https for the forum

Started by prissi, November 22, 2015, 07:39:52 PM


prissi

Currently https://forum.simutrans.com leads to a non-https interesting entry page (probably the 404 for this server?)

Given that we also use passwords, private messages and stuff, maybe it is time to do this as https, because there is now the Let's Encrypt small revolution, which turns a Linux Apache- or Nginx-served domain (like forum.simutrans.com) into https with absolutely minimal action, including free certificates, certificate renewal etc. (See https://letsencrypt.org/ ) It requires one small tool (which must run as root), but it is open software.

Essentially, after downloading the Python script from git, there is only one action needed: "letsencrypt run" on the command line. See here: https://letsencrypt.org/howitworks/

Maybe this is something we should consider doing too. In Germany the c't magazine (Europe's biggest subscribed computer magazine) promotes this, even though it is still beta on the website.

Ters

Quote from: prissi on November 22, 2015, 07:39:52 PM
Currently https://forum.simutrans.com leads to a non-https interesting entry page (probably the 404 for this server?)

Looks more like the "I don't know what server you were trying to reach" page for our hoster.

I fail to see why letsencrypt requires root access, except for its automatic server reconfiguration (which I wouldn't trust for anything). I'm also a bit surprised that they give out certificates for free and so easily, when it was my understanding that proving that one really is who one says is very complicated in order to be trustworthy. If this really is trustworthy, every other CA should be out of business in an instant.

Another question is whether we should require HTTPS. If we don't, few would probably use it. If we do, we might make ourselves unreachable from certain countries that don't like not seeing what their citizens do online. I read somewhere that the latter turned out to be a problem for Wikipedia.

Isaac Eiland-Hall

I have been eagerly awaiting LetsEncrypt. They were originally supposed to be live in summer 2015, but obviously delayed. The open beta starts in a couple of weeks. I've been signed up for closed beta for a while, but never have gotten invited.

As soon as I'm able to get certificates, I'll be adding them. :) (But I couldn't afford the yearly cost until now)

Quote from: Ters on November 22, 2015, 08:47:14 PM
I'm also a bit surprised that they give out certificates for free and so easily, when it was my understanding that proving that one really is who one says is very complicated in order to be trustworthy. If this really is trustworthy, every other CA should be out of business in an instant.

When https was first rolled out, it was envisioned for rare events - a credit card purchase, for example. But these days, we've realized that any site that requires a password should use it. The philosophy is that this latter usage is more important - that it doesn't so much matter who the server is, but rather to provide a secure connection. Also, it's not a good way of preventing attacks on the web - that certificate authorities don't have the resources or methods to keep track of who is illegitimate.

Google and Firefox track malware sites; and LetsEncrypt will prevent issuing a certificate to any site on that list - which seems logical to me.

DrSuperGood

Does one need such security? Yes your Simutrans account might be compromised, the hackers might do... Uhhh... Post naughty messages with it!

As far as I am aware this site is and should not be dealing with very sensitive information, the kind of information that requires decent security.

I would advise enabling https for people who want to feel secure, but beyond that no further actions with http still used. Maybe put up a banner if people use http recommending the "more secure" https protocol but more than that really is not needed.

The worst case scenario would probably be the compromise of an admin account giving advertisement robots a free run at the site until the server owners manually override the account. This would be solved with https since the admins and mods should know of that and be using it over the then "obsolete" http.

prissi

The script needs root access, because in order to get the automatic certificate, it must access the web server settings, save files in /etc (the certificate key), and (most important) to automatically prove you control the server for the free (because automatic) certificate, you have to show a specific file with a specific message to the server of the CA.

The idea behind https for everything is first to make the web more safe. Currently https for everything is hard, because a lot of ads are not https. Also people do not pay much attention to certificates at all, and (yes, even I) people do reuse passwords. Not to mention that any encrypted server will make it harder for the good (? your favorite secret service) as well as the bad (the phisher next door, or the great firewall of a less developed dictator) to filter the traffic. There are even more reasons, but these may be the main ones.

And the best is: It comes without any disadvantage for the user.

About the beta status: You do not have to wait (at least according to the magazine), you can just download the software from git directly. (Means of course that there must be git in the server.)

Ters

Quote from: Isaac.Eiland-Hall on November 22, 2015, 09:31:22 PM
When https was first rolled out, it was envisioned for rare events - a credit card purchase, for example. But these days, we've realized that any site that requires a password should use it. The philosophy is that this latter usage is more important - that it doesn't so much matter who the server is, but rather to provide a secure connection. Also, it's not a good way of preventing attacks on the web - that certificate authorities don't have the resources or methods to keep track of who is illegitimate.

The certificate is the only thing ensuring me that it's my bank I log into, and not some site made to look like it and steal all my money. If all you need is to encrypt the communication without caring who is on the other side, you can just use self-signed certificates. However, without confirmation that the other side isn't someone else, encryption is pointless.

Quote from: prissi on November 22, 2015, 10:50:37 PM
The script needs root access, because in order to get the automatic certificate, it must access the web server settings, save files in /etc (the certificate key), and (most important) to automatically prove you control the server for the free (because automatic) certificate, you have to show a specific file with a specific message to the server of the CA.

Their technical documentation page does not describe that the "prove you own the server" needs to be automatic. And what if I don't want to put my certificates in /etc? What if I don't have root access, but only access to the web server configuration files and the directory containing the web pages?
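
What the "specific file with a specific message" looks like, as an added example that is not part of any post in this thread: in the ACME HTTP-01 challenge as standardized in RFC 8555, the file name is the CA's token and its content binds that token to the account key, so placing it needs only write access to the web root. The JWK and token are constructed values, and that the 2015 beta client used exactly this layout is an assumption.

```python
import base64
import hashlib
import hmac
import json
import re

# RFC 7638: the members that enter the thumbprint, per key type.
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """SHA-256 over the canonical JSON of the key's required members."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def http01_challenge(token, account_jwk):
    """Return (URL path, file body) the CA expects to fetch over plain HTTP."""
    # Reject anything outside the token alphabet so a corrupted or hostile
    # token can never become a path like ../../etc/passwd under the web root.
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside base64url")
    return ("/.well-known/acme-challenge/" + token,
            token + "." + jwk_thumbprint(account_jwk))


def ca_accepts(served_body, token, account_jwk):
    """CA-side check: the served body must equal the key authorization."""
    expected = http01_challenge(token, account_jwk)[1]
    return hmac.compare_digest(served_body.rstrip().encode(), expected.encode())


# Constructed sample values, not a real account key or CA token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXM", "kid": "ignored"}
SAMPLE_TOKEN = "constructed-token_0123"

if __name__ == "__main__":
    path, body = http01_challenge(SAMPLE_TOKEN, SAMPLE_JWK)
    print(path)
    print(body)
    print(ca_accepts(body + "\n", SAMPLE_TOKEN, SAMPLE_JWK))
```
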

Isaac Eiland-Hall

Quote from: Ters on November 23, 2015, 06:26:13 AM
If all you need is to encrypt the communication without caring who is on the other side, you can just use self-signed certificates. However, without confirmation that the other side isn't someone else, encryption is pointless.

And self-signed certificates pop up a warning in the browser that scares people.

And encryption is not pointless: http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/

Also: http://arstechnica.com/business/2011/03/https-is-great-here-is-why-everyone-needs-to-use-it-so-ars-can-too/

Quote from: prissi on November 22, 2015, 10:50:37 PM
About the beta status: You do not have to wait (at least according to the magazine), you can just download the software from git directly. (Means of course that there must be git in the server.)

I have trouble with this because of the secured environment I've set up, alas. But it won't be long until the beta is opened anyway. :)

Quote from: DrSuperGood on November 22, 2015, 09:37:55 PM
Does one need such security? Yes your Simutrans account might be compromised, the hackers might do... Uhhh... Post naughty messages with it!

As far as I am aware this site is and should not be dealing with very sensitive information, the kind of information that requires decent security.

I would advise enabling https for people who want to feel secure, but beyond that no further actions with http still used. Maybe put up a banner if people use http recommending the "more secure" https protocol but more than that really is not needed.

The worst case scenario would probably be the compromise of an admin account giving advertisement robots a free run at the site until the server owners manually override the account. This would be solved with https since the admins and mods should know of that and be using it over the then "obsolete" http.

Many users reuse passwords across multiple sites. It's quite possible that someone might reuse a banking password that got captured and used. Your worst case scenario is most definitely not the worst case scenario by any means. I frankly don't feel like trying to write up a real worst case scenario, but there are lots of personal details in the database that would not do well to be exposed. And never mind someone logging in as admin and putting ads or making posts, but how about deleting all of the forum?

And nobody has suggested the forcible use of https, nor will it be done; at least certainly not in the foreseeable future.

Ters

Quote from: Isaac.Eiland-Hall on November 23, 2015, 02:35:02 PM
And self-signed certificates pop up a warning in the browser that scares people.

That's because they haven't said that they trust it, nor does anyone they trust trust it. I don't fully trust letsencrypt's way of trusting people.

Quote from: Isaac.Eiland-Hall on November 23, 2015, 02:35:02 PM
And encryption is not pointless: http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/

It is if you are using an encryption key you've got from Mr. Maninthemiddle and not from whoever you wanted to communicate with. SSL does make it a bit harder to snoop on the traffic, since you need to do some preparations. I wish there were clear levels of security, but I suspect people wouldn't understand them. There are actually two security levels for certificates, but the way browsers show the difference is rather subtle.

Quote from: Isaac.Eiland-Hall on November 23, 2015, 02:35:02 PM
Many users reuse passwords across multiple sites. It's quite possible that someone might reuse a banking password that got captured and used. Your worst case scenario is most definitely not the worst case scenario by any means. I frankly don't feel like trying to write up a real worst case scenario, but there are lots of personal details in the database that would not do well to be exposed. And never mind someone logging in as admin and putting ads or making posts, but how about deleting all of the forum?

And nobody has suggested the forcible use of https, nor will it be done; at least certainly not in the foreseeable future.

The problem is that those who reuse passwords are likely to not be one of those opting in for HTTPS.

Isaac Eiland-Hall

I was wrong on one point, not directly related to the debate on the subject: Apparently, with the switch from CentOS to CloudLinux, I gained git along the way.

Also, I received word today that my beta access was approved — though I signed up with panamacitypc.com, so I don't know if I'll be able to add other domains; but hopefully so. Either way, it looks like it from the documentation.

Meanwhile, though, trying to install letsencrypt and it's currently complaining about the Python version. So I'm in research mode.

I'm going to try and work on getting it installed; if I'm able to, I'll start testing on hopefully a less important domain on the server. It seems that there may be some debate over whether or not to roll it out to be available on Simutrans sites, if it indeed becomes available. I can state conclusively that I will not force it on anyone, though, for sure. Certainly not at this time (who knows what happens years/decades from now; that's all I mean by "at this time"; I currently see no reason to force it at this time for the foreseeable).

And if nothing else, thank you to Ters for posting so I could be lazy and make a new reply that wouldn't be a doublepost. ;-)

Isaac Eiland-Hall

The LE client didn't compile, complaining about the version of Python. I did more reading — a lot of threads on the LE website — and, long story short, I'm holding off for now. Oftentimes, "beta" means "It's pretty darned functional, we just haven't ironed out all the bugs", but in this case, it really means "we have it working on a couple of setups, but a long long way to go". So I think it may be a little while before I can get it running.

Your patience is desired, those of you who want this badly. :)

captain crunch

This seems to be working now.
Edit: The topmost logo is not loaded, as its URI protocol is still http.