Moparscape - RSPS Community

Announcements => MoparScape Announcements => Topic started by: Moparisthebest on October 23, 2015, 03:42:57 PM

Title: Mandatory HTTPS!
Post by: Moparisthebest on October 23, 2015, 03:42:57 PM
MoparScape.org has supported TLS/HTTPS for years now, but I've finally flipped the switch and now it is mandatory.  I've also added it to the chrome preload list and enabled the Public-Key-Pins HPKP header so if you've visited the site before, your browser will not allow you to be man-in-the-middled.

If you have any questions, go ahead and ask them, but you really shouldn't notice a difference except maybe a slight increase in speed. :)
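The two headers mentioned above can be sanity-checked before relying on them. The following is an added example, not MoparScape's own code: it parses Strict-Transport-Security and Public-Key-Pins headers and checks them against the 2015 hstspreload.org submission rules (max-age of at least 18 weeks, includeSubDomains, preload) and the RFC 7469 minimum for HPKP (at least two valid pins, one of them a backup). The sample headers and pin inputs are constructed placeholders.

```python
"""Check HSTS and HPKP headers the way a preload-list submission would.
Added example, not MoparScape's own code; sample values are constructed."""
import base64
import hashlib
import re

PRELOAD_MIN_MAX_AGE = 18 * 7 * 24 * 3600   # 18 weeks (10886400 s), the 2015 preload threshold
PIN_RE = re.compile(r"[A-Za-z0-9+/]{43}=")  # base64 of a 32-byte SHA-256 digest


def parse_directives(header):
    """Split 'a=1; b; c="x"' into a dict. Bare directives map to True;
    the repeatable pin-sha256 directive is collected into a list."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else True
        if name == "pin-sha256":
            out.setdefault(name, []).append(value)
        else:
            out[name] = value
    return out


def check_hsts(header):
    """Return the reasons a Strict-Transport-Security header would be rejected for preloading."""
    d = parse_directives(header)
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        return ["max-age missing or not an integer"]
    problems = []
    if int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age below the preload minimum of {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def check_hpkp(header):
    """Return the RFC 7469 violations in a Public-Key-Pins header."""
    d = parse_directives(header)
    problems = []
    pins = d.get("pin-sha256", [])
    if len(pins) < 2:
        problems.append("at least two pins required (one must be a backup key)")
    for pin in pins:
        if not PIN_RE.fullmatch(pin):
            problems.append(f"pin is not base64 SHA-256: {pin!r}")
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    return problems


def pin_for_spki(spki_der):
    """Compute the pin-sha256 value for a SubjectPublicKeyInfo given as DER bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


if __name__ == "__main__":
    # Constructed headers; the pins hash placeholder bytes, not real keys.
    hsts = "max-age=31536000; includeSubDomains; preload"
    hpkp = (f'pin-sha256="{pin_for_spki(b"current-key-placeholder")}"; '
            f'pin-sha256="{pin_for_spki(b"backup-key-placeholder")}"; max-age=2592000')
    print("HSTS problems:", check_hsts(hsts) or "none")
    print("HPKP problems:", check_hpkp(hpkp) or "none")
```

Point the functions at the headers of a live response (for example from an HTTP client) to audit a deployment the way the preload submission form does.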
Title: Re: Mandatory HTTPS!
Post by: doom_j on October 23, 2015, 03:45:00 PM
Great! Now both irc and site force it. NSA won't be able to read our chats about taking over the government and creating a new one based around the #mopar channel.
Title: Re: Mandatory HTTPS!
Post by: t4 on October 23, 2015, 07:38:53 PM
i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 23, 2015, 07:52:42 PM
i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:
Title: Re: Mandatory HTTPS!
Post by: t4 on October 23, 2015, 10:11:19 PM
i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:
So you're suggesting that it should be up to the user to enable secure transmissions? What if the user makes a mistake or is unaware (not technically versed)? Why even run the plaintext service if the secure service doesn't generate that much overhead?
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 23, 2015, 11:52:55 PM
i don't understand why people think that a low, even non-existent, probability of being spied on warrants the dismissal of security altogether, especially if it doesn't/hardly inconveniences the end-user.
yeah, because having https be a default, even though optional, feature, instead of being mandatory, is the same thing as a complete dismissal of security :rolleyes:
So you're suggesting that it should be up to the user to enable secure transmissions?
Yes, that is exactly what I'm saying. Or rather, users should be able to disable it if they wish. If the option is there, I'm pretty sure any modern browser will default to https.
Title: Re: Mandatory HTTPS!
Post by: sini on October 24, 2015, 12:46:24 AM
I thought HTTP 2.0 mandated that SSL be enforced.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on October 24, 2015, 02:54:07 AM
Awesome
Title: Re: Mandatory HTTPS!
Post by: Graham on October 24, 2015, 05:09:57 AM
I thought HTTP 2.0 mandated that SSL be enforced.

The spec doesn't, however, all major browsers only implement HTTP/2 over TLS.
Title: Re: Mandatory HTTPS!
Post by: Lothy on October 25, 2015, 01:48:03 AM
You guys who want it to be optional need to appreciate the benefits of HTTPS-everywhere internet. Namely the gross amount of noise created to assist in obscuring the transmissions of people living under less fortunate regimes.
Title: Re: Mandatory HTTPS!
Post by: Moparisthebest on October 26, 2015, 07:54:03 AM
For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

Why?

I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
Title: Re: Mandatory HTTPS!
Post by: Bowser jr on October 26, 2015, 08:15:21 AM
Soon Moparscape will be illegal under the current Cameron regime.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on October 28, 2015, 04:17:51 AM
For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

Why?

I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don't understand their thought process.. maybe it's government brainwashing??
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 28, 2015, 08:27:01 PM
No one has an answer to that question because there is no valid answer. These people start with a shitty argument, maybe re-state the shitty argument a bit, make some jokes and/or personal attacks, and then just stop posting. I really don't understand their thought process.. maybe it's government brainwashing??
Maybe it's Maybelline.


For anyone wanting it to be optional I'd ask this honest question, and I really do want an answer:

Why?

I see absolutely no reason for any website to offer http instead https anymore, as far as I can tell there aren't any downsides, and there are a bunch of upsides.  For example HTTP/2, Brotli compression, and probably all new features in the future will only be supported over https anyhow.
Ok, you can ask "Why?", but the exact same can be asked about not supporting HTTP as a fallback. Why? Nobody is denying the upsides of HTTPS here. You can keep it enabled and it'll stay default. But still, I see absolutely no reason for this website (and I do use 'this' on purpose, because some websites should force https) to not offer http as an option if https is already enabled and default. As far as I can tell, there aren't any downsides, and it's a good fallback if for some reason we have a cert problem and everyone won't be able to view the site because "THIS CONNECTION IS UNTRUSTED"
Title: Re: Mandatory HTTPS!
Post by: t4 on October 28, 2015, 11:32:37 PM
The expired cert problem is a webmaster problem, not a TLS problem. Also, I don't think the content of the data has any bearing of whether or not to implement and enforce security. I don't see any negatives of TLS.
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 29, 2015, 01:14:43 AM
Also, I don't think the content of the data has any bearing of whether or not to implement and enforce security.
Really? I personally believe you need to factor in everything when you weigh the pros/cons of implementing any type of security. Not every worksite needs ID badges and fingerprint scanners if the benefit doesn't outweigh the hassle. Obviously when you deal with more sensitive information, you implement more security, no? We'll just assume you were speaking strictly about TLS though, because like it's been said the hassle is pretty low and probably won't be noticeable if everything goes as it should. So yes, I think it's fair to say there is no reason to not implement SSL.

When you go from 'implement' to 'require' though, you have to reevaluate everything. You say "no negatives", but you listed one right there? If a cert expires, I don't really care whose problem it is, do I? Now it's my problem, because I can't access the website. Sure, it's not "directly" a negative of SSL, it's a negative of inattentiveness. Whatever. If only I had a HTTP version of the site to access in the meantime. So now we have one negative. We won't talk about any others because personally I don't know if the caching or ad-related mixed mode issues are still there. So now we weigh the benefits of enforcing TLS over allowing TLS, taking into account that it is used by default if available. What are those benefits? That's what I haven't heard yet, which is why I am not yet convinced that the benefits of enforcing it outweigh even the slightest chance of something like an expired cert.


As a side note, I was getting NGINX errors when trying to access the site early today. What was that?
Title: Re: Mandatory HTTPS!
Post by: Lothy on October 29, 2015, 01:46:57 AM
Dude, if that's your one worry then don't sweat it - the current certificate won't expire until 2017.

Stop prattling, it's unbecoming.
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 29, 2015, 01:57:49 AM
Hey, I said it was a slight chance. But even 0.00001 is greater than 0 if there's no benefit to enforcing over implementing it as a default. Which is what I'm asking about
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on October 29, 2015, 03:13:17 AM
Complaining about https because the cert might expire is like demanding a host support telnet because their ssh support is unreliable and sometimes doesn't let you login (man the 70s were great telnet always worked, none of this encryption shit). It might well be a real problem and you're within your rights to take it up with the host, but it would be foolish to downgrade to telnet.

You're taking a very narrow minded view of this - as people have already stated in multiple topics, the reason for enforcement is that there's no reason for *any* website to support unencrypted comms in 2015. This isn't just about moparscape.
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 29, 2015, 03:56:30 AM
the reason for enforcement is that there's no reason for *any* website to support unencrypted comms in 2015.
I guess I just disagree then. I see nothing wrong with supporting unencrypted comms in -insert year-, if that's what the client has explicitly requested. Whatever, it's done. I'm sure it wont actually cause problems, it's just a principle thing that I disagree with I guess.
Title: Re: Mandatory HTTPS!
Post by: sini on October 29, 2015, 04:42:03 AM
what
does
it
matter
david
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 29, 2015, 01:14:10 PM
Whatever, it's done.
Title: Re: Mandatory HTTPS!
Post by: Moparisthebest on October 30, 2015, 03:52:25 PM
As far as I can tell, there aren't any downsides, and it's a good fallback if for some reason we have a cert problem and everyone won't be able to view the site because "THIS CONNECTION IS UNTRUSTED"

Actually new Firefox, and soon if not already Chrome and then inevitably other browsers now show a big "THIS CONNECTION IS UNTRUSTED" warning on http. :)  That was actually one of the many reasons to do this.
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 30, 2015, 05:30:26 PM
As far as I can tell, there aren't any downsides, and it's a good fallback if for some reason we have a cert problem and everyone won't be able to view the site because "THIS CONNECTION IS UNTRUSTED"

Actually new Firefox, and soon if not already Chrome and then inevitably other browsers now show a big "THIS CONNECTION IS UNTRUSTED" warning on http. :)  That was actually one of the many reasons to do this.
Do you have a source for that? I believe that is incorrect. AFAIK that warning shows when you attempt to use https and the site has an invalid cert. I use the latest firefox and never get that warning on http.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on October 30, 2015, 06:24:01 PM
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
https://www.cnet.com/news/chrome-becoming-tool-in-googles-push-for-encrypted-web/

I've always found it a bit bizarre that browsers have been letting people browse unencrypted websites with no warning for all these years, but as soon as a website that actually uses encryption presents a bad cert you get a massive fuck off warning about it.

maybe microsoft were way ahead of their time when they had this shit in 1920 or whenever it was:
[image missing]
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 30, 2015, 07:22:20 PM
Ok so yeah, it's not on firefox yet.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on October 30, 2015, 08:05:57 PM
oh maybe we should have just waited then, fudge security anyway amirite guys
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 30, 2015, 11:09:35 PM
or maybe you should stop being a sarcastic asshole. i was just factchecking the incorrect statement
Title: Re: Mandatory HTTPS!
Post by: RuneAgent on October 31, 2015, 06:10:45 AM
It should also be noted that google search engine algorithms rank mandatory https higher.
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on October 31, 2015, 01:20:35 PM
I like being able to cache my webpages. My internet is slow as it is especially in my area, having to always load the page isn't really something I'd fancy.

Security over performance, in my case I'd prefer performance.
What area are you in, just out of curiosity
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on October 31, 2015, 02:08:29 PM
I like being able to cache my webpages. My internet is slow as it is especially in my area, having to always load the page isn't really something I'd fancy.

Security over performance, in my case I'd prefer performance.
Is that because you're trying to cache with a proxy? I used to do this on my old network since it was slow as balls.

It is definitely possible to have a proxy server cache https - I did it for a few selected domains (google, youtube, wikipedia). If you wanted to support every website you'd have to setup your own CA on the server, trust it from each machine, and have the server dynamically issue certs for each website you visit. Sounds like a pain in the ass but if you genuinely need a proxy cache that's your only option, since that's the way the internet is moving.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on November 01, 2015, 07:46:03 AM
I'm not using a proxy, haven't thought about it really. I wouldn't really want to use it though.
So your browser doesn't cache content served over https? That doesn't sound right at all.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on November 01, 2015, 10:09:34 AM
I'm not using a proxy, haven't thought about it really. I wouldn't really want to use it though.
So your browser doesn't cache content served over https? That doesn't sound right at all.
HTTPS does not cache content at all
HTTPS handles caching in the exact same way as HTTP. If your browser isn't caching secure pages then this is because it is *choosing* not to do so. Either change the setting, upgrade, or switch to a better browser.

It may also be the case that certain websites (possibly this one??) are not sending the correct cache control headers over https due to misconfiguration. Again, webmaster's problem that needs to be raised with them.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on November 01, 2015, 11:26:37 AM
No need to apologise, if you want to use old broken tech then the onus is on you when shit goes wrong.

Regardless, IE does cache HTTPS by default provided the server sends the correct headers. If it doesn't, then report it to mitb and I'm sure he'll fix it. If it doesn't work even with the correct headers then report it to microsoft because this is a bug. Your responsibility as an end user doesn't include having to mess around with technical config but all you're doing is old man grumbling if you don't report faults.
Title: Re: Mandatory HTTPS!
Post by: justaguy on November 01, 2015, 11:42:29 AM
Your problem is that you're still using IE.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on November 01, 2015, 02:01:07 PM
Even so, the cost of using SSL is another downfall for speed. I sometimes browse the site on 3g when I'm on the go, certain places I get E or even GPRS, it's understandable for slow speed however using 3G or poor 4G it's a bit of a wait.
I don't think you should be getting such a big performance hit on mobile. Maybe if the latency is already a few seconds then worst case add a few more for https. If what you're saying is true and not just perceived I bet there are more optimisations to be made on the server (session reuse would help a lot if it's not doing it already).

Can you run this to quantify the difference? https://www.httpvshttps.com/ Https was faster for me but I imagine it'll be different on a high latency network.

It would also be interesting to see the results of that on your slow home connection.
Title: Re: Mandatory HTTPS!
Post by: t4 on November 01, 2015, 03:32:35 PM
Even so, the cost of using SSL is another downfall for speed. I sometimes browse the site on 3g when I'm on the go, certain places I get E or even GPRS, it's understandable for slow speed however using 3G or poor 4G it's a bit of a wait.
I don't think you should be getting such a big performance hit on mobile. Maybe if the latency is already a few seconds then worst case add a few more for https. If what you're saying is true and not just perceived I bet there are more optimisations to be made on the server (session reuse would help a lot if it's not doing it already).

Can you run this to quantify the difference? https://www.httpvshttps.com/ Https was faster for me but I imagine it'll be different on a high latency network.

It would also be interesting to see the results of that on your slow home connection.
cool test, HTTP is 356% slower than HTTPS for me
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on November 01, 2015, 03:37:24 PM
yea I got that a couple of times too, probably caching.. it recommends running each test in a fresh session.
Title: Re: Mandatory HTTPS!
Post by: t4 on November 01, 2015, 03:38:50 PM
yea I got that a couple of times too, probably caching.. it recommends running each test in a fresh session.
but HTTPS cannot cache? :confused: :confused: :confused: :confused: :confused: :confused:
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on November 01, 2015, 03:40:29 PM
I definitely trust the results of a website that says "https is faster" in the title before even letting you run the test. It takes me 5 seconds to load 2mb of images? I call bullshit.

yea I got that a couple of times too, probably caching.. it recommends running each test in a fresh session.
It says in the description that it has disabled caching completely on the webserver. (Part of why HTTPS might be faster for some people, they are giving it the best possible circumstances; though I personally suspect they have other settings too)
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on November 01, 2015, 03:41:13 PM
rofl
Title: Re: Mandatory HTTPS!
Post by: sini on November 01, 2015, 06:29:00 PM
this conversation
Title: Re: Mandatory HTTPS!
Post by: Moparisthebest on November 02, 2015, 07:16:10 AM
As far as I can tell, there aren't any downsides, and it's a good fallback if for some reason we have a cert problem and everyone won't be able to view the site because "THIS CONNECTION IS UNTRUSTED"

Actually new Firefox, and soon if not already Chrome and then inevitably other browsers now show a big "THIS CONNECTION IS UNTRUSTED" warning on http. :)  That was actually one of the many reasons to do this.
Do you have a source for that? I believe that is incorrect. AFAIK that warning shows when you attempt to use https and the site has an invalid cert. I use the latest firefox and never get that warning on http.

I couldn't find a link about firefox doing this, but someone in IRC showed me a screenshot of the latest firefox beta showing this warning on moparscape.org, so I know it's planned at least.

I like being able to cache my webpages. My internet is slow as it is especially in my area, having to always load the page isn't really something I'd fancy.

Security over performance, in my case I'd prefer performance.

Actually HTTPS is faster, due to being able to use SPDY 2/3 instead of HTTP/1.1 on this server, and soon I'll offer HTTP/2 as well (again only over https).  Of course you need a browser that supports those, but any chrome or firefox from the last few years will do.  Also as others have pointed out, http/https cache semantics are identical.
Title: Re: Mandatory HTTPS!
Post by: Justin Bieber on November 03, 2015, 10:25:03 AM
in seriousness, I posted that test so that we could quantify the difference in http/https performance for people having performance problems. because nothing is going to get fixed if we keep saying HTTPS IS FASTR THAN HTTP or HTTP IS FASTER THAN HTTPS. if anyone has a better test then go ahead and post it.
Title: Re: Mandatory HTTPS!
Post by: Moparisthebest on November 03, 2015, 12:37:59 PM
A standard apt-get upgrade pulled in a new minor release of nginx, which for some reason removed spdy and replaced it with http2, so now we have full http2 support for free.

Enjoy!
Title: Re: Mandatory HTTPS!
Post by: t4 on November 03, 2015, 05:59:59 PM
but my browser doesn't support nginx  :confused: :confused: :confused: :confused: :confused:
Title: Re: Mandatory HTTPS!
Post by: Lothy on November 04, 2015, 12:06:01 AM
but my browser doesn't support nginx  :confused: :confused: :confused: :confused: :confused:
Yeah well my network doesn't support networking   :confused: :confused: :confused: :confused: :confused:
Title: Re: Mandatory HTTPS!
Post by: sini on November 04, 2015, 12:57:45 AM
you guys are quality memers
Title: Re: Mandatory HTTPS!
Post by: Tom on November 04, 2015, 10:12:43 AM
A standard apt-get upgrade pulled in a new minor release of nginx, which for some reason removed spdy and replaced it with http2, so now we have full http2 support for free.

Enjoy!

That's some proper exciting news, thanks mopar, I knew waiting 12 years for you to do something would pay off. :D
Title: Re: Mandatory HTTPS!
Post by: Davidi2 on November 04, 2015, 10:45:22 PM
I couldn't find a link about firefox doing this, but someone in IRC showed me a screenshot of the latest firefox beta showing this warning on moparscape.org, so I know it's planned at least.
As far as I can see, the warning shows when using mixed-mode HTTPS, assuming he was referring to the Firefox update that went out in the last couple days. HTTP still doesn't have a warning AFAIK

As of my firefox update today I did get new things:
HTTP: [screenshot missing]
Mixed-mode HTTPS: [screenshot missing]
Fully-secured HTTPS: [screenshot missing]


If that second picture looks like what he showed you, it might've been that there were images on the MPSC page he was looking at that weren't using https. I get that warning still on MPSC even with the enforced HTTPS now that I've linked puush screenshots which isn't using SSL (second picture)
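The mixed-content case described in this post (an https page embedding an image served over plain http) can be found before a browser flags it. The following is an added example, not MoparScape's or any poster's code: it walks a page's HTML and lists every subresource a browser would fetch over http, separating active content (scripts, stylesheets, frames), which browsers block, from passive content (images, media), which only downgrades the padlock. The page URL, hostnames and HTML are constructed placeholders.

```python
"""Find http:// subresources in a page served over https (mixed content).
Added example, not code from the forum; all sample URLs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that carries the fetched URL. Active content is blocked by
# browsers; passive content only triggers the mixed-content warning icon.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, ref = "active", attrs.get(ACTIVE[tag])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            kind, ref = "active", attrs.get("href")
        elif tag in PASSIVE:
            kind, ref = "passive", attrs.get(PASSIVE[tag])
        else:
            return
        if not ref:
            return
        # Relative and protocol-relative ("//host/x") references inherit the
        # page's https scheme, so only explicit http:// references are flagged.
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def scan(page_url, html):
    """Return [(kind, tag, url), ...] for every subresource fetched over plain http."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def has_blocked_content(findings):
    """True when any finding is active content, i.e. the browser would refuse to load it."""
    return any(kind == "active" for kind, _, _ in findings)


# Constructed sample: a forum post page on https with one http image (the
# screenshot case from the thread) and one http script.
PAGE_URL = "https://forum.example.invalid/index.php?topic=1"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/theme.css">
<script src="http://cdn.example.invalid/lib.js"></script>
</head><body>
<img src="//static.example.invalid/logo.png">
<img src="http://img.example.invalid/shot.png">
<img src="images/smiley.gif">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```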
Title: Re: Mandatory HTTPS!
Post by: Bowser jr on November 05, 2015, 01:03:11 PM
Because speed is important on Moparscape.

And I get no conclusive results from HTTPvsHTTPS
Title: Re: Mandatory HTTPS!
Post by: Pwnd on November 05, 2015, 10:36:49 PM
This topic should be locked.