mersenneforum.org  

Old 2017-01-27, 18:14   #12
mattmill30
 
Aug 2015


Quote:
Originally Posted by Mark Rose
XSS is an issue: click this (though HTTPS won't fix this particular one).
You're saying that someone could inject a redirect, and allocate people with workload they don't want?
Old 2017-01-27, 20:45   #13
Mark Rose
 
 
"/X\(‘-‘)/X\"
Jan 2013


Quote:
Originally Posted by mattmill30
You're saying that someone could inject a redirect, and allocate people with workload they don't want?
It's easier than that. Just embed an image somewhere.

\ [\cssId{happy}{\style{background-image:url(http://www.mersenne.org/manual_assignment/?cores=1&num_to_get=1&pref=101&exp_lo=&exp_hi=)}{x}}\]

If I removed the space between \ and [ and the beginning of that, everyone who loads this post would start getting assignments. It's that easy.
Old 2017-01-27, 21:20   #14
chalsall
If I May
 
 
"Chris Halsall"
Sep 2002
Barbados


Quote:
Originally Posted by Mark Rose
It's that easy.
Yup. And if someone malicious embedded something like this where a non-Primenet user visited, then an Anonymous assignment would be given which wouldn't expire for 180 days.

A bit of an Achilles' heel with Primenet. The good news is once noticed Aaron would be able to filter based on the referrer.
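A server-side version of the referrer filter chalsall proposes, written here as an added example (it is not PrimeNet's code). The site hostnames and the /manual_assignment/ path prefix are assumptions, and the block goes a step beyond the thread by also honouring the Sec-Fetch-Dest/Sec-Fetch-Site headers current browsers send, which let a server reject an image-triggered fetch outright.

```python
"""Origin/referrer filter for a state-changing GET endpoint (CSRF mitigation)."""
from urllib.parse import urlsplit

# Assumptions (not from the thread): the site's own hostnames and the path
# prefix that hands out assignments.
ALLOWED_HOSTS = {"www.mersenne.org", "mersenne.org"}
PROTECTED_PREFIXES = ("/manual_assignment/",)


def request_origin_host(headers):
    """Hostname named by Origin (preferred) or Referer, or None if neither is sent."""
    for name in ("origin", "referer"):
        if headers.get(name):
            # Compare the exact hostname; a substring match would accept look-alikes.
            return urlsplit(headers[name]).hostname
    return None


def decide(path, headers):
    """Return 'allow', 'block' or 'confirm' ('confirm': render a same-site
    confirmation form instead of acting on a request of unknown origin)."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not path.startswith(PROTECTED_PREFIXES):
        return "allow"
    # Fetch Metadata (sent by current browsers): a subresource load such as an
    # <img> or CSS background-image, or any cross-site request, is rejected.
    if headers.get("sec-fetch-dest") == "image" or headers.get("sec-fetch-site") == "cross-site":
        return "block"
    host = request_origin_host(headers)
    if host is None:
        return "confirm"
    return "allow" if host in ALLOWED_HOSTS else "block"


# Constructed sample requests modelled on the thread: a background-image fetch
# from a forum page, a look-alike host, a direct visit with no Referer, a
# request from the site's own pages, and an unprotected page.
SAMPLES = [
    ("/manual_assignment/?cores=1&num_to_get=1", {"Referer": "https://www.mersenneforum.org/showthread.php?t=1"}),
    ("/manual_assignment/", {"Referer": "http://www.mersenne.org.attacker.example/"}),
    ("/manual_assignment/", {}),
    ("/manual_assignment/", {"Origin": "https://www.mersenne.org"}),
    ("/report_milestones/", {"Referer": "https://www.mersenneforum.org/"}),
]


def run_samples():
    """Decision for each constructed sample, in order."""
    return [decide(path, headers) for path, headers in SAMPLES]
```

The "confirm" branch matters because some browsers and privacy settings strip Referer entirely; treating those requests as hostile would lock out legitimate direct visits, while treating them as trusted reopens the hole.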
Old 2017-01-28, 04:17   #15
Mark Rose
 
 
"/X\(‘-‘)/X\"
Jan 2013


Quote:
Originally Posted by chalsall
Yup. And if someone malicious embedded something like this where a non-Primenet user visited, then an Anonymous assignment would be given which wouldn't expire for 180 days.

A bit of an Achilles' heel with Primenet. The good news is once noticed Aaron would be able to filter based on the referrer.
I'm afraid I created quite a few of those. I have third-party cookies disabled, so I wasn't logged in while figuring out why I wasn't getting new assignments at first.

Not having [img] tags made this exercise a little more interesting.
Old 2017-01-28, 06:32   #16
retina
Undefined
 
 
"The unspeakable one"
Jun 2006
My evil lair


Quote:
Originally Posted by Mark Rose
It's easier than that. Just embed an image somewhere.

\[\cssId{happy}{\style{background-image:url(http://www.mersenne.org/manual_assignment/?blahblah)}{x}}\]

If I removed the space between \ and [ and the beginning of that, everyone who loads this post would start getting assignments. It's that easy.
\[\cssId{happy}{\style{background-image:url(http://www.mersenne.org/manual_assignment/?blahblah)}{x}}\]

Does it require JS or something because on my machine it does nothing.

Old 2017-01-28, 08:55   #17
Madpoo
Serpentine Vermin Jar
 
 
Jul 2014


Quote:
Originally Posted by mattmill30
What's the rationale for converting the entire site to SSL?

I understand encrypting credentials, but why not offer https which delivers the current site and a http site which includes beneath the username and password boxes a "login securely" link which redirects to a https login screen?

This would save bandwidth and CPU resources for all pages which aren't sensitive.

Is the concern that the session ID or cookies (whichever are used) would be cleartext over a http connection?
Personally, I don't think this is a concern because the website accepts anonymous submissions, so a XSS attack is quite pointless.
Like Mark said, SSL just isn't a big issue nowadays. I'm not saying it's "free" in terms of compute power, but the types of servers out there today don't have problems with it, in general. Put another way, if you have capacity for your current visitors, you probably have enough to encrypt it as well.

Or that could just be me... I build servers with headroom for just such things. There's another mentality in the cloud computing world that you absolutely must run your systems at near 100%, you know, to get your money's worth or whatever. You don't want to pay for a system that's 80%+ idle. So for those folks, doing encryption on the front-end web server would be bad.

The Primenet server should have the CPU headroom. It sometimes has periods of high activity on the DB side of things, but it's in good shape.

Oh, and yes, the main reason is of course to encrypt password info... which could be done by POSTing that to https and calling it good, but then you don't get a happy lock icon in the address bar.

A secondary reason is just that SSL is, for better or worse, how the web is going to work. We'll look back at the http 1.1 days when SSL was optional as being a quaint, archaic system. HTTP/2 with its (de facto) compulsory security has a lot going for it, and the fact that security is required is simply the way it is.

Google has said they look at security (or lack thereof) as a signal in weighting search relevance too. Primenet/GIMPS is not really dependent on search engines for traffic, although it helps when we get the extra attention and we get new people signing up. There probably will come a day when unsecured sites become the online ghettos.
Old 2017-01-28, 08:58   #18
Mark Rose
 
 
"/X\(‘-‘)/X\"
Jan 2013


Quote:
Originally Posted by retina
\[\cssId{happy}{\style{background-image:url(http://www.mersenne.org/manual_assignment/?blahblah)}{x}}\]

Does it require JS or something because on my machine it does nothing.

You just enabled the XSS in your quote!

It takes advantage of the MathTex JS library included on the forum. My guess is that it doesn't work with ancient versions of Firefox.
Old 2017-01-28, 10:44   #19
retina
Undefined
 
 
"The unspeakable one"
Jun 2006
My evil lair


Quote:
Originally Posted by Mark Rose
You just enabled the XSS in your quote!
Okay, I didn't know. Fortunately I neutered it with "blahblah" just in case it did work.
Quote:
Originally Posted by Mark Rose
It takes advantage of the MathTex JS library included on the forum. My guess is that it doesn't work with ancient versions of Firefox.
Ah, so yet another reason to eliminate JS. Thanks for your support.
Old 2017-01-31, 20:36   #20
Madpoo
Serpentine Vermin Jar
 
 
Jul 2014

SSL redirect applied to a single page for now

I've applied a redirect from http to https for this page:
http://www.mersenne.org/report_milestones/

Of course once you've hit the https version of the site, all links are relative and you'll stay https as you browse around.

The one exception I came across that I need to make sure is NOT redirected is also related to a "canonical" rule I added (so mersenne.org is redirected to www.mersenne.org). It's for v4 clients that still hit a link that doesn't like to be tinkered with.

Once I do fully implement a site-wide SSL redirect, that url would be left alone. Poor v4 clients. I should look again at how much activity that gets... it surprised me last time. Can't believe there are still so many out there.

Anyway, the single page redirect was just to make sure it works. It does.
Old 2017-02-01, 00:10   #21
Mark Rose
 
 
"/X\(‘-‘)/X\"
Jan 2013


Once you're redirecting almost everything, don't forget to set the secure flag on the cookie.
Old 2017-02-01, 03:41   #22
Mark Rose
 
 
"/X\(‘-‘)/X\"
Jan 2013


Quote:
Originally Posted by Mark Rose
I've updated my fork of mfloop.py and made a pull request to teknohog.
teknohog has merged the changes. If anyone is using mfloop.py, please update.