Author Topic: SSL for geekhack  (Read 6889 times)


Offline jalaj

  • Thread Starter
  • Posts: 156
SSL for geekhack
« on: Sat, 14 June 2014, 20:57:21 »
I'm a proponent of implementing SSL for geekhack's webserver.
Especially since registered users have to authenticate to the site, SSL will help prevent the password from being visible in plain text from traffic sniffers on the same network, ISPs, or other guvment agencies.
I know there's a lot of private, sensitive NFO passed around on these forums and we need to safeguard it.
Fundraiser for SSL cert???
I'd chip in for the peace of mind.
« Last Edit: Sat, 14 June 2014, 21:00:04 by jalaj »

Offline smknjoe

  • Posts: 862
  • Location: Tejas
  • I like tactile, clicky, switches.
Re: SSL for geekhack
« Reply #1 on: Sat, 14 June 2014, 21:06:17 »
I completely agree. Any site that requires a password should use SSL/TLS. Godaddy certs are only about $80 a year. Otherwise, assume that your username and password used on this site have been or will be compromised at some point in time.

Edit: that's why I use a password that is unique to this site only...same goes for any other site that requires a password without SSL.
SSKs for everyone!

Offline jalaj

  • Thread Starter
  • Posts: 156
Re: SSL for geekhack
« Reply #2 on: Sat, 14 June 2014, 21:11:13 »
Also, all PMs are currently insecure; the messages can be sniffed in plain text.
Or someone can sniff the traffic, pull your account password, log into your account, and see all your PM history.
Bam private, sensitive info exposed.
I prefer digicert, but any SSL certificate authority is better than none at this point.

Offline smknjoe

  • Posts: 862
  • Location: Tejas
  • I like tactile, clicky, switches.
Re: SSL for geekhack
« Reply #3 on: Sat, 14 June 2014, 21:19:07 »
Not to get OT, but why pay more for the same thing? Godaddy = $70 for one single year; Digicert = $175 for one single year. As long as 99% of browsers recognize it why not go cheaper, or am I missing something else that's better about the Digicert? No sarcasm...

Offline mkawa

  •  No Marketplace Access
  • Posts: 6562
  • (ツ)@@@. crankypants
Re: SSL for geekhack
« Reply #4 on: Sat, 14 June 2014, 21:41:14 »
yah, we should probably do this. there's basically no impedance. we've just been lax about it

to all the brilliant friends who have left us, and all the students who climb on their shoulders.

Offline mashby

  • ** Moderator Emeritus
  • Posts: 2828
  • Location: Nashville, TN
  • What Up Shoney? (ツ)_/¯
    • Mashby
Re: SSL for geekhack
« Reply #5 on: Sat, 14 June 2014, 21:49:54 »
I've gotten certificates from Comodo for less. However, it may have been a reseller's discount. Definitely worth checking into.

Offline mkawa

  •  No Marketplace Access
  • Posts: 6562
  • (ツ)@@@. crankypants
Re: SSL for geekhack
« Reply #6 on: Sat, 14 June 2014, 21:51:17 »
samwisekoi is almost certainly a reseller. I'll get this done, just keep bugging me about it


Offline smknjoe

  • Posts: 862
  • Location: Tejas
  • I like tactile, clicky, switches.
Re: SSL for geekhack
« Reply #7 on: Sat, 14 June 2014, 21:54:24 »
Comodo is $99 for 1 year. They (and Digicert) offer a multi-year discount though. Godaddy is the cheapest I know of and I've used them for about 14 years. They were $40 until a few years ago...

Offline riotonthebay

  • Cherry Peasant
  • * Destiny Supporter
  • Posts: 2048
  • Location: Raleigh, NC
  • keycult.com
Re: SSL for geekhack
« Reply #8 on: Sat, 14 June 2014, 22:10:16 »

Offline smknjoe

  • Posts: 862
  • Location: Tejas
  • I like tactile, clicky, switches.
Re: SSL for geekhack
« Reply #9 on: Sat, 14 June 2014, 22:16:04 »
Nice!

Offline Techno Trousers

  • Posts: 908
  • ʘ_ಠ
Re: SSL for geekhack
« Reply #10 on: Sat, 14 June 2014, 22:36:30 »
StartSSL.com class 1 certificates are free. You can't beat that price.

You need to generate a new one each year, but it's a good idea to do that anyway.
« Last Edit: Sat, 14 June 2014, 22:38:26 by Techno Trousers »

Offline strict

  • TKL Zealot
  • Posts: 1921
  • Location: PA
Re: SSL for geekhack
« Reply #11 on: Sat, 14 June 2014, 22:43:30 »
This is a great idea! I would gladly chip in, if needed, to help cover the cost of an SSL cert.

As a side note, I use DigiCert at work for all our certificates and have always been very happy with their service. They may not be the cheapest but having unlimited server licenses and unlimited duplicates for our wildcard is very convenient.

Realforce EK45 (Silenced)  |  Realforce 87UW (45g)  |  Realforce 87UWS (Variable)
Filco MJ2 TKL (Cherry Clears)  |  Phantom 87 (78g Gateron Clears)  |  Phantom 86 (67g Zealios)


Offline mkawa

  •  No Marketplace Access
  • Posts: 6562
  • (ツ)@@@. crankypants
Re: SSL for geekhack
« Reply #12 on: Sun, 15 June 2014, 11:45:05 »
the blocking function here is that i need to reset my access to the geekhack back-end to implement this. the cert won't be an issue.


Offline CPTBadAss

  • Woke up like this
  • Posts: 14365
    • Tactile Zine
Re: SSL for geekhack
« Reply #13 on: Sun, 15 June 2014, 11:46:07 »
Very serious question. Can someone explain SSL to me like I'm in kindergarten? I'd like to learn more about it. I'm assuming that it's a security feature that GH should have.

Offline bueller

  • MX baller
  • * Esteemed Elder
  • Posts: 3769
  • Location: Perth, Australia
  • Church of the Ergo Clear
Re: SSL for geekhack
« Reply #14 on: Sun, 15 June 2014, 12:00:19 »
Very serious question. Can someone explain SSL to me like I'm in kindergarten? I'd like to learn more about it. I'm assuming that it's a security feature that GH should have.

Edit: see reply below, way better description.
« Last Edit: Sun, 15 June 2014, 12:03:45 by bueller »
It's a good width!  If it's half-width it's too narrow, and full-width is too wide. 

[WTT] bueller's trade thread - CLACKS WANTED

Offