HTTPS is broken

Report broken links, improper HTML, or formatting issues here.

Moderator: Moderators

tepples
Posts: 22796
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

HTTPS is broken

Post by tepples »

I know someone who is unwilling to participate in the forum and wiki over HTTP but might consider it over HTTPS. As of right now, https://nesdev.com/, https://www.nesdev.com/, https://forums.nesdev.com/ and https://wiki.nesdev.com/ produce the following:
forums.nesdev.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
The certificate is only valid for localhost
The certificate expired on 07/25/2014 01:04 AM. The current time is 02/21/2016 07:39 PM.

(Error code: sec_error_unknown_issuer)
The barrier to implementing HTTPS used to be the cost of a separate IPv4 address per domain, but that ended in April 2014 when the last major SNI-ignorant desktop web browser (Internet Explorer for Windows XP) reached end of life. The barrier after that was the cost of TLS certificates, but since Let's Encrypt opened to the public, a TLS certificate is available without charge to the server administrator. What other barriers to making HTTPS work exist, other than the server administrator's time?
User avatar
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: HTTPS is broken

Post by koitsu »

General brain dump from someone who's been doing this for a long, long time:

* Let's Encrypt certs expire every 30 days (apparently this has been increased to 90). There are "hacks" (as in shitty shell scripts, and generally borderline ridiculous nonsense) to try and "automate" getting a new cert + putting it in place via this method, which is disappointing when compared to, say, an actual decent CA (ex. NameCheap, Gandi, etc.) which will send you an Email reminding you that your certs need to be renewed before their expiry.

* Let's Encrypt doesn't support wildcard certificates citing some sort of ACME hard-on. Otherwise you're going to need a cert that's for the root domain (this is something CA-based wildcard certs don't actually give you in most cases -- it ends up having to be one of the names in your subjectAltName list, i.e. you have to pay for it), one for www, one for forums, one for wiki, and god knows what else. Someone will need to do a full review of all DNS records that point to said server.

Oh, and don't forget about any redirections for old names, e.g. https://nesdev.parodius.com --> https://nesdev.com will not work (I'm not going to get SSL for something legacy -- sorry). HTTP-to-HTTPS redirection is possible but "generally shunned" because it gives users a false sense of security when visiting legacy URLs.

* HTTPS is substantially slower and in some environments (very specific kinds of caching proxies) cannot be cached. One thing that's absolutely guaranteed is that the connection set-up time is substantially longer given the SSL negotiation overhead. SPDY helps with this, but SPDY isn't available in all webservers, and getting it to work correctly as a module in Apache is sometimes tedious at best. My point is, expect worse performance.

* Configuration of SSL/HTTPS -- meaning PROPER configuration, especially when CA/cert chains are involved! -- can be painful. Use of Qualys' SSL Test is highly useful, but the information given there isn't always immediately clear. How to configure Apache properly is substantially different than nginx, and the configuration methodology/approach even varies per CA (I'm not making this up -- it all depends on what the CA gives you back). I can't stress the importance of using Qualys' SSL Test. People screw up certificate chains all the time.

* Actual forum or software configuration bits. Sometimes changing the scheme (HTTP -> HTTPS) will break badly with software configurations that need to know what the scheme is. Forum software and wiki software come to mind -- I can imagine them botching internal links and so on unless configured correctly. And sometimes there's multiple places this needs to be done.

* HTTP-to-HTTPS redirections within the webserver itself (e.g. mod_rewrite, not HTTP header Location: redirects!) may need to be done for things like images, i.e. there may be old links in people's forum posts or wiki content that refer to the http:// version. You get to deal with "migrating" all of those over to https:// otherwise.

* The admin now needs to begin tracking OpenSSL security holes (usually one or two coming out every few months at this rate) and patches for OpenSSL for their OS and/or Linux distro. In other words: what wasn't a concern before now becomes a serious concern. Let's not discuss the feasibility of switching to WolfSSL or LibreSSL at this time -- let's remain practical/realistic.

In other words: "other than the administrator's time" is putting it very, very lightly. SSL is a total nightmare.

That said, my personal (I'd border on saying professional) opinion is this: the main reason people want HTTPS (for non-banking-related things) is because they're don't want their L/P credentials possibly sniffed and decoded. That's it. So really the only things I'd recommend HTTPS be considered for are the forum and the wiki. There's nothing on the main site that warrants use of HTTPS.

So, at NameCheap, that's either $9/year (if you had separate certs, one per hostname; PositiveSSL), or $30/year (one cert for both hostnames, one as CommonName the other as a subjectAltName; PositiveSSL Multi-Domain). At Let's Encrypt, that's either one or two certs (not sure which), and the admin gets to deal with a bunch of bullshit every 90 days -- and if they fail to deal with it, users get a wonderful warning (often a dialog box) telling them of the expiry until it's dealt with.
tepples
Posts: 22796
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: HTTPS is broken

