
Thread: thank you! - All forums now HTTPS

  1. #11
    Join Date
    Mar 2011
    Location
    Germany
    Posts
    87

    Default Re: thank you! - All forums now HTTPS

    Another thing that came to my mind:
    are there plans to enable SSL for NNTP users too?

    --
    openSUSE Ambassador & Member

    What was that you were saying about Linux being a headache?
    Sorry, I couldn't hear you over the sound of openSUSE being awesome.
    -- Helen South on opensuse-marketing Mailinglist

  2. #12

    Default Re: thank you! - All forums now HTTPS

    Quote Originally Posted by tux93 View Post
    Another thing that came to my mind:
    are there plans to enable SSL for NNTP users too?
    I would really love to, and I have asked about it. From what I was told, this was discussed some time ago, and the problem is that some NNTP clients do not play well with SSL. If you want to put it as a separate thread in this section, I think it might be worth some discussion.

    What I really like about using SSL for NNTP is that we can then require authentication for posting. It would really cut down on the NNTP spam.

  3. #13
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,851

    Default Re: thank you! - All forums now HTTPS

    Quote Originally Posted by MatthewEhle View Post
    We don't enforce HTTPS for anonymous users, but they should be able to just put the "s" in there and start using it that way if they choose. HSTS is enabled as well, so if you start using HTTPS, it should be enforced by Firefox and Chrom(e|ium).

    For authenticated users, this should be a different story. You ought to have a cookie set that is named "authenticated" if you are logged in. Our ADC looks for that cookie and redirects you to HTTPS if you aren't already using it. Furthermore, the session cookie has the secure flag set, so you really shouldn't be authenticated over a non-secure connection. It seems to have worked very consistently, so I would be interested if you have found a way to "break" it!
    Sorry, for some reason I missed this one.

    I can not completely follow you (lack of technical knowledge), but I guess I do rather normal things and thus when the forums change to HTTPS, I should either be required to do something (which I was not, or did I miss some announcement?), or it should change painlessly. Now it is painless up until now, but there is no change for me.

    I normally start the forums by using a Favorite to -http://forums.opensuse.org/- (minus signs by me to avoid interpretation). I then log in there. It is now at -http://forums.opensuse.org/forum.php-

    Then I use RSS feeds on the different forums to see new threads. When I open an entry there it is also no HTTPS.

    Then I get mails to threads I am subscribed to when there is a new post. The links in these emails are all HTTP ones. And they do not change to HTTPs when used.

    I guess this all fits into the category "authenticated users". I tried to find a cookie named "authenticated", but failed. I searched in domains with opensuse (you did not tell which domain).

    HTH and I am willing to do some more tests if that helps you. (but tomorrow MET )
    Henk van Velden

  4. #14

    Default Re: thank you! - All forums now HTTPS

    Quote Originally Posted by hcvv View Post
    Sorry, for some reason I missed this one.

    I can not completely follow you (lack of technical knowledge), but I guess I do rather normal things and thus when the forums change to HTTPS, I should either be required to do something (which I was not, or did I miss some announcement?), or it should change painlessly. Now it is painless up until now, but there is no change for me.

    I normally start the forums by using a Favorite to -http://forums.opensuse.org/- (minus signs by me to avoid interpretation). I then log in there. It is now at -http://forums.opensuse.org/forum.php-

    Then I use RSS feeds on the different forums to see new threads. When I open an entry there it is also no HTTPS.

    Then I get mails to threads I am subscribed to when there is a new post. The links in these emails are all HTTP ones. And they do not change to HTTPs when used.

    I guess this all fits into the category "authenticated users". I tried to find a cookie named "authenticated", but failed. I searched in domains with opensuse (you did not tell which domain).

    HTH and I am willing to do some more tests if that helps you. (but tomorrow MET )
    Do you run any type of extension or setting that blocks cookies by default? Also, what browser do you use?

    The domain for the "authenticated" cookie should be opensuse.org (no subdomain). What's more interesting is that you could even be logged in without being HTTPS. There is a special flag on the session cookie that should keep it from being sent over a non-secure connection.

    If I had to make an educated guess, I would say that you are probably using HTTPS, but your browser is not showing it for some reason. Maybe there is some image or other piece of content that is not being loaded securely, and is causing your browser to not display the page as secure.

  5. #15
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,851

    Default Re: thank you! - All forums now HTTPS

    Quote Originally Posted by MatthewEhle View Post
    Do you run any type of extension or setting that blocks cookies by default? Also, what browser do you use?

    The domain for the "authenticated" cookie should be opensuse.org (no subdomain). What's more interesting is that you could even be logged in without being HTTPS. There is a special flag on the session cookie that should keep it from being sent over a non-secure connection.

    If I had to make an educated guess, I would say that you are probably using HTTPS, but your browser is not showing it for some reason. Maybe there is some image or other piece of content that is not being loaded securely, and is causing your browser to not display the page as secure.
    I run (of course) NoScript in FF. NoScript shows that nothing is blocked in the -forums.opensuse.org- pages.
    During login there are one or two sites blocked (I can specify them tomorrow).

    And I do not allow all cookies. But normally for anything openSUSE (and Novell, and since some days Attachmate) I allow (at least for session).

    I have 24 cookies from -forums.opensuse.org- and three from -opensuse.org-, one is called lb_opensuse and the other two have names of many capital letters and numbers.

    Another observation is that I can change the URL of a forums page (this one e.g.) in FF by adding https:// in front. It then loads the same page, but complete with closed lock symbol in the address field (and the https:// of course). Thus I can switch, but only by force and not at all in daily life.
    Henk van Velden

  6. #16

    Default Re: thank you! - All forums now HTTPS

    Quote Originally Posted by hcvv View Post
    I run (of course) NoScript in FF. NoScript shows that nothing is blocked in the -forums.opensuse.org- pages.
    During login there are one or two sites blocked (I can specify them tomorrow).

    And I do not allow all cookies. But normally for anything openSUSE (and Novell, and since some days Attachmate) I allow (at least for session).

    I have 24 cookies from -forums.opensuse.org- and three from -opensuse.org-, one is called lb_opensuse and the other two have names of many capital letters and numbers.

    Another observation is that I can change the URL of a forums page (this one e.g.) in FF by adding https:// in front. It then loads the same page, but complete with closed lock symbol in the address field (and the https:// of course). Thus I can switch, but only by force and not at all in daily life.
    So you may be blocking that "authenticated" cookie from being set, which will keep you from redirecting. However, what really concerns me is that you should be getting the secure flag set on your session cookie (IPCZQX03a36c6c0a), which should prevent you from being authenticated. When you view that cookie, does it indicate that it is valid only for secure connections, or for all connections?

    Also, do you know if you're using IPv6 at all? I should mention that this has not been enabled yet for IPv6.

  7. #17

    Default Re: thank you! - All forums now HTTPS

    Hey, so I tested that scenario, and I'm certain that's what is going on.

    Right now, HTTPS is not available over IPv6. If you are using a dual stack implementation, HTTPS connections will fall back to the IPv4 address. However, it will not be enforced for logged in users if you start off by using the IPv6 address.

    We are trying to get IPv6 over to the new load balancer, which will allow me to accomplish the same thing there.
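
An added example, not part of the original thread and not openSUSE's configuration: a check that every listener (for instance IPv4 and IPv6) applies the two controls described in the posts above, the HTTPS redirect for logged-in clients and the Secure flag on the session cookie. The response data is constructed; only the cookie names and the forum hostname come from the thread.

```python
from http.cookies import SimpleCookie

# Constructed responses to a plain-HTTP request for http://forums.opensuse.org/
# sent with "Cookie: authenticated=1", one per listener. Not captured traffic.
SAMPLES = {
    "ipv4": {"status": 301,
             "headers": [("Location", "https://forums.opensuse.org/")]},
    "ipv6": {"status": 200,
             "headers": [("Set-Cookie",
                          "IPCZQX03a36c6c0a=constructed; Path=/; HttpOnly")]},
}

REDIRECTS = {301, 302, 303, 307, 308}


def audit_listener(resp, session_cookie="IPCZQX03a36c6c0a"):
    """Return findings for one plain-HTTP response served to a logged-in client."""
    findings = []
    headers = [(name.lower(), value) for name, value in resp["headers"]]

    # Control 1: a logged-in client on http:// must be sent to https://.
    location = next((v for n, v in headers if n == "location"), "")
    if resp["status"] not in REDIRECTS or not location.lower().startswith("https://"):
        findings.append("no-https-redirect")

    # Control 2: the session cookie must carry the Secure attribute, otherwise
    # the browser will also send it over non-secure connections.
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        morsel = jar.get(session_cookie)
        if morsel is not None and not morsel["secure"]:
            findings.append("session-cookie-not-secure")
    return findings


def audit_all(samples):
    """Audit every listener so a gap on one address family stands out."""
    return {listener: audit_listener(resp) for listener, resp in samples.items()}


if __name__ == "__main__":
    for listener, findings in audit_all(SAMPLES).items():
        print(listener, findings or "ok")
```
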

  8. #18
    dd NNTP User

    Default Re: thank you! - All forums now HTTPS

    On 12/14/2012 09:36 PM, MatthewEhle wrote:
    > It would really cut down on the NNTP spam.


    is there a lot of that?

    i see lots of http spam in the forums, but very seldom have i seen nntp..

    seems to me that most spam spews from sources that know nothing about
    either nntp or gopher...

    --
    dd

  9. #19
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,851

    Default Re: thank you! - All forums now HTTPS

    Quote Originally Posted by MatthewEhle View Post
    So you may be blocking that "authenticated" cookie from being set, which will keep you from redirecting. However, what really concerns me is that you should be getting the secure flag set on your session cookie (IPCZQX03a36c6c0a), which should prevent you from being authenticated. When you view that cookie, does it indicate that it is valid only for secure connections, or for all connections?

    Also, do you know if you're using IPv6 at all? I should mention that this has not been enabled yet for IPv6.
    To begin with (reading your next post), my ISP and I are IPv6 ready and enabled. So when that is causing the problem, it is clear.

    This may now be superfluous, but I promised to post this:
    I start from a Favorite in KDE of -forums.opensuse.org- and then click "Login", which brings me to -https://login.attachemategroup.com/....................-.
    Using NoScript, I have allowed there: -attachemategroup.com-, -novell.com- and -suse.com-.
    I have blocked there: -ajax.googleapis.com-, -demandbase.com- and -typekit.com-.

    Then I have the cookie IPCZ..... and that is for all connection types. This confirms your thoughts I guess.
    Henk van Velden

  10. #20
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: thank you! - All forums now HTTPS

    On 2012-12-14 21:36, MatthewEhle wrote:
    >
    > tux93;2510880 Wrote:
    >> Another thing that came to my mind:
    >> are there plans to enable SSL for NNTP users too?
    >>

    >
    > I would really love to, and I have asked about it. From what I was
    > told, this was discussed some time ago, and the problem is that some
    > NNTP clients do not play well with SSL. If you want to put it as a
    > separate thread in this section, I think it might be worth some
    > discussion.


    Maybe you can set up an experimental server, and ask us to try.
    I wonder if leafnode supports it, as it is old and very little
    supported, if at all.

    > What I really like about using SSL for NNTP is that we can then require
    > authentication for posting. It would really cut down on the NNTP spam.


    Well, there is support for passwords in plain nntp. But of course, the
    password is probably transmitted in the clear and might be sniffed. You
    could perhaps make do with a different password from the Novell one.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))
