SSL is coming - prepare...

Madpoo · 2017-01-21, 03:01

Hi all,

The Primenet server has SSL on it now. For the moment it's not being forced, but the goal is to switch traffic to SSL as soon as possible.

We realize that some of you use bots to grab stats directly from different pages so I wanted to be sure and mention the SSLization in advance so you can prepare and test.

There are also some proxies out there that fetch assignments/return results and those should also be checked to make sure they play nice with SSL.

I'm not sure what the rollout will look like exactly... I may start out by redirecting to https on the home page (at which point future clicks to links from there are all protocol relative). That will get some ssl flowing while still allowing the bots/proxies to work under http while they get things tested.

If you have questions or your particular usage isn't working well with SSL, you can reply here and let me know. I can try to help you through whatever issue, but ultimately I hope you're able to get your scripts or whatever working with the secure pages.

0PolarBearsHere · 2017-01-22, 06:29

My quick test with curl appears to have worked just by changing the protocol to https. Either that or it redirected back to http. I should probably view the raw output.

chalsall · 2017-01-22, 23:18

Quote:

Originally Posted by Madpoo

There are also some proxies out there that fetch assignments/return results and those should also be checked to make sure they play nice with SSL.

OK, GPU72's proxy is now using the PrimeNet SSL connection (required one additional REGEX line), and its observation spider is also (required one additional character).

Now let's hope that Mike gets https://www.MersenneForum.org/ operational....

Madpoo · 2017-01-24, 03:49

Quote:

Originally Posted by 0PolarBearsHere

My quick test with curl appears to have worked just by changing the protocol to https. Either that or it redirected back to http. I should probably view the raw output.

There isn't anything on the server that would redirect to/from http or https so hopefully that means you're a-ok.

That's good... maybe this weekend (or if I have a few free hours some night) I can enable an http -> https redirect and see how things go for a day or two... sometimes the way to find out who is using undocumented "features" or using an unknown method is to just change it and see who complains.

Mark Rose · 2017-01-24, 20:23

I've updated my fork of mfloop.py and made a pull request to teknohog.

chalsall · 2017-01-24, 21:04

Quote:

Originally Posted by Madpoo

T...sometimes the way to find out who is using undocumented "features" or using an unknown method is to just change it and see who complains.

We haven't yet heard from Scott father of MISFIT.

Also, just because the downloadable code is updated doesn't mean the deployed code is.

Step carefully, and listen even more closely....

LaurV · 2017-01-25, 06:46

Scott is a busy guy who doesn't read these threads. PM him or write in the Misfit service thread, he is famous for fixing the bugs before we report them in that thread...

Madpoo · 2017-01-26, 15:50

Quote:

Originally Posted by LaurV

Scott is a busy guy who doesn't read these threads. PM him or write in the Misfit service thread, he is famous for fixing the bugs before we report them in that thread...

I emailed him already right after the cert was installed and he said he'd be trying it out.

I don't know the current status of his tests... Misfit hits at least one custom page for assignments/results so at the very least I could make sure those don't get a redirect until I hear back.

chalsall · 2017-01-26, 17:37

Quote:

Originally Posted by Madpoo

I emailed him already right after the cert was installed and he said he'd be trying it out.

I also just emailed him giving this thread.

mattmill30 · 2017-01-27, 12:15

What's the rationale for converting the entire site to SSL?

I understand encrypting credentials, but why not offer https which delivers the current site and a http site which includes beneath the username and password boxes a "login securely" link which redirects to a https login screen?

This would save bandwidth and CPU resources for all pages which aren't sensitive.

Is the concern that the session ID or cookies (whichever are used) would be cleartext over a http connection?
Personally, I don't think this is a concern because the website accepts anonymous submissions, so a XSS attack is quite pointless.

Mark Rose · 2017-01-27, 15:47

Browsers are already starting showing warnings when sites are loaded over HTTP. The overhead of HTTPS was a big deal fifteen years ago but is minimal today.

XSS is an issue: click this (though HTTPS won't fix this particular one).

2017-01-21, 03:01	#1
Madpoo Serpentine Vermin Jar Jul 2014 5·677 Posts	SSL is coming - prepare... Hi all, The Primenet server has SSL on it now. For the moment it's not being forced, but the goal is to switch traffic to SSL as soon as possible. We realize that some of you use bots to grab stats directly from different pages so I wanted to be sure and mention the SSLization in advance so you can prepare and test. There are also some proxies out there that fetch assignments/return results and those should also be checked to make sure they play nice with SSL. I'm not sure what the rollout will look like exactly... I may start out by redirecting to https on the home page (at which point future clicks to links from there are all protocol relative). That will get some ssl flowing while still allowing the bots/proxies to work under http while they get things tested. If you have questions or your particular usage isn't working well with SSL, you can reply here and let me know. I can try to help you through whatever issue, but ultimately I hope you're able to get your scripts or whatever working with the secure pages.

2017-01-22, 06:29	#2
0PolarBearsHere Oct 2015 2×7×19 Posts	My quick test with curl appears to have worked just by changing the protocol to https. Either that or it redirected back to http. I should probably view the raw output. Last fiddled with by 0PolarBearsHere on 2017-01-22 at 06:31

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Big milestone coming up	schickel	Aliquot Sequences	8	2011-07-29 10:54
Mersenne BOINC coming?	frmky	Software	27	2011-02-20 08:52
Dark times may be coming...?	OmbooHankvald	mersennewiki	10	2005-10-24 06:26
And the hits just keep on coming.....	R.D. Silverman	Factoring	13	2005-10-04 10:02
Coming to a DC project near you P4 2.4B/GA8SQ800 /pc3200	dragongoddess	Hardware	0	2003-03-22 15:49

2017-01-24, 20:23	#5
Mark Rose "/X\(‘-‘)/X\" Jan 2013 3106₁₀ Posts	I've updated my fork of mfloop.py and made a pull request to teknohog.

2017-01-25, 06:46	#7
LaurV Romulan Interpreter "name field" Jun 2011 Thailand 3·23·149 Posts	Scott is a busy guy who doesn't read these threads. PM him or write in the Misfit service thread, he is famous for fixing the bugs before we report them in that thread...

2017-01-27, 12:15	#10
mattmill30 Aug 2015 46₁₀ Posts	What's the rationale for converting the entire site to SSL? I understand encrypting credentials, but why not offer https which delivers the current site and a http site which includes beneath the username and password boxes a "login securely" link which redirects to a https login screen? This would save bandwidth and CPU resources for all pages which aren't sensitive. Is the concern that the session ID or cookies (whichever are used) would be cleartext over a http connection? Personally, I don't think this is a concern because the website accepts anonymous submissions, so a XSS attack is quite pointless.

2017-01-27, 15:47	#11
Mark Rose "/X\(‘-‘)/X\" Jan 2013 2·1,553 Posts	Browsers are already starting showing warnings when sites are loaded over HTTP. The overhead of HTTPS was a big deal fifteen years ago but is minimal today. XSS is an issue: click this (though HTTPS won't fix this particular one).