Why isn't the wiki/forum using HTTPS ?

Questions, comments, and suggestions about this site should go here.
User avatar
dozniak
Member
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: Why isn't the wiki/forum using HTTPS ?

Post by dozniak »

MichaelFarthing wrote:We hardly communicate much sensitive stuff. What next? Show your passport before you can take part in a pub chat?
For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.
Learn to read.
User avatar
MichaelFarthing
Member
Member
Posts: 167
Joined: Thu Mar 10, 2016 7:35 am
Location: Lancaster, England, Disunited Kingdom

Re: Why isn't the wiki/forum using HTTPS ?

Post by MichaelFarthing »

dozniak wrote:
MichaelFarthing wrote:We hardly communicate much sensitive stuff. What next? Show your passport before you can take part in a pub chat?
For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.
Both of these things frighten me as much as losing a coin in the street or accidentally finding myself in a butcher's shop instead of a greengrocer's - though both of the internet problems are far less likely to actually happen.
User avatar
dozniak
Member
Member
Posts: 723
Joined: Thu Jul 12, 2012 7:29 am
Location: Tallinn, Estonia

Re: Why isn't the wiki/forum using HTTPS ?

Post by dozniak »

MichaelFarthing wrote:Both of these things frighten me as much as losing a coin in the street
You maybe, but there are other people on the internets as well.
Learn to read.
User avatar
Schol-R-LEA
Member
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: Why isn't the wiki/forum using HTTPS ?

Post by Schol-R-LEA »

MichaelFarthing wrote:Why on Earth does it matter except that some large corporations are trying to bully everyone?
Because those large organizations can make the sites that don't use HTTPS inaccessible using most browsers. How many browsers do you know of that don't use one of the major engines? How many of those would you find usable with the majority of (usually lousy and bug-ridden, but that's another story) websites you have reason to go to?

Seriously, while they've pushed off the plans to make their browsers "all HTTPS all the time", all the major players are on board with the idea. As I understand it, there is serious thought by the IETF of deprecating unsecured HTTP entirely. The days when you could get write a simple HTTP server and serve your own site are long over, for better or for worse.

Mind you, I am surprised it's taken this long, because honestly, the fact that it wasn't secured from the outset has been the source of endless problems. Sir Tim had no idea his baby would go as far as it did - he just thought it was a neat way to share pre-publication papers with people who weren't physically at CERN. Yea do many things come to pass fnord.

And at this point, the topic is moot; the forum has in fact switched over, as said already.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
User avatar
MichaelFarthing
Member
Member
Posts: 167
Joined: Thu Mar 10, 2016 7:35 am
Location: Lancaster, England, Disunited Kingdom

Re: Why isn't the wiki/forum using HTTPS ?

Post by MichaelFarthing »

What this says is that it matters because some large bully corporations say it does. It is true that sensitive websites need it. This is not one such.

It is necessary that the House of Commons, airports, prisons and Courts need security checks. Pubs don't.
User avatar
iansjack
Member
Member
Posts: 4703
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Why isn't the wiki/forum using HTTPS ?

Post by iansjack »

You wouldn't want people posting stuff you couldn't trust on an internet forum, would you. :wink:
User avatar
Solar
Member
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany
Contact:

Re: Why isn't the wiki/forum using HTTPS ?

Post by Solar »

MichaelFarthing wrote:
dozniak wrote:For example, you might not want to have your login password stolen when you open forum.osdev.org from a cafeteria? You also might want to know you are connecting to the ACTUAL forum.osdev.org not some other website pretending to be one.
Both of these things frighten me as much as losing a coin in the street or accidentally finding myself in a butcher's shop instead of a greengrocer's - though both of the internet problems are far less likely to actually happen.
That utter failure to actually think about, "what is the worst that can happen".

Just two variations on the identity theft part:

1) Someone posting insults and threats in your name. Believe it or not, those are actionable offenses in the real world, and all the evidence points to you as the offender. At the very least, your reputation will take a sharp dip.

2) Someone hijacking a moderator account and using it to corrupt or outright destroy content.

Perhaps "frighten" is not the right word, but it's certainly enough to be a bloody nuisance. How often, do you think, would chase be willing to restore vandalized content from backups or fight off lawsuits for stuff that's been injected here by malicious attackers before he says, "forget it, I am closing down the site"?
Every good solution is obvious once you've found it.
User avatar
MichaelFarthing
Member
Member
Posts: 167
Joined: Thu Mar 10, 2016 7:35 am
Location: Lancaster, England, Disunited Kingdom

Re: Why isn't the wiki/forum using HTTPS ?

Post by MichaelFarthing »

Well it's managed upwards of 10 years I think?
User avatar
Schol-R-LEA
Member
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: Why isn't the wiki/forum using HTTPS ?

Post by Schol-R-LEA »

MichaelFarthing wrote:What this says is that it matters because some large bully corporations say it does. It is true that sensitive websites need it. This is not one such.

It is necessary that the House of Commons, airports, prisons and Courts need security checks. Pubs don't.
Conversations in pubs don't linger decades after you are dead (OK, so that's shifting the topic a bit, as HTTP/HTTPS connections are potentially just as ephemeral as personal conversations, but whatever.) And I'll bet that if you thought your brother-in-law was in earshot, you'd be more guarded in your words than if it was just you and some friends whom you trusted, even if you didn't have any secrets to hide from your wife.

