thank you! - All forums now HTTPS

With the increasing hacking and loss of anonymity across the Internet, I applaud the move to secure all web access to the openSUSE forums with SSL.

This was a suggestion I made long ago in this forum; it is a welcome development to ensuring the integrity and privacy of accessing the Forums.

A suggestion to further prevent information leakage is to enumerate post IDs instead of using subject lines. This is what Google is now doing “sometimes” instead of inserting query keywords into the URL (well, sometimes it’s still done the old way. Don’t know why).

TSU

On Wed, 12 Dec 2012 03:36:01 +0000, tsu2 wrote:

> With the increasing hacking and loss of anonymity across the Internet,
> I applaud the move to secure all web access to the openSUSE forums with
> SSL.
>
> This was a suggestion I made long ago in this forum; it is a welcome development
> to ensuring the integrity and privacy of accessing the Forums.

It also simplifies a lot of stuff on the backend, I understand. :slight_smile:

> A suggestion to further prevent information leakage is to enumerate
> post IDs instead of using subject lines. This is what Google is now
> doing “sometimes” instead of inserting query keywords into the URL (well,
> sometimes it’s still done the old way. Don’t know why).

I’m not sure I follow, but I also don’t know that vBulletin can do this.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I may be a daft end-user, but I am reading this very page, being logged in to the forums, and I do not see any sign of it being HTTPS.

Here the address line reads

https://forums.opensuse.org/english/other-forums/forums-feedback/forums-comments-suggestions/481364-thank-you-all-forums-now-https.html

I have:
http://forums.opensuse.org/english/other-forums/forums-feedback/forums-comments-suggestions/481364-thank-you-all-forums-now-https.html#post2510398

I have same as @keellambert. If that’s more secure, then add my thank you for the implementation.

When I use @keellambert’s, I land on the same page (using HTTPS of course).

But when I use the link from the mail sent to me because I am subscribed to this thread, it is HTTP. And the other links there (for stopping the subscription, etc.) are also all HTTP.

Thus it seems that there are two parallel worlds now ???

I can add that using the link from my RSS feeds (where I normally pry for interesting new threads) does give me HTTPS.

Seems to be a sort of mixture. In any case, @tsu2’s remark:

… to secure all web access to the openSUSE forums with SSL.

is only partly true.

On Wed, 12 Dec 2012 14:26:01 +0000, hcvv wrote:

> I can add that using the link from my RSS feeds (where I normally pry for
> interesting new threads) does give me HTTPS.
>
> Seems to be a sort of mixture. In any case, @tsu2’s remark:
>> … to secure all web access to the openSUSE forums with SSL.
> is only partly true.

Interesting, I’ll check with Matt and see why the http stuff isn’t
redirecting - it was my understanding that it should be.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

We don’t enforce HTTPS for anonymous users, but they should be able to just put the “s” in there and start using it that way if they choose. HSTS is enabled as well, so if you start using HTTPS, it should be enforced by Firefox and Chrom(e|ium).

For authenticated users, this should be a different story. You ought to have a cookie set that is named “authenticated” if you are logged in. Our ADC looks for that cookie and redirects you to HTTPS if you aren’t already using it. Furthermore, the session cookie has the secure flag set, so you really shouldn’t be authenticated over a non-secure connection. It seems to have worked very consistently, so I would be interested if you have found a way to “break” it!

Another thing that came to my mind:
are there plans to enable SSL for NNTP users too?


openSUSE Ambassador & Member

What was that you were saying about Linux being a headache?
Sorry, I couldn’t hear you over the sound of openSUSE being awesome.
– Helen South on opensuse-marketing Mailinglist

I would really love to, and I have asked about it. From what I was told, this was discussed some time ago, and the problem is that some NNTP clients do not play well with SSL. If you want to put it as a separate thread in this section, I think it might be worth some discussion.

What I really like about using SSL for NNTP is that we can then require authentication for posting. It would really cut down on the NNTP spam.

Sorry, for some reason I missed this one.

I can not completely follow you (lack of technical knowledge), but I guess I do rather normal things and thus when the forums change to HTTPS, I should either be required to do something (which I was not, or did I miss some announcement?), or it should change painlessly. Now it is painless up until now, but there is no change for me.

I normally start the forums by using a Favorite to -http://forums.opensuse.org/- (minus signs by me to avoid interpretation). I then log in there. It is now at -http://forums.opensuse.org/forum.php-

Then I use RSS feeds on the different forums to see new threads. When I open an entry there it is also no HTTPS.

Then I get mails to threads I am subscribed to when there is a new post. The links in these emails are all HTTP ones. And they do not change to HTTPS when used.

I guess this all fits into the category “authenticated users”. I tried to find a cookie named “authenticated”, but failed. I searched in domains with opensuse (you did not tell which domain).

HTH and I am willing to do some more tests if that helps you. (but tomorrow MET :wink: )

Do you run any type of extension or setting that blocks cookies by default? Also, what browser do you use?

The domain for the “authenticated” cookie should be opensuse.org (no subdomain). What’s more interesting is that you could even be logged in without being HTTPS. There is a special flag on the session cookie that should keep it from being sent over a non-secure connection.

If I had to make an educated guess, I would say that you are probably using HTTPS, but your browser is not showing it for some reason. Maybe there is some image or other piece of content that is not being loaded securely, and is causing your browser to not display the page as secure.

I run (of course) NoScript in FF. NoScript shows that nothing is blocked in the -forums.opensuse.org- pages.
During login there are one or two sites blocked (I can specify them tomorrow).

And I do not allow all cookies. But normally for anything openSUSE (and Novell, and since some days Attachmate) I allow (at least for the session).

I have 24 cookies from -forums.opensuse.org- and three from -opensuse.org-, one is called lb_opensuse and the other two have names of many capital letters and numbers.

Another observation is that I can change the URL of a forums page (this one e.g.) in FF by adding https:// in front. It then loads the same page, but complete with closed lock symbol in the address field (and the https:// of course). Thus I can switch, but only by force and not at all in daily life.

So you may be blocking that “authenticated” cookie from being set, which will keep you from redirecting. However, what really concerns me is that you should be getting the secure flag set on your session cookie (IPCZQX03a36c6c0a), which should prevent you from being authenticated. When you view that cookie, does it indicate that it is valid only for secure connections, or for all connections?

Also, do you know if you’re using IPv6 at all? I should mention that this has not been enabled yet for IPv6.
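The checks Matt describes in the posts above (HSTS header, the “authenticated” cookie that the ADC keys its HTTP-to-HTTPS redirect on, and the Secure flag on the session cookie hcvv was asked to inspect), modelled offline as an added example; this is not code from the forums or from openSUSE’s load balancer, and the response headers below are constructed samples:

```python
# Added example: audit two constructed HTTP responses the way a defender would,
# and model the ADC redirect rule from the thread. Not openSUSE's own code.

# Constructed sample: what a logged-in user should receive over HTTPS.
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000",
    "Set-Cookie": [
        "authenticated=1; Domain=opensuse.org; Path=/",
        "IPCZQX03a36c6c0a=abc123; Domain=opensuse.org; Path=/; Secure; HttpOnly",
    ],
}
# Constructed sample: the situation hcvv reported (session cookie valid for all connections).
BAD_RESPONSE = {
    "Set-Cookie": [
        "IPCZQX03a36c6c0a=abc123; Domain=opensuse.org; Path=/",
    ],
}

def parse_set_cookie(line):
    """Return (cookie name, dict of lower-cased attributes) for one Set-Cookie line."""
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")   # flags like "Secure" have no value
        attrs[key.lower()] = value
    return name, attrs

def audit(response, session_cookie="IPCZQX03a36c6c0a"):
    """Findings a defender would want: missing HSTS, session cookie without Secure."""
    findings = []
    if "Strict-Transport-Security" not in response:
        findings.append("no HSTS header")
    for line in response.get("Set-Cookie", []):
        name, attrs = parse_set_cookie(line)
        if name == session_cookie and "secure" not in attrs:
            findings.append(f"session cookie {name} lacks Secure flag")
    return findings

def adc_redirect(scheme, cookie_header):
    """Model of the ADC rule: plain HTTP plus an 'authenticated' cookie -> send to HTTPS.
    Returns the scheme to redirect to, or None when no redirect applies."""
    names = {c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()}
    if scheme == "http" and "authenticated" in names:
        return "https"
    return None

if __name__ == "__main__":
    print("good:", audit(GOOD_RESPONSE))
    print("bad:", audit(BAD_RESPONSE))
    print("redirect:", adc_redirect("http", "authenticated=1; IPCZQX03a36c6c0a=abc123"))
```

A browser that never sets the “authenticated” cookie (blocked by a cookie policy) never triggers the modelled redirect, which matches the behaviour discussed in the thread.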

Hey, so I tested that scenario, and I’m certain that’s what is going on.

Right now, HTTPS is not available over IPv6. If you are using a dual stack implementation, HTTPS connections will fall back to the IPv4 address. However, it will not be enforced for logged in users if you start off by using the IPv6 address.

We are trying to get IPv6 over to the new load balancer, which will allow me to accomplish the same thing there.

On 12/14/2012 09:36 PM, MatthewEhle wrote:
> It would really cut down on the NNTP spam.

is there a lot of that?

i see lots of http spam in the forums, but very seldom have i seen nntp…

seems to me that most spam spews from sources that know nothing about
either nntp nor gopher…


dd

To begin with (reading your next post), my ISP and I are IPv6 ready and enabled. So when that is causing the problem, it is clear.

This may now be superfluous, but I promised to post this:
I start from a Favorite in KDE of -forums.opensuse.org- and then click “Login”, which brings me to -https://login.attachemategroup.com/…-.
Using NoScript, I have allowed there: -attachemategroup.com-, -novell.com- and -suse.com-.
I have blocked there: -ajax.googleapis.com-, -demandbase.com- and -typekit.com-.

Then I have the cookie IPCZ… and that is for all connection types. This confirms your thoughts I guess.

On 2012-12-14 21:36, MatthewEhle wrote:
>
> tux93;2510880 Wrote:
>> Another thing that came to my mind:
>> are there plans to enable SSL for NNTP users too?
>>
>
> I would really love to, and I have asked about it. From what I was
> told, this was discussed some time ago, and the problem is that some
> NNTP clients do not play well with SSL. If you want to put it as a
> separate thread in this section, I think it might be worth some
> discussion.

Maybe you can setup an experimental server, and ask us to try.
I wonder if leafnode supports it, as it is old and very little
supported, if at all.

> What I really like about using SSL for NNTP is that we can then require
> authentication for posting. It would really cut down on the NNTP spam.

Well, there is support for passwords in plain nntp. But of course, the
password is probably transmitted in the clear and might be sniffed. You
could perhaps make do with a different password from the Novell one.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))