public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Should Gentoo do https by default?
@ 2015-03-27 14:33 Hanno Böck
  2015-03-27 15:44 ` Marc Schiffbauer
                   ` (6 more replies)
  0 siblings, 7 replies; 22+ messages in thread
From: Hanno Böck @ 2015-03-27 14:33 UTC (permalink / raw
  To: gentoo-dev

Hi,

Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.

Right now we seem to have a mix:
* A number of webpages default to http and have optional https
  (www.gentoo.org)
* Some with sensitive logins are already https by default (e.g.
  bugs.gentoo.org), but they don't use hsts, which they should
* Some with logins are mixed http/login-via-https, which makes them
  vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)

I'd propose the following:
* Make all pages under .gentoo.org https by default
* Make sure all use modern HTTPS features, including:
 * OCSP Stapling
 * HSTS
 * A secure collection of cipher suites
 * (one may add HPKP here, but it requires careful planning and has the
   potential to lock people out of the page if done wrong)
(On the long term I think it would also be good to have downloads over
https, but I'm aware that this is more difficult as it involves mirror
operators that are not under direct control of gentoo infrastructure.)

As I know these discussions, I'll already answer to some
counter-arguments that may come up:

"It's not necessary to do https on pages without logins"
These kinds of arguments show a fundamental misunderstanding of what
https does. It guarantees confidentiality *and* integrity. In short, it
protects content not only from observation, but also from manipulation,
which is always a good thing. A very practical example is that on some
networks foreign ads get injected into other people's webpages.

"Makes things slower / servers can't handle it"
The performance costs for TLS on a server are often vastly overstated.
The performance hit on servers doing https is very close to zero, it
just doesn't matter much.
There are some latency problems for connections, but these can mostly
be wiped out by a sane configuration of the server. If http/2 is used
one can even improve the performance with https.

"Certificates are too expensive"
Gentoo already has certs for all pages, so this is not an argument
here, but if this ever becomes an issue there are a number of CAs these
days that issue free certs. In summer the community based CA Let's
encrypt will start which will be another option.

"CAs are bad and the whole system is broken"
Partly true, but it doesn't get any better if people stick to HTTP.
Many problems of the CA system can be mitigated by modern technologies
like Key Pinning and Certificate Transparency.

I think defaulting the net to HTTPS is a big step for more security and
I think Gentoo should join the trend here.

cu,

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
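
The three site categories listed in the message above can be told apart from a host's plain-HTTP response and its HTTPS response headers. The following Python is an added example, not code from the thread or from Gentoo infrastructure; the hostnames, sample responses, finding names and the 180-day minimum max-age are constructed assumptions.

```python
"""Added example: audit captured HTTP/HTTPS responses for HSTS and redirect gaps."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: treat an HSTS lifetime under 180 days as too short.
MIN_MAX_AGE = 180 * 24 * 3600
REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is invalid and a browser would ignore it.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in seen:  # a repeated directive invalidates the header
            return None
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is mandatory
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}


class _Targets(HTMLParser):
    """Collect link and form targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]


def audit(http_resp, https_resp):
    """Return a list of findings for one host."""
    findings = []
    location = http_resp.header("Location")
    upgraded = (http_resp.status in REDIRECTS and location is not None and
                urlsplit(urljoin(http_resp.url, location)).scheme == "https")
    if not upgraded:
        findings.append("content-served-over-http")
        collector = _Targets()
        collector.feed(http_resp.body)
        # An https link on a cleartext page can be rewritten in transit.
        if any(urlsplit(urljoin(http_resp.url, u)).scheme == "https"
               for u in collector.urls):
            findings.append("https-link-on-http-page")
    raw = https_resp.header("Strict-Transport-Security")
    policy = parse_hsts(raw) if raw is not None else None
    if policy is None or policy["max_age"] == 0:
        findings.append("no-hsts")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("hsts-max-age-too-short")
    return findings


def audit_samples():
    """Run the audit over constructed responses (not captured from real sites)."""
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    samples = {
        "www": (Response("http://www.example.org/", 200, {}, "<p>news</p>"),
                Response("https://www.example.org/", 200)),
        "bugs": (Response("http://bugs.example.org/", 301,
                          {"location": "https://bugs.example.org/"}),
                 Response("https://bugs.example.org/", 200)),
        "wiki": (Response("http://wiki.example.org/", 200, {},
                          '<a href="https://wiki.example.org/login">Log in</a>'),
                 Response("https://wiki.example.org/", 200)),
        "hardened": (Response("http://secure.example.org/", 301,
                              {"Location": "https://secure.example.org/"}),
                     Response("https://secure.example.org/", 200, hsts)),
    }
    return {name: audit(*pair) for name, pair in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or "ok")
```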



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 14:33 [gentoo-dev] Should Gentoo do https by default? Hanno Böck
@ 2015-03-27 15:44 ` Marc Schiffbauer
  2015-03-27 19:14   ` Rich Freeman
  2015-03-27 19:37   ` Robin H. Johnson
  2015-03-27 16:44 ` Dirkjan Ochtman
                   ` (5 subsequent siblings)
  6 siblings, 2 replies; 22+ messages in thread
From: Marc Schiffbauer @ 2015-03-27 15:44 UTC (permalink / raw
  To: gentoo-dev


TL;DR: Yes!

* Hanno Böck wrote on 27.03.15 at 15:33:
>Hi,
>
>Right now a number of Gentoo webpages are by default served over http.
>There is a growing trend to push more webpages to default to https,
>mostly pushed by google. I think this is a good thing and I think
>Gentoo should follow.
>
>Right now we seem to have a mix:
>* A number of webpages default to http and have optional https
>  (www.gentoo.org)
>* Some with sensitive logins are already https by default (e.g.
>  bugs.gentoo.org), but they don't use hsts, which they should
>* Some with logins are mixed http/login-via-https, which makes them
>  vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
>
>I'd propose the following:
>* Make all pages under .gentoo.org https by default
>* Make sure all use modern HTTPS features, including:
> * OCSP Stapling
> * HSTS
> * A secure collection of cipher suites

-> bettercrypto.org

> * (one may add HPKP here, but it requires careful planning and has the
>   potential to lock people out of the page if done wrong)
>(On the long term I think it would also be good to have downloads over
>https, but I'm aware that this is more difficult as it involves mirror
>operators that are not under direct control of gentoo infrastructure.)

+1

>
>As I know these discussions, I'll already answer to some
>counter-arguments that may come up:
>
>"It's not necessary to do https on pages without logins"
>These kinds of arguments show a fundamental misunderstanding of what
>https does. It guarantees confidentiality *and* integrity. In short, it
>protects content not only from observation, but also from manipulation,
>which is always a good thing. A very practical example is that on some
>networks foreign ads get injected into other people's webpages.

ack

>
>"Makes things slower / servers can't handle it"
>The performance costs for TLS on a server are often vastly overstated.
>The performance hit on servers doing https is very close to zero, it
>just doesn't matter much.
>There are some latency problems for connections, but these can mostly
>be wiped out by a sane configuration of the server. If http/2 is used
>one can even improve the performance with https.

And often a too slow /dev/random is the culprit which can be fixed 
by using haveged.

>
>"Certificates are too expensive"
>Gentoo already has certs for all pages, so this is not an argument
>here, but if this ever becomes an issue there are a number of CAs these
>days that issue free certs. In summer the community based CA Let's
>encrypt will start which will be another option.

Or CAs which offer a "Cert Flatrate" for a small fee per year like 
StartSSL.com

>
>"CAs are bad and the whole system is broken"
>Partly true, but it doesn't get any better if people stick to HTTP.
>Many problems of the CA system can be mitigated by modern technologies
>like Key Pinning and Certificate Transparency.
>
>I think defaulting the net to HTTPS is a big step for more security and
>I think Gentoo should join the trend here.

... DNSSEC with TLSA records comes to my mind


-- 
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
             3723 296C 6CCA 35A6 4134


* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 14:33 [gentoo-dev] Should Gentoo do https by default? Hanno Böck
  2015-03-27 15:44 ` Marc Schiffbauer
@ 2015-03-27 16:44 ` Dirkjan Ochtman
  2015-03-27 17:14 ` Thomas D.
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 22+ messages in thread
From: Dirkjan Ochtman @ 2015-03-27 16:44 UTC (permalink / raw
  To: Gentoo Development

On Fri, Mar 27, 2015 at 3:33 PM, Hanno Böck <hanno@gentoo.org> wrote:
> I'd propose the following:
> * Make all pages under .gentoo.org https by default
> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
>  * HSTS
>  * A secure collection of cipher suites
>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
> (On the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)

I'm with you!

Cheers,

Dirkjan



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 14:33 [gentoo-dev] Should Gentoo do https by default? Hanno Böck
  2015-03-27 15:44 ` Marc Schiffbauer
  2015-03-27 16:44 ` Dirkjan Ochtman
@ 2015-03-27 17:14 ` Thomas D.
  2015-03-27 18:33   ` Robin H. Johnson
  2015-03-27 19:18 ` Robin H. Johnson
                   ` (3 subsequent siblings)
  6 siblings, 1 reply; 22+ messages in thread
From: Thomas D. @ 2015-03-27 17:14 UTC (permalink / raw
  To: gentoo-dev

Hi,

Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.

+1


> Right now we seem to have a mix:
> * A number of webpages default to http and have optional https
>   (www.gentoo.org)
> * Some with sensitive logins are already https by default (e.g.
>   bugs.gentoo.org), but they don't use hsts, which they should
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)

Don't forget the forum (http://forums.gentoo.org/). Even if you connect
to https://forums.gentoo.org/ it will always fall back to HTTP.
Also all the mail notifications will send you to the HTTP version...


-Thomas




* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 17:14 ` Thomas D.
@ 2015-03-27 18:33   ` Robin H. Johnson
  0 siblings, 0 replies; 22+ messages in thread
From: Robin H. Johnson @ 2015-03-27 18:33 UTC (permalink / raw
  To: gentoo-dev

On Fri, Mar 27, 2015 at 06:14:38PM +0100, Thomas D. wrote:
> > Right now we seem to have a mix:
> > * A number of webpages default to http and have optional https
> >   (www.gentoo.org)
> > * Some with sensitive logins are already https by default (e.g.
> >   bugs.gentoo.org), but they don't use hsts, which they should
> > * Some with logins are mixed http/login-via-https, which makes them
> >   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
> Don't forget the forum (http://forums.gentoo.org/). Even if you connect
> to https://forums.gentoo.org/ it will always fall back to HTTP.
I can't reproduce this downgrade that you describe; please provide some
steps to show it?

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 15:44 ` Marc Schiffbauer
@ 2015-03-27 19:14   ` Rich Freeman
  2015-03-27 19:15     ` Diego Elio Pettenò
  2015-03-27 19:35     ` Hanno Böck
  2015-03-27 19:37   ` Robin H. Johnson
  1 sibling, 2 replies; 22+ messages in thread
From: Rich Freeman @ 2015-03-27 19:14 UTC (permalink / raw
  To: gentoo-dev

On Fri, Mar 27, 2015 at 11:44 AM, Marc Schiffbauer <mschiff@gentoo.org> wrote:
> * Hanno Böck wrote on 27.03.15 at 15:33:
>>
>>
>> "Certificates are too expensive"
>> Gentoo already has certs for all pages, so this is not an argument
>> here, but if this ever becomes an issue there are a number of CAs these
>> days that issue free certs. In summer the community based CA Let's
>> encrypt will start which will be another option.
>
>
> Or CAs which offer a "Cert Flatrate" for a small fee per year like
> StartSSL.com

As has been pointed out, this is a moot issue for Gentoo.  However,
I'm not aware of anybody who both offers a free certificate and will
let you change your private key if it is compromised free of charge.

StartSSL in fact refuses to revoke certificates even when people
publish their private keys publicly.  If you buy a previously-used
domain you might want to make sure that there isn't a StartSSL
certificate floating around for it which is still valid...

I don't think this has any bearing whatsoever on Gentoo, but it does
annoy me when people say that there are free cert options out there,
when the whole point of having a CA is security and the ones which are
both trusted and free have some pretty horrible security practices.

The current CA system is horribly broken, but not as broken as not
using SSL, or browsers which don't make you click 5 buttons every time
you visit a non-SSL website the way they do when you visit an SSL
website with an untrusted certificate.  :)

--
Rich



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 19:14   ` Rich Freeman
@ 2015-03-27 19:15     ` Diego Elio Pettenò
  2015-03-27 19:41       ` Rich Freeman
  2015-03-27 19:35     ` Hanno Böck
  1 sibling, 1 reply; 22+ messages in thread
From: Diego Elio Pettenò @ 2015-03-27 19:15 UTC (permalink / raw
  To: gentoo-dev

On 27 March 2015 at 19:14, Rich Freeman <rich0@gentoo.org> wrote:
>
> StartSSL in fact refuses to revoke certificates even when people
> publish their private keys publicly.  If you buy a previously-used
> domain you might want to make sure that there isn't a StartSSL
> certificate floating around for it which is still valid...

Uh? They don't do it for free, but they do revoke certificates if you pay for it.
xine-project.org has a revoked cert from last year due to heartbleed.

Diego Elio Pettenò — Flameeyes
https://blog.flameeyes.eu/



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 14:33 [gentoo-dev] Should Gentoo do https by default? Hanno Böck
                   ` (2 preceding siblings ...)
  2015-03-27 17:14 ` Thomas D.
@ 2015-03-27 19:18 ` Robin H. Johnson
  2015-03-27 19:29   ` Hanno Böck
  2015-03-28  8:07   ` Vladimir Smirnov
  2015-03-28 14:52 ` Alexander Berntsen
                   ` (2 subsequent siblings)
  6 siblings, 2 replies; 22+ messages in thread
From: Robin H. Johnson @ 2015-03-27 19:18 UTC (permalink / raw
  To: gentoo-dev

On Fri, Mar 27, 2015 at 03:33:15PM +0100, Hanno Böck wrote:
> Right now a number of Gentoo webpages are by default served over http.
> There is a growing trend to push more webpages to default to https,
> mostly pushed by google. I think this is a good thing and I think
> Gentoo should follow.
Please read my one counter-argument below, as it's not one you refuted.

> Right now we seem to have a mix:
...
> * Some with logins are mixed http/login-via-https, which makes them
>   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
Are you sure about this? Everything on wiki should always redirect to SSL very early.

> I'd propose the following:
> * Make all pages under .gentoo.org https by default
Enabled for the following sites now (copied from cfengine commit):
 files/etc/apache2/vhosts.d/sites/ads/01_ads.gentoo.org.conf                   | 6 ++++++
 files/etc/apache2/vhosts.d/sites/api/api.gentoo.org.conf                      | 6 ++++++
 files/etc/apache2/vhosts.d/sites/archives/30_archives.gentoo.org.conf         | 6 ++++++
 files/etc/apache2/vhosts.d/sites/blogs/35_blogs.gentoo.org.conf               | 6 ++++++
 files/etc/apache2/vhosts.d/sites/devmanual/35_devmanual.gentoo.org.conf       | 6 ++++++
 files/etc/apache2/vhosts.d/sites/forums/01_forums.gentoo.org.conf             | 6 ++++++
 files/etc/apache2/vhosts.d/sites/get/36_get.gentoo.org.conf                   | 6 ++++++
 files/etc/apache2/vhosts.d/sites/infra-status/40_infra-status.gentoo.org.conf | 6 ++++++
 files/etc/apache2/vhosts.d/sites/mirrorstats/20_mirrorstats.gentoo.org.conf   | 6 ++++++
 files/etc/apache2/vhosts.d/sites/packages/packages.gentoo.org.conf            | 6 ++++++
 files/etc/apache2/vhosts.d/sites/planet/40_planet.gentoo.org.conf             | 6 ++++++
 files/etc/apache2/vhosts.d/sites/qa-reports/36_qa-reports.gentoo.org.conf     | 6 ++++++
 files/etc/apache2/vhosts.d/sites/sources/30_sources.gentoo.org.conf           | 6 ++++++
 files/etc/apache2/vhosts.d/sites/www/www.gentoo.org.conf                      | 6 ++++++
 14 files changed, 84 insertions(+)

> * Make sure all use modern HTTPS features, including:
>  * OCSP Stapling
SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

>  * HSTS
It's coming already, you can see it on security.gentoo.org.

>  * A secure collection of cipher suites
What's wrong with our present Ciphers?
https://www.ssllabs.com/ssltest/analyze.html?d=gentoo.org
We have them configured per:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCompression off 

>  * (one may add HPKP here, but it requires careful planning and has the
>    potential to lock people out of the page if done wrong)
Too risky at this point.

> (On the long term I think it would also be good to have downloads over
> https, but I'm aware that this is more difficult as it involves mirror
> operators that are not under direct control of gentoo infrastructure.)
This is why we published signatures on as much as we can.

> As I know these discussions, I'll already answer to some
> counter-arguments that may come up:
Users behind firewalls that block HTTPS are now going to be blocked from Gentoo
services.

Last time we proposed going HTTPS-by-default, there was complaint from users
that were going to be locked out.

I've turned it on anyway now, and want them to come out of the woodwork to
refute you that we're ready for HTTPS-by-default.

> "Certificates are too expensive"
> Gentoo already has certs for all pages, so this is not an argument
> here, but if this ever becomes an issue there are a number of CAs these
> days that issue free certs. In summer the community based CA Let's
> encrypt will start which will be another option.
We're still limited when it comes to services that need wildcards for the
service. We have one such presently, and I hope we don't get more:
Bugzilla, for attachments. (which are served at a different hostname that can't
access your base bugzilla cookies even if the attachment contains javascript that
runs).

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 19:18 ` Robin H. Johnson
@ 2015-03-27 19:29   ` Hanno Böck
  2015-03-27 19:50     ` Dirkjan Ochtman
  2015-03-31  3:58     ` Dean Stephens
  2015-03-28  8:07   ` Vladimir Smirnov
  1 sibling, 2 replies; 22+ messages in thread
From: Hanno Böck @ 2015-03-27 19:29 UTC (permalink / raw
  To: gentoo-dev

On Fri, 27 Mar 2015 19:18:24 +0000
"Robin H. Johnson" <robbat2@gentoo.org> wrote:

> > * Some with logins are mixed http/login-via-https, which makes them
> >   vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
> Are you sure about this? Everything on wiki should always redirect to
> SSL very early.

Sure about what?
When I call the wiki page I currently get:
http://wiki.gentoo.org/wiki/Main_Page

Clicking on login will redirect to https, but at that point an attacker
is already able to change this link.

> Enabled for the following sites now (copied from cfengine commit):

Great. (However I don't see that yet live - server restart needed or is
there some deployment process that has to happen first?)

> > * Make sure all use modern HTTPS features, including:
> >  * OCSP Stapling
> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

That's unfortunate, apache 2.2 is pretty outdated when it
comes to tls security.

> >  * A secure collection of cipher suites
> What's wrong with our present Ciphers?

Haven't checked them in detail, looks mostly fine. One issue: DH
ciphers with a small modulus (1024 bit). But that's unfixable within
apache 2.2, so same as above.

> > (On the long term I think it would also be good to have downloads
> > over https, but I'm aware that this is more difficult as it
> > involves mirror operators that are not under direct control of
> > gentoo infrastructure.)
> This is why we published signatures on as much as we can.

Yes, signatures are fine, but realistically they require manual
intervention and not everyone will do that. Defaulting to https is a
very usable way to make malicious downloads less likely. Signatures
should stay as an additional protection measure.

> Users behind firewalls that block HTTPS are now going to be blocked
> from Gentoo services.
> 
> Last time we proposed going HTTPS-by-default, there was complaint
> from users that were going to be locked out.

I would be very surprised if this is an issue any more.

These days pretty much all big players use https only (google,
facebook, twitter, github, ...). You can't really use the
mainstream internet if your firewall blocks https.

> We're still limited when it comes to services that need wildcards for
> the service. We have one such presently, and I hope we don't get more:
> Bugzilla, for attachments. (which are served at a different hostname
> that can't access your base bugzilla cookies even if the attachment
> contains javascript that runs).

I have hopes that Let's encrypt will also allow free wildcards, but
that seems to be undecided yet.
But wildcards aren't super-expensive. One can e.g. get a validation by
startssl for an unlimited number of wildcards for a year, I don't
remember the exact price but it was in the 100-200$ range.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 19:14   ` Rich Freeman
  2015-03-27 19:15     ` Diego Elio Pettenò
@ 2015-03-27 19:35     ` Hanno Böck
  1 sibling, 0 replies; 22+ messages in thread
From: Hanno Böck @ 2015-03-27 19:35 UTC (permalink / raw
  To: gentoo-dev

On Fri, 27 Mar 2015 15:14:02 -0400
Rich Freeman <rich0@gentoo.org> wrote:

> As has been pointed out, this is a moot issue for Gentoo.  However,
> I'm not aware of anybody who both offers a free certificate and will
> let you change your private key if it is compromised free of charge.

I think wosign does.
Haven't tested, but discussion on hacker news indicates revocation is
free [1].

And yes, the startssl behaviour regarding revocation is not good...


[1] https://news.ycombinator.com/item?id=8982013

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 15:44 ` Marc Schiffbauer
  2015-03-27 19:14   ` Rich Freeman
@ 2015-03-27 19:37   ` Robin H. Johnson
  1 sibling, 0 replies; 22+ messages in thread
From: Robin H. Johnson @ 2015-03-27 19:37 UTC (permalink / raw
  To: gentoo-dev

On Fri, Mar 27, 2015 at 04:44:16PM +0100, Marc Schiffbauer wrote:
> >"Certificates are too expensive"
> >Gentoo already has certs for all pages, so this is not an argument
> >here, but if this ever becomes an issue there are a number of CAs these
> >days that issue free certs. In summer the community based CA Let's
> >encrypt will start which will be another option.
> Or CAs which offer a "Cert Flatrate" for a small fee per year like 
> StartSSL.com
Please don't promote StartSSL with their excessive demands for personal
information:
https://www.startssl.com/?app=34
Passport AND (Drivers License or National ID)

To be able to issue certs from them, EACH person in an organization
needs to comply with that "Identity Validation", and the organization
validation is on top of that:
https://www.startssl.com/?app=35

How many people here would willingly send this level of detail to
somebody in a foreign country? Does your home country not have strict
regulations about who can keep a copy of this information (retaining
this information is mostly prohibited by my local laws).

We're with DigiCert instead, where only the organization was verified.
They also have a good API for generating certificates, which was
invaluable during the Heartbleed certificate switchover.

> >I think defaulting the net to HTTPS is a big step for more security and
> >I think Gentoo should join the trend here.
> ... DNSSEC with TLSA records comes to my mind
I proposed TLSA on the lists last year, and got very few takers.
DNSSEC has been in place for years already.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 19:15     ` Diego Elio Pettenò
@ 2015-03-27 19:41       ` Rich Freeman
  0 siblings, 0 replies; 22+ messages in thread
From: Rich Freeman @ 2015-03-27 19:41 UTC (permalink / raw
  To: gentoo-dev

On Fri, Mar 27, 2015 at 3:15 PM, Diego Elio Pettenò
<flameeyes@flameeyes.eu> wrote:
> On 27 March 2015 at 19:14, Rich Freeman <rich0@gentoo.org> wrote:
>>
>> StartSSL in fact refuses to revoke certificates even when people
>> publish their private keys publicly.  If you buy a previously-used
>> domain you might want to make sure that there isn't a StartSSL
>> certificate floating around for it which is still valid...
>
> Uh? They don't do it for free, but they do revoke certificates if you pay for it.
> xine-project.org has a revoked cert from last year due to heartbleed.

That was basically my point.  There aren't any free options which are
secure (that I'm aware of).  There are options which cost money which
are secure, including StartSSL.  It just annoys me when people trot
them out as an example of why SSL certificate costs aren't a problem.
You can debate whether not having secure free options matters or not,
but you can't argue that StartSSL is a secure free option.

-- 
Rich



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 19:29   ` Hanno Böck
@ 2015-03-27 19:50     ` Dirkjan Ochtman
  2015-03-31  3:58     ` Dean Stephens
  1 sibling, 0 replies; 22+ messages in thread
From: Dirkjan Ochtman @ 2015-03-27 19:50 UTC (permalink / raw
  To: Gentoo Development

On Fri, Mar 27, 2015 at 8:29 PM, Hanno Böck <hanno@gentoo.org> wrote:
>> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.
>
> That's unfortunate, apache 2.2 is pretty outdated when it
> comes to tls security.

Please help with the blockers for 2.4 stabilization!

Cheers,

Dirkjan



* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 19:18 ` Robin H. Johnson
  2015-03-27 19:29   ` Hanno Böck
@ 2015-03-28  8:07   ` Vladimir Smirnov
  1 sibling, 0 replies; 22+ messages in thread
From: Vladimir Smirnov @ 2015-03-28  8:07 UTC (permalink / raw
  To: Robin H. Johnson; +Cc: gentoo-dev

Just my 5c:

On Fri, 27 Mar 2015 19:18:24 +0000
"Robin H. Johnson" <robbat2@gentoo.org> wrote:


> 
> > * Make sure all use modern HTTPS features, including:
> >  * OCSP Stapling
> SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.

You can always set up Nginx, if not instead of Apache, then at least in front of it, and hand over SSL handling to it.





* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 14:33 [gentoo-dev] Should Gentoo do https by default? Hanno Böck
                   ` (3 preceding siblings ...)
  2015-03-27 19:18 ` Robin H. Johnson
@ 2015-03-28 14:52 ` Alexander Berntsen
  2015-03-29  1:39 ` Sebastian Pipping
  2015-03-29 14:46 ` Michał Górny
  6 siblings, 0 replies; 22+ messages in thread
From: Alexander Berntsen @ 2015-03-28 14:52 UTC (permalink / raw
  To: gentoo-dev

+1 for everything.

-- 
Alexander
bernalex@gentoo.org
https://secure.plaimi.net/~alexander

* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 14:33 [gentoo-dev] Should Gentoo do https by default? Hanno Böck
                   ` (4 preceding siblings ...)
  2015-03-28 14:52 ` Alexander Berntsen
@ 2015-03-29  1:39 ` Sebastian Pipping
  2015-03-29 14:46 ` Michał Górny
  6 siblings, 0 replies; 22+ messages in thread
From: Sebastian Pipping @ 2015-03-29  1:39 UTC (permalink / raw
  To: gentoo-dev

On 27.03.2015 15:33, Hanno Böck wrote:
> I think defaulting the net to HTTPS is a big step for more security and
> I think Gentoo should join the trend here.

Yes please!



Sebastian




* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 14:33 [gentoo-dev] Should Gentoo do https by default? Hanno Böck
                   ` (5 preceding siblings ...)
  2015-03-29  1:39 ` Sebastian Pipping
@ 2015-03-29 14:46 ` Michał Górny
  2015-03-29 16:50   ` Hanno Böck
  6 siblings, 1 reply; 22+ messages in thread
From: Michał Górny @ 2015-03-29 14:46 UTC (permalink / raw
  To: Hanno Böck; +Cc: gentoo-dev


On 2015-03-27, at 15:33:15
Hanno Böck <hanno@gentoo.org> wrote:

> I think defaulting the net to HTTPS is a big step for more security and
> I think Gentoo should join the trend here.

While I don't mind this entirely, we need to make sure to get things
right. For example, I'm quite unhappy being unable to use Forums or
sources.g.o from my phone because of some SSL issues… Do you really
believe serving content insecurely is worse than serving no content
at all?

-- 
Best regards,
Michał Górny


* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-29 14:46 ` Michał Górny
@ 2015-03-29 16:50   ` Hanno Böck
  2015-03-29 17:23     ` Michał Górny
  0 siblings, 1 reply; 22+ messages in thread
From: Hanno Böck @ 2015-03-29 16:50 UTC (permalink / raw
  To: gentoo-dev, Michał Górny


On Sun, 29 Mar 2015 16:46:05 +0200
Michał Górny <mgorny@gentoo.org> wrote:

> While I don't mind this entirely, we need to make sure to get things
> right. For example, I'm quite unhappy being unable to use Forums or
> sources.g.o from my phone because of some SSL issues…

Can you be more specific on that? Of course if there are problems we
should fix them - and I'm glad to help in analyzing those.
(However there are some unfortunate issues that are hard to fix, e.g.
some devices relying on broken protocols like sslv3 - but I think these
should be rare)

What phone? Should we move such issues to bugzilla? (cc me if you open
a bug)

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42


* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-29 16:50   ` Hanno Böck
@ 2015-03-29 17:23     ` Michał Górny
  2015-03-29 17:33       ` James Le Cuirot
  0 siblings, 1 reply; 22+ messages in thread
From: Michał Górny @ 2015-03-29 17:23 UTC (permalink / raw
  To: Hanno Böck; +Cc: gentoo-dev


On 2015-03-29, at 18:50:17
Hanno Böck <hanno@gentoo.org> wrote:

> On Sun, 29 Mar 2015 16:46:05 +0200
> Michał Górny <mgorny@gentoo.org> wrote:
> 
> > While I don't mind this entirely, we need to make sure to get things
> > right. For example, I'm quite unhappy being unable to use Forums or
> > sources.g.o from my phone because of some SSL issues…
> 
> Can you be more specific on that? Of course if there are problems we
> should fix them - and I'm glad to help in analyzing those.
> (However there are some unfortunate issues that are hard to fix, e.g.
> some devices relying on broken protocols like sslv3 - but I think these
> should be rare)
> 
> What phone? Should we move such issues to bugzilla? (cc me if you open
> a bug)

Xperia X10 Mini, with ancient Android 2.1.

bugs.gentoo.org works, though it complains about hostname mismatch (I
guess it doesn't handle wildcard certs or sth).

forums.gentoo.org, sources.gentoo.org it first complains about
untrusted issuer, and after telling it to configure tries a bit more
and gives 'Unable to connect to server, try again later.'

-- 
Best regards,
Michał Górny

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-29 17:23     ` Michał Górny
@ 2015-03-29 17:33       ` James Le Cuirot
  0 siblings, 0 replies; 22+ messages in thread
From: James Le Cuirot @ 2015-03-29 17:33 UTC (permalink / raw
  To: gentoo-dev

On Sun, 29 Mar 2015 19:23:51 +0200
Michał Górny <mgorny@gentoo.org> wrote:

> Xperia X10 Mini, with ancient Android 2.1.
> 
> bugs.gentoo.org works, though it complains about hostname mismatch (I
> guess it doesn't handle wildcard certs or sth).

Not exactly, it can't handle servers with more than one SSL certificate
per IP. A wildcard certificate probably would work. Android 2.3
(Gingerbread) is the last release and probably the only OS of any
significant concern to not support SNI at all. Even XP does with
certain browsers.

I know that particular phone and to be fair, it's pretty poor. That
240x320 screen surely hurts your eyes. ;) You could probably pick up
something better for nothing. That phone can also be rooted quite
easily (I've done it) and then flashed with something more recent.

-- 
James Le Cuirot (chewi)
Gentoo Linux Developer

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-27 19:29   ` Hanno Böck
  2015-03-27 19:50     ` Dirkjan Ochtman
@ 2015-03-31  3:58     ` Dean Stephens
  2015-04-01  2:46       ` Alec Warner
  1 sibling, 1 reply; 22+ messages in thread
From: Dean Stephens @ 2015-03-31  3:58 UTC (permalink / raw
  To: gentoo-dev

On 03/27/15 15:29, Hanno Böck wrote:
> These days pretty much all big players use https only (google,
> facebook, twitter, github, ...). You can't really use the
> mainstream internet if your firewall blocks https.
> 
Can we please stop making stuff up[1] just to make an argument seem
stronger to the overly credulous?

[1] http://www.google.com/search?q=this+is+not+impossible&gws_rd=ssl


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [gentoo-dev] Should Gentoo do https by default?
  2015-03-31  3:58     ` Dean Stephens
@ 2015-04-01  2:46       ` Alec Warner
  0 siblings, 0 replies; 22+ messages in thread
From: Alec Warner @ 2015-04-01  2:46 UTC (permalink / raw
  To: Gentoo Dev

[-- Attachment #1: Type: text/plain, Size: 708 bytes --]

On Mon, Mar 30, 2015 at 8:58 PM, Dean Stephens <desultory@gentoo.org> wrote:

> On 03/27/15 15:29, Hanno Böck wrote:
> > These days pretty much all big players use https only (google,
> > facebook, twitter, github, ...). You can't really use the
> > mainstream internet if your firewall blocks https.
> >
> Can we please stop making stuff up[1] just to make an argument seem
> stronger to the overly credulous?


I agree his argument is bogus (plenty of the internet is http) but relying
on undocumented query arguments to prevent ssl redirection is...not really
the example I'd choose to use to illustrate the point.


> [1] http://www.google.com/search?q=this+is+not+impossible&gws_rd=ssl

^ permalink raw reply	[flat|nested] 22+ messages in thread

Thread overview: 22+ messages
2015-03-27 14:33 [gentoo-dev] Should Gentoo do https by default? Hanno Böck
2015-03-27 15:44 ` Marc Schiffbauer
2015-03-27 19:14   ` Rich Freeman
2015-03-27 19:15     ` Diego Elio Pettenò
2015-03-27 19:41       ` Rich Freeman
2015-03-27 19:35     ` Hanno Böck
2015-03-27 19:37   ` Robin H. Johnson
2015-03-27 16:44 ` Dirkjan Ochtman
2015-03-27 17:14 ` Thomas D.
2015-03-27 18:33   ` Robin H. Johnson
2015-03-27 19:18 ` Robin H. Johnson
2015-03-27 19:29   ` Hanno Böck
2015-03-27 19:50     ` Dirkjan Ochtman
2015-03-31  3:58     ` Dean Stephens
2015-04-01  2:46       ` Alec Warner
2015-03-28  8:07   ` Vladimir Smirnov
2015-03-28 14:52 ` Alexander Berntsen
2015-03-29  1:39 ` Sebastian Pipping
2015-03-29 14:46 ` Michał Górny
2015-03-29 16:50   ` Hanno Böck
2015-03-29 17:23     ` Michał Górny
2015-03-29 17:33       ` James Le Cuirot