More importantly, just because you are being pressured to do something that is itself a good idea doesn't mean it isn't a good idea.

An oft-repeated (and equally often misconstrued) truism of the RISKS list goes, if you are only encrypting what you want to hide, all it does is wave a flag saying, "here's the secret stuff!". Even if privacy isn't a concern right now, it is a concern at other times, and going from not hiding things to hiding them is by itself crucial signals intel should anyone have a reason to listen in (they rarely do, at least on individuals; most of the really important data is in tracking demographic trends, not the activities of specific indiduals - that is, they don't care what Joe Blow had for dinner last night, but they do care that 10,000 in his hometown had Burger King compared to 12,000 who had MacDonalds).

(Though to be fair, it has been years I've read RISKS on a regular basis. I also want to point to the tangentially related topic of spread-spectrum transmission and frequency hopping, but that's going too far afield so I'll just give those links for others to follow up on; suffice it to say, it's important enough that even your Bluetooth headphones both encrypt your data and frequency hop, regardless of whether the data itself is important or not.)

As I said, this is something which would have been an intrinsic part of the Web from the outset, had anyone thought about it. It is appalling that cleartext HTTP transmissions were ever a thing in the first place - though admittedly, it is unlikely that it would have exploded the way it did if the bar for implementing a webserver had been higher early on, it would have put a much higher computation cost on things which would have been onerous for the hardware of the time, and there would have been political pushback on it (given the way governments were about encryption at the time - much worse than they are today, and that's saying a lot), so it's not a clear-cut matter in some ways.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
User avatar
Solar
Member
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany
Contact:

Re: Why isn't the wiki/forum using HTTPS ?

Post by Solar »

MichaelFarthing wrote:Well it's managed upwards of 10 years I think?
You really want to field "it worked so far" as a genuine argument in a discussion? :shock:
Every good solution is obvious once you've found it.
nullplan
Member
Member
Posts: 1794
Joined: Wed Aug 30, 2017 8:24 am

Re: Why isn't the wiki/forum using HTTPS ?

Post by nullplan »

Schol-R-LEA wrote:Seriously, while they've pushed off the plans to make their browsers "all HTTPS all the time", all the major players are on board with the idea. As I understand it, there is serious thought by the IETF of deprecating unsecured HTTP entirely. The days when you could get write a simple HTTP server and serve your own site are long over, for better or for worse.
Yeah, and it appears that these people have absolutely no clue what they are doing with that. The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.
Carpe diem!
User avatar
Solar
Member
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany
Contact:

Re: Why isn't the wiki/forum using HTTPS ?

Post by Solar »

nullplan wrote:The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.
Curious. I usually get a message along the lines of "this WiFi network requires authentication" automatically as the WiFi connection is established -- i.e. before I even open a browser. At which point I am taken to a webpage where I can accept or decline the terms of service, and acknowledge the login.

In fact the only times I've seen HTTP intercept the way you described was with, let's say, "homegrown" installations.

So I guess the way "this is generally accomplished" is a bit more sophisticated than intercepting your first HTTP request. :wink:
Every good solution is obvious once you've found it.
Korona
Member
Member
Posts: 1000
Joined: Thu May 17, 2007 1:27 pm
Contact:

Re: Why isn't the wiki/forum using HTTPS ?

Post by Korona »

Solar wrote:So I guess the way "this is generally accomplished" is a bit more sophisticated than intercepting your first HTTP request. :wink:
I don't think that's the case. In my experience, it works the way that nullplan explained. However, modern OS know that it works that way and do a HTTP request to trigger the portal. For example, Android checks http://connectivitycheck.gstatic.com/generate_204 (and shows the "this WiFi networks requires a login" message if the request does not return the expected 204).
managarm: Microkernel-based OS capable of running a Wayland desktop (Discord: https://discord.gg/7WB6Ur3). My OS-dev projects: [mlibc: Portable C library for managarm, qword, Linux, Sigma, ...] [LAI: AML interpreter] [xbstrap: Build system for OS distributions].
User avatar
chase
Site Admin
Posts: 710
Joined: Wed Oct 20, 2004 10:46 pm
Libera.chat IRC: chase_osdev
Location: Texas
Discord: chase/matt.heimer
Contact:

Re: Why isn't the wiki/forum using HTTPS ?

Post by chase »

nullplan wrote:The other day I was using a public Wifi network. As per usual, this requires clicking "accept" on the terms and conditions before you can do anything. This is generally accomplished by having the access point unencrypted but then blocking all traffic except on port 80, and redirecting all port 80 traffic to the login site. So in theory you should be able to click the accept button by opening a browser and surfing to any HTTP site. And bugger my bumblebee's breadbin, is it hard to find those these days. Every site I could think of automatically goes to HTTPS.
I use http://neverssl.com/ for that.

Edit: Little bit more about what Korona mentioned, what they do is try to load a known http:// URL when connecting to a wifi network and if they get back a response other than expected then the network probably requires a login. Here is a list of the URLs that various OSes/Devices use - https://enterprisenetworkingatlarge.wor ... p-vendors/
Post Reply