Post by tepples »

koitsu wrote:Oh, and don't forget about any redirections for old names, e.g. https://nesdev.parodius.com --> https://nesdev.com will not work (I'm not going to get SSL for something legacy -- sorry). HTTP-to-HTTPS redirection is possible but "generally shunned" because it gives users a false sense of security when visiting legacy URLs.
If you put a Strict-Transport-Security header on the HTTPS side, the browser will automatically do the redirection for you for page views after the first.
* HTTPS is substantially slower and in some environments (very specific kinds of caching proxies) cannot be cached.
It can if the user of the caching proxy installs the caching proxy's root certificate. This is common in corporate environments.
One thing that's absolutely guaranteed is that the connection set-up time is substantially longer given the SSL negotiation overhead.
Even if HTTP/2 (formerly SPDY) is unavailable, false start and keep-alive help with this.
* HTTP-to-HTTPS redirections within the webserver itself (e.g. mod_rewrite, not HTTP header Location: redirects!) may need to be done for things like images, i.e. there may be old links in people's forum posts or wiki content that refer to the http:// version. You get to deal with "migrating" all of those over to https:// otherwise.
The Content Security Policy spec includes upgrade-insecure-requests, which instructs the browser to rewrite all HTTP URIs for scripts, images, and the like as HTTPS URIs.
the main reason people want HTTPS (for non-banking-related things) is because they're don't want their L/P credentials possibly sniffed and decoded. That's it. So really the only things I'd recommend HTTPS be considered for are the forum and the wiki.
In other words, where I spend 99.9% of my time on the site.
tepples
Posts: 22796
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: HTTPS is broken

Post by tepples »

An update, based on several months of successful operation of Let's Encrypt and some recent events:
koitsu wrote:* Let's Encrypt doesn't support wildcard certificates citing some sort of ACME hard-on. Otherwise you're going to need a cert that's for the root domain (this is something CA-based wildcard certs don't actually give you in most cases -- it ends up having to be one of the names in your subjectAltName list, i.e. you have to pay for it), one for www, one for forums, one for wiki, and god knows what else. Someone will need to do a full review of all DNS records that point to said server.
The SANs I can think of at the moment are 8bitalley.com, nesdev.com, www.nesdev.com, nesdev.parodius.com, forums.nesdev.com, wiki.nesdev.com, and the other hosted sites.
* HTTPS is substantially slower and in some environments (very specific kinds of caching proxies) cannot be cached.
An intermediate caching proxy is also an intermediate rewriting-to-include-ransomware-links proxy.
I can't stress the importance of using Qualys' SSL Test. People screw up certificate chains all the time.
Thanks for the recommendation.
At Let's Encrypt, that's either one or two certs (not sure which), and the admin gets to deal with a bunch of bullshit every 90 days
The idea is that cron will deal with the bullshit every 60.
WhoaMan
Posts: 167
Joined: Sat Oct 02, 2004 12:07 pm

Re: HTTPS is broken

Post by WhoaMan »

Just so you all know,I'm working on coming up with funding to get a newer server, when and if I can come up with the money I will get proper HTTPS setup and a more traditional hosting system for hosted sites
i dont have much to say
User avatar
B00daW
Posts: 586
Joined: Thu Jan 03, 2008 1:48 pm

Re: HTTPS is broken

Post by B00daW »

WhoaMan, just start a donation post for PM donations in General. :)
User avatar
Myask
Posts: 965
Joined: Sat Jul 12, 2014 3:04 pm

Re: HTTPS is broken

Post by Myask »

B00daW wrote:WhoaMan, just start a donation post for PM donations in General. :)
This.
zzo38
Posts: 1096
Joined: Mon Feb 07, 2011 12:46 pm

Re: HTTPS is broken

Post by zzo38 »

It should be made available both HTTP and HTTPS, if it can be done. HSTS is bad and don't use it, and don't implement it in the client-side either (I have hacked out HSTS from Firefox).
(Free Hero Mesh - FOSS puzzle game engine)
WhoaMan
Posts: 167
Joined: Sat Oct 02, 2004 12:07 pm

Re: HTTPS is broken

Post by WhoaMan »

HTTPS works now :)
i dont have much to say
nocash
Posts: 1423
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: HTTPS is broken

Post by nocash »

Works, but HTTP doesn't work any longer (it's automatically redirecting to HTTPS). Encryption is nice, but it's also slower, at least on old computers.
Which, well, I guess nobody but me is having any problems with it. And even with the encryption, nesdev does still feel faster than sites like wikipedia or facebook.
Anyways, an option to disable HTTP-to-HTTPS redirection would be nice for retro people with old hardware. This is an 8bit forum after all : )

EDIT: Now it's working again, and it's really loading faster that way. Thanks for fixing!
JRoatch
Formerly 43110
Posts: 423
Joined: Wed Feb 05, 2014 7:01 am
Contact:

Re: HTTPS is broken

Post by JRoatch »

OK, is there a way to enable HTTP-to-HTTPS redirection? Because without that, anything can just downgrade the connection. The links within this site, and malicious downgrade attacks outside this site.[citation needed]
Last edited by JRoatch on Thu Sep 15, 2016 5:23 pm, edited 2 times in total.
lidnariq
Site Admin
Posts: 11584
Joined: Sun Apr 13, 2008 11:12 am

Re: HTTPS is broken

Post by lidnariq »

Why not just bookmark the HTTPS version instead?
JRoatch
Formerly 43110
Posts: 423
Joined: Wed Feb 05, 2014 7:01 am
Contact:

Re: HTTPS is broken

Post by JRoatch »

lidnariq wrote:Why not just bookmark the HTTPS version instead?
Doesn't work. As I just edited, practically every link will just revert the connection back to HTTP.
lidnariq
Site Admin
Posts: 11584
Joined: Sun Apr 13, 2008 11:12 am

Re: HTTPS is broken

Post by lidnariq »

I wonder what's breaking for you?

It's working for me: this reply was made from the https URL, clicked on the "reply" button and stayed on the https version, and followed links that stayed on the https version. Both forum and wiki.

Could be the proxy, maybe?



That said, the very front page is using http (rather than protocol-relative) links for its stylesteet and favicon
tepples
Posts: 22796
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: HTTPS is broken

Post by tepples »

I've added a private custom profile field "Redirect to HTTPS" of type Boolean. How easy would it be to wire up automatic redirection if and only if this is checked?
Post Reply