HTTPS #89

Closed
mstevens opened this Issue Mar 25, 2011 · 18 comments

7 participants

mstevens commented Mar 25, 2011

HTTPS is lovely and secure and lovely.

We can haz it on rstat.us?

wilkie commented Mar 26, 2011

In our certificate authority overlords we trust? :)

I wonder what authority status.net uses. People may need to acquire a certificate upon pushing a new node to the system, how does that affect the cost (monetary and time or effort) to do so? This is a good question!

steveklabnik commented Mar 26, 2011

Not that we have to stay heroku forever, but they also have a good illustration of this: http://addons.heroku.com/ssl

Those are basically our options, heroku or no. SNI throws an error in old browsers, but is nice otherwise.

mstevens commented Mar 26, 2011

There's always self-signed hotness.

On Fri, Mar 25, 2011 at 05:22:38PM -0700, wilkie wrote:

In our certificate authority overlords we trust? :)

I wonder what authority status.net uses. People may need to acquire a certificate upon pushing a new node to the system, how does that affect the cost (monetary and time or effort) to do so? This is a good question!


burningTyger commented Mar 27, 2011

Self-signed? Scare people away? Not a good solution.

wilkie commented Mar 27, 2011

@burningTyger you are assuming centralization and trust in verisign doesn't scare people away? ;) Let's overview:

Self-signing "weakens" the level of trust, but given that you can trust the key, the same amount of confidentiality. Verisign, what you pay for, is trust. It does verification, and people say it is ok, because it is Verisign and we trust them. Self-signed certs are root certificates and will not be verified. That means people have to verify them by instinct, by pressing 'ignore', or manually through other means. All-in-all, personally, I'm not sure I buy into the "web of trust" idea of hierarchical certificate authorities. It's all a matter of poor public education, anyway. :)

Self-signed is better than none at all, which is obvious. (The exception is in terms of psychological acceptability, where one thinks they are secure but are not because the key was exposed, and do things they would not have done normally) This problem still exists in the hierarchical scheme, but less so because somebody has the authority to revoke your cert, whereas a self-signed cert can't be revoked by anybody else. Which might be seen as a good thing, especially with respect to limiting the role a government can have in censoring or viewing communication through a backdoor because they have somebody at a certificate authority giving them private keys.

So I'd say there are two schools of thought, and picking the right one should be considered carefully.
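The point wilkie makes above, that a self-signed cert is its own root and so nothing verifies it unless the verifier already trusts that exact key, can be shown with Ruby's stdlib OpenSSL bindings. This is an added example, not code from rstat.us; the node names are constructed placeholders.

```ruby
require "openssl"

# Build a self-signed certificate for a hypothetical node (constructed sample, not a real rstat.us cert).
# issuer == subject, so the cert vouches only for itself: it is a root, not a leaf under any CA.
def make_self_signed(cn, days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,digitalSignature", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify a cert against an explicit trust store (no system CA bundle is loaded).
# Returns [ok, reason]: a self-signed cert passes only when that very cert is a trust anchor,
# which is exactly what the browser's "accept this certificate" click adds.
def verify(cert, trusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |anchor| store.add_cert(anchor) }
  ok = store.verify(cert)
  [ok, store.error_string]
end
```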

burningTyger commented Mar 27, 2011

Sorry for the misunderstanding. I thought about people looking at a scary browser message that tells them to either go away or ignore all warnings and accept this evil self-signed certificate. I've just been through this whole self-signed business with only 30 people. I had to force them to accept the cert :) So maybe default to http and make it voluntary to go https. Otherwise I agree with you. It's definitely the browsers that take part in all that.

wilkie commented Mar 27, 2011

@burningTyger nope, never thought you misunderstood. Just putting that there for everyone else. I want us to find a good solution to this, want careful consideration, and wanted to put up a quick (although not complete) explanation to aid this. :)

binarycleric commented Mar 29, 2011

I'd say offer HTTPS as an option (disabled by default, maybe) and use the cheaper SNI certs for now. Also put a giant warning explaining that if you are using an outdated OS then you're going to get a nasty warning error. Expand to a more widely accepted SSL cert once rstat.us becomes more popular.

Self-signing is NOT an option because of how the browsers treat it. The red screen of death that Chrome throws really scares the crap out of people who don't know any better.

wmeddie commented Mar 31, 2011

Although its root certificate is not installed by default in any browser yet, let me offer a possible alternative cert authority: http://www.cacert.org/ .

It's fairly secure (probably more so than other cheap certificate authorities), and free. Its community structure/governance might be a perfect fit for a distributed service like rstat.us.

steveklabnik commented Sep 14, 2011

Now that we own the server, this is feasible for a reasonable price. I'll investigate doing it soon.

carols10cents commented Jul 9, 2012

Actually now that we're back on heroku and they've made ssl endpoint $20/mo rather than $100/mo, and that basically any API auth should be going over https, I'm going to start working on this.

carols10cents commented Jul 21, 2012

Ok, I finally have https working, and you can choose to use HTTPS for all your rstat.us browsing.

I was starting to force https selectively for login pages and forms, etc, and it sure seems a lot easier to just force https for everything.

As far as potential issues with that, this article mentions performance (but says it's not really that big of a hit), CDNs (n/a for us), and caching (I don't think this is too much of an issue for us, but I don't really know what I'm talking about).

Does anyone think the above reasons, or any other reasons, are big enough issues that we shouldn't force https for everything/everyone?

steveklabnik commented Jul 21, 2012

It makes me sad, but it's probably a good idea. But then again, it's also good, too. This is one of those "I hold both opinions simultaneously" kinds of things.

Some of the caching stuff can be mitigated by setting the correct headers, etc.
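Forcing https for everything, as carols10cents describes above, together with the cache headers steveklabnik mentions, as one added example in plain Ruby (not rstat.us's own code): a Rack-style middleware that redirects plain-http GETs, refuses to replay plain-http form POSTs, sends HSTS only on TLS responses, and marks everything except static assets as private so it stays out of shared caches. It assumes the app sits behind a TLS-terminating proxy (such as Heroku's SSL endpoint) that sets X-Forwarded-Proto, and that static assets live under an assumed /assets/ prefix.

```ruby
# Plain-Ruby middleware following the Rack call(env) contract; no gems required.
class ForceHttps
  HSTS = "max-age=31536000"   # one year: browsers then refuse plain http for this host

  # public_paths: assumed prefix for static assets that may be cached by browsers
  def initialize(app, public_paths: ["/assets/"])
    @app = app
    @public_paths = public_paths
  end

  # Trust X-Forwarded-Proto only because the assumed deployment has a proxy in front
  # that overwrites it; without such a proxy, a client could forge it.
  def https?(env)
    (env["HTTP_X_FORWARDED_PROTO"] || env["rack.url_scheme"]) == "https"
  end

  def call(env)
    unless https?(env)
      # A form body that already travelled over plain http is already exposed; do not replay it.
      unless %w[GET HEAD].include?(env["REQUEST_METHOD"])
        return [403, { "Content-Type" => "text/plain" }, ["https required"]]
      end
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
      return [301, { "Location" => location }, []]
    end

    status, headers, body = @app.call(env)
    headers = headers.dup
    headers["Strict-Transport-Security"] = HSTS   # only ever sent over TLS
    if @public_paths.any? { |p| env["PATH_INFO"].to_s.start_with?(p) }
      # Assets are not per-user: let browsers (and any cache you run behind the proxy) keep them.
      headers["Cache-Control"] ||= "public, max-age=86400"
    else
      # Timelines and settings are per-user: keep them out of every shared cache.
      headers["Cache-Control"] ||= "private, no-store"
    end
    [status, headers, body]
  end
end
```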

carols10cents commented Jul 21, 2012

Why does it make you sad?

steveklabnik commented Jul 21, 2012

One of the neat features of the web architecture is shared caches. Full on TLS everywhere makes this really hard.

carols10cents commented Jul 22, 2012

ok... well... imma do it.

steveklabnik commented Jul 22, 2012

Doit.

carols10cents commented Jul 23, 2012

IT IS DONE.