Discussion:
OpenBSD Foundation on HTTPS
Hess THR
2017-12-15 10:50:58 UTC
Hello, just noticed that http://www.openbsdfoundation.org/ doesn't
support HTTPS, while in 2017 Dec, ~70% of the websites do:
https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
BTW, wow:
https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Hess THR
2018-02-06 10:03:32 UTC
Hello,

because HTTPS increases the authenticity, integrity, privacy: https://en.wikipedia.org/wiki/HTTPS

going to apache/iis/nginx/linux will not increase "security". since they have very buggy code.

but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code in the base?
Sent: Friday, December 15, 2017 at 12:11 PM
Subject: Re: OpenBSD Foundation on HTTPS
1) Why do you want https support?
2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift to IIS as well? Wait, I guess more people use Linux, so we should stop using OpenBSD altogether.
-----Original Message-----
Date: Friday, 15 December 2017 at 4:20 PM
Subject: OpenBSD Foundation on HTTPS
Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Hess THR
2018-02-06 11:32:54 UTC
troll on

hey, yeah, you are absolutely right!

no one would ever modify (since plain http) the example.:

http://www.openbsdfoundation.org/donations.html

page, where are the PayPal donation links, bitcoin donation links are, without anybody noticing!

Why would someone do something like this? we live in a perfect world without bad people! yay pink ponies!

troll off
Sent: Tuesday, February 06, 2018 at 12:23 PM
Subject: Re: OpenBSD Foundation on HTTPS
Hi,
There is no need. There is nothing secret on those web servers, there
is no logical reason to encrypt it. This issue has been discussed to
death. Please check archives.
Ian
Post by Hess THR
Hello,
because HTTPS increases the authenticity, integrity, privacy: https://en.wikipedia.org/wiki/HTTPS
going to apache/iis/nginx/linux will not increase "security". since they have very buggy code.
but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code in the base?
Sent: Friday, December 15, 2017 at 12:11 PM
Subject: Re: OpenBSD Foundation on HTTPS
1) Why do you want https support?
2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift to IIS as well? Wait, I guess more people use Linux, so we should stop using OpenBSD altogether.
-----Original Message-----
Date: Friday, 15 December 2017 at 4:20 PM
Subject: OpenBSD Foundation on HTTPS
Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Charlie Eddy
2018-02-06 18:03:09 UTC
agreed - using HTTP instead of HTTPS is a great way to encourage that
activity, and since I love having my head in the sand like an ostrich I
encourage us to not encrypt the donation links to the most secure operating
system available to the public. That way we can't donate securely to the
foundation we support - the sand is great from down here
Post by Hess THR
troll on
hey, yeah, you are absolutely right!
http://www.openbsdfoundation.org/donations.html
page, where are the PayPal donation links, bitcoin donation links are,
without anybody noticing!
Why would someone do something like this? we live in a perfect world
without bad people! yay pink ponies!
troll off
Sent: Tuesday, February 06, 2018 at 12:23 PM
Subject: Re: OpenBSD Foundation on HTTPS
Hi,
There is no need. There is nothing secret on those web servers, there
is no logical reason to encrypt it. This issue has been discussed to
death. Please check archives.
Ian
Post by Hess THR
Hello,
https://en.wikipedia.org/wiki/HTTPS
Post by Hess THR
going to apache/iis/nginx/linux will not increase "security". since
they have very buggy code.
Post by Hess THR
but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting
the code in the base?
Post by Hess THR
Sent: Friday, December 15, 2017 at 12:11 PM
Subject: Re: OpenBSD Foundation on HTTPS
1) Why do you want https support?
2) Most websites use IIS, Apache or Nginx. Maybe you should suggest
we shift to IIS as well? Wait, I guess more people use Linux, so we should
stop using OpenBSD altogether.
Post by Hess THR
-----Original Message-----
Date: Friday, 15 December 2017 at 4:20 PM
Subject: OpenBSD Foundation on HTTPS
Hello, Just noticed that the: http://www.openbsdfoundation.org/
doesn't
Post by Hess THR
https://letsencrypt.org/stats/#percent-pageloads Can we have
HTTPS for
Post by Hess THR
the OpenBSD Foundation? Which Official OpenBSD related domain
hasn't got
Post by Hess THR
HTTPS yet? I wish you happy holidays and again, Thanks for all
the work!
Post by Hess THR
https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_
donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Daniel Ouellet
2018-02-06 18:46:21 UTC
Come on guys.

If you actually donate and click on any links there you would see it
bring you to a secure page.

No need to have this one https type really there isn't any information
you enter on it...

I guess the sand is way more thick some places than others....

Must be nice beaches there and pretty bikini too I hope!
Post by Charlie Eddy
agreed - using HTTP instead of HTTPS is a great way to encourage that
activity, and since I love having my head in the sand like an ostrich I
encourage us to not encrypt the donation links to the most secure operating
system available to the public. That way we can't donate securely to the
foundation we support - the sand is great from down here
Post by Hess THR
troll on
hey, yeah, you are absolutely right!
http://www.openbsdfoundation.org/donations.html
page, where are the PayPal donation links, bitcoin donation links are,
without anybody noticing!
Why would someone do something like this? we live in a perfect world
without bad people! yay pink ponies!
troll off
Sent: Tuesday, February 06, 2018 at 12:23 PM
Subject: Re: OpenBSD Foundation on HTTPS
Hi,
There is no need. There is nothing secret on those web servers, there
is no logical reason to encrypt it. This issue has been discussed to
death. Please check archives.
Ian
Post by Hess THR
Hello,
https://en.wikipedia.org/wiki/HTTPS
Post by Hess THR
going to apache/iis/nginx/linux will not increase "security". since
they have very buggy code.
Post by Hess THR
but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting
the code in the base?
Post by Hess THR
Sent: Friday, December 15, 2017 at 12:11 PM
Subject: Re: OpenBSD Foundation on HTTPS
1) Why do you want https support?
2) Most websites use IIS, Apache or Nginx. Maybe you should suggest
we shift to IIS as well? Wait, I guess more people use Linux, so we should
stop using OpenBSD altogether.
Post by Hess THR
-----Original Message-----
Date: Friday, 15 December 2017 at 4:20 PM
Subject: OpenBSD Foundation on HTTPS
Hello, Just noticed that the: http://www.openbsdfoundation.org/
doesn't
Post by Hess THR
https://letsencrypt.org/stats/#percent-pageloads Can we have
HTTPS for
Post by Hess THR
the OpenBSD Foundation? Which Official OpenBSD related domain
hasn't got
Post by Hess THR
HTTPS yet? I wish you happy holidays and again, Thanks for all
the work!
Post by Hess THR
https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_
donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Denis Fondras
2018-02-06 21:10:45 UTC
Post by Daniel Ouellet
If you actually donate and click on any links there you would see it
bring you to a secure page.
But is this the right link ? Can I update the value of "hosted_button_id" and
send you to my Paypal account ?

Denis
Charlie Eddy
2018-02-06 23:43:57 UTC
"Can I update the value of "hosted_button_id" and
send you to my Paypal account ?"

this

is much cleaner, more logical, more formal, and more sensible than

"No need to have this one https type really there isn't any information
you enter on it..."
Post by Denis Fondras
Post by Daniel Ouellet
If you actually donate and click on any links there you would see it
bring you to a secure page.
But is this the right link ? Can I update the value of "hosted_button_id" and
send you to my Paypal account ?
Denis
Jeroen
2018-02-07 14:40:13 UTC
As far as I am concerned, HTTPS by itself doesn't do miracles. It
involved more tech. Unless you can hack the global web infra, it's only
possible to change this on a local network. Wouldn't there be more
interesting targets in such situations?

Don't get me wrong, I am not trying to downplay the lack of HTTPS. But
I do understand why this has no priority whatsoever. Proper HTTPS is
more work than running ACME to get a certificate issued. DANE,
CAA, etc.
Post by Charlie Eddy
"Can I update the value of "hosted_button_id" and
send you to my Paypal account ?"
this
is much cleaner, more logical, more formal, and more sensible than
"No need to have this one https type really there isn't any
information
you enter on it..."
Post by Denis Fondras
Post by Daniel Ouellet
If you actually donate and click on any links there you would see it
bring you to a secure page.
But is this the right link ? Can I update the value of
"hosted_button_id"
and
send you to my Paypal account ?
Denis
Stuart Henderson
2018-02-06 23:48:26 UTC
Post by Daniel Ouellet
Come on guys.
If you actually donate and click on any links there you would see it
bring you to a secure page.
No need to have this one https type really there isn't any information
you enter on it...
I guess the sand is way more thick some places than others....
Must be nice beaches there and pretty bikini too I hope!
Just because some payment processors somehow manage to get that
iframe-served-by-insecure-site crap through pci-dss doesn't mean
it's safe. Pages redirecting/linking/posting to or <iframe>-embedding
payment pages have just as high a security requirement as the
payment pages themselves. You don't want them to be intercepted
and modified.
Post by Daniel Ouellet
Post by Charlie Eddy
agreed - using HTTP instead of HTTPS is a great way to encourage that
activity, and since I love having my head in the sand like an ostrich I
encourage us to not encrypt the donation links to the most secure operating
system available to the public. That way we can't donate securely to the
foundation we support - the sand is great from down here
If you don't trust the forms, you can use obsd-***@openbsdfoundation.org
directly.
Charlie Eddy
2018-02-07 00:14:03 UTC
thank you for providing that email address, case closed as far as I'm
concerned
Tom Atkinson
2018-02-06 23:25:01 UTC
Whilst that might seem like a fair argument, what would happen if I
man-in-the-middled your request for the http page? I could easily change the
links to point to my malicious site, and with certificates being so easy
to get, it would be relatively easy to make it look authentic as far as
the "you end up on a secure page" argument goes and, given the quality of
some spearphishing, the appearance of the page as well. Of course, none
of that would be possible if all of the pages were TLS encrypted.
Tom
Jonathan Thornburg
2018-02-07 13:40:52 UTC
The OpenBSD Foundation
8101 160 Street
Edmonton, Alberta, Canada
T5R 2G9
Without https, how can one verify that that is the correct address?
Jeroen
2018-02-07 14:42:14 UTC
With HTTPS, can you be sure that the server isn't compromised? With or
without HTTPS, it's always a good idea to check whether the address is
correct (a foundation has to be registered and at other places).
Post by Jonathan Thornburg
The OpenBSD Foundation
8101 160 Street
Edmonton, Alberta, Canada
T5R 2G9
Without https, how can one verify that that is the correct address?
Charlie Eddy
2018-02-07 23:37:28 UTC
Hello Jonathan Thornburg,

That is quite simple. The post will work.

https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612

Regards,
Post by Jeroen
With HTTPS, can you be sure that the server isn't compromised? With or
without HTTPS, it's always a good idea to check whether the address is
correct (a foundation has to be registered and at other places).
Post by Jonathan Thornburg
The OpenBSD Foundation
8101 160 Street
Edmonton, Alberta, Canada
T5R 2G9
Without https, how can one verify that that is the correct address?
Hess THR
2018-02-09 11:35:25 UTC
Hello,

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

"Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”."

so:
http://www.openbsdfoundation.org/
http://firmware.openbsd.org/firmware/
any mirror that still uses just http, not https, pkg_* should only allow https communication
any other?

also, default redirect to HTTPS should be advisable

HTTPS would provide integrity, privacy, authenticity.

Have a great weekend!

ps.: OpenBSD team is great! I am just advising that it would be better to use HTTPS.
Sent: Thursday, February 08, 2018 at 12:37 AM
Subject: Re: OpenBSD Foundation on HTTPS
Hello Jonathan Thornburg,
That is quite simple. The post will work.
https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612
Regards,
Post by Jeroen
With HTTPS, can you be sure that the server isn't compromised? With or
without HTTPS, it's always a good idea to check whether the address is
correct (a foundation has to be registered and at other places).
Post by Jonathan Thornburg
The OpenBSD Foundation
8101 160 Street
Edmonton, Alberta, Canada
T5R 2G9
Without https, how can one verify that that is the correct address?
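To make concrete the "default redirect to HTTPS" Hess asks for above, and Stuart's earlier point that a plaintext page carrying payment links needs the same protection as the payment page it sends you to, here is an OpenBSD httpd.conf(5) fragment. It is an example added to this page, not the Foundation's configuration or anyone's code from the thread; the hostname www.example.org, the document root and the certificate paths are placeholders matching the layout acme-client(1) uses by default.

```conf
# Example httpd.conf for OpenBSD httpd(8); added illustration, not the
# Foundation's real configuration. Hostname and paths are placeholders.

# Plaintext listener: it answers ACME challenges and nothing else.
# Every other request is redirected, so a visitor never reads the
# donation page (and its payment links) over an unauthenticated path.
server "www.example.org" {
	listen on * port 80

	# acme-client(1) writes challenge responses under /var/www/acme;
	# "request strip 2" drops the /.well-known/acme-challenge prefix.
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}

	# Permanent redirect so browsers cache it for later visits.
	block return 301 "https://$HTTP_HOST$REQUEST_URI"
}

# TLS listener: LibreSSL from base, certificate and key from acme-client.
server "www.example.org" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/www.example.org.fullchain.pem"
		key "/etc/ssl/private/www.example.org.key"
	}
	# HSTS: after the first HTTPS visit the browser refuses plaintext to
	# this host for a year, closing the window an on-path attacker would
	# otherwise have before the port-80 redirect is followed.
	hsts max-age 31536000
	root "/htdocs/www.example.org"
}
```

Check the syntax with `httpd -n` before `rcctl reload httpd`; the certificate itself is obtained with `acme-client -v www.example.org` once the domain is listed in acme-client.conf(5). The firmware and package mirrors raised in the same post are a separate question from the web pages: pkg_add(1) and the installer verify signify(1) signatures on packages and sets regardless of transport, so plaintext mirrors cost privacy but not integrity, whereas the donation page has no such second layer and relies on TLS alone.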
Kevin Chadwick
2018-02-09 11:51:59 UTC
On Fri, 9 Feb 2018 12:35:25 +0100
Post by Hess THR
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
"Beginning in July 2018 with the release of Chrome 68, Chrome will
mark all HTTP sites as “not secure”."
^^^^^^^^^^

HTTP pages!

And they admit the choice of words is poor but they can't think of any
accurate ones that would have the desired effect.

They should probably get rid of the certificate lifetime limits first,
else any laptop (likely an older generation) whose BIOS battery has died
will now be DOS'd from the internet with the other changes already
brought in.
Kevin Chadwick
2018-02-09 11:56:31 UTC
On Fri, 9 Feb 2018 12:35:25 +0100
Post by Hess THR
also, default redirect to HTTPS should be advisable
The important thing is using secure cookies for logins. Otherwise SSL
is less secure. It is required if authenticity of page content is
beneficial of course. The performance claims are also fine and dandy if
you have Google's money for newer processors or use cloud services, I
guess? Anyone know if there are any cost implications of cloud SSL,
cycle counts etc. or Intel AES-NI saves money in the cloud even?
