-confirmation pop-up since last September.

It is rapidly approaching the already far too long delayed day when unsecured HTTP won't be an option on the public Web.

Yeah, the browser warnings are scary. Additionally, I think that Google are starting to rank insecure websites lower in searches, which isn't a good thing.
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum
dozniak
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: TLS for OSDev Website?

Post by dozniak »

letsencrypt.org guys, but with Chase not paying much attention there's no redemption.

I could host this all myself but I guess proper migration will be a mess.
Learn to read.
Schol-R-LEA
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: TLS for OSDev Website?

Post by Schol-R-LEA »

Yes, they have, it was mentioned earlier in the thread. But the plan is that eventually, sometime relatively soon, it won't use unsecured HTTP at all. The protocol itself - the base protocol for the Web throughout its lifetime up until now - is slated for removal on both of those browsers. They haven't announced cut-off dates, but it is expected to be sometime before October 2018 AFAIK.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
bluemoon
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: TLS for OSDev Website?

Post by bluemoon »

The problem with Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated (requires some work). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on Chrome soon, which is scary for new people.
matt11235
Member
Posts: 286
Joined: Tue Aug 02, 2016 1:52 pm
Location: East Riding of Yorkshire, UK

Re: TLS for OSDev Website?

Post by matt11235 »

bluemoon wrote: The problem with Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated (requires some work). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on Chrome soon, which is scary for new people.

I found the automation in Let's Encrypt to be really good. With nginx I just ran the script and added an entry into my crontab file. I think there's stuff in Let's Encrypt for Apache too, so I presume it'd be similar.
com.sun.java.swing.plaf.nimbus.InternalFrameInternalFrameTitlePaneInternalFrameTitlePaneMaximizeButtonWindowNotFocusedState
Compiler Development Forum
glauxosdever
Member
Posts: 501
Joined: Wed Jun 17, 2015 9:40 am
Freenode IRC: glauxosdever
Location: Athens, Greece

Re: TLS for OSDev Website?

Post by glauxosdever »

Hi,


Speaking of Chase, do we know what's going on with him? It's been 18 months since his last login. Is it something to be concerned about (like some bad health status), or did he simply give up server administration? (I know that Brendan is the forum administrator currently, but what about the server administrator?)

If anyone knows, please shed some light about this.


Regards,
glauxosdever
Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!

Re: TLS for OSDev Website?

Post by Brendan »

Hi,
glauxosdever wrote: Speaking of Chase, do we know what's going on with him? It's been 18 months since his last login. Is it something to be concerned about (like some bad health status), or did he simply give up server administration? (I know that Brendan is the forum administrator currently, but what about the server administrator?)

If anyone knows, please shed some light about this.

Chase is just busy doing other things (mostly involving Java as far as I can tell, based on some stalking that led to GitHub commits as recent as March 2017). I wouldn't be too surprised if he pops up when nobody is expecting it, makes a pile of changes/updates, then doesn't log in for another 18 months. :)


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
glauxosdever
Member
Posts: 501
Joined: Wed Jun 17, 2015 9:40 am
Freenode IRC: glauxosdever
Location: Athens, Greece

Re: TLS for OSDev Website?

Post by glauxosdever »

Hi,


Ok, this is encouraging. I was afraid something bad had happened to him.


Regards,
glauxosdever
dozniak
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: TLS for OSDev Website?

Post by dozniak »

bluemoon wrote: The problem with Let's Encrypt is you gotta renew the cert every 90 days, either manually (too much trouble) or automated (requires some work). I would just pay $10 and get a cheap commercial cert for 3 years instead.

And yes, we'll see a big "not safe" warning on Chrome soon, which is scary for new people.

There are nice good web servers (read: Caddy) that do the ENTIRE renewal process for you, automatically and with no work. I'm using it in prod and it works perfectly.
Learn to read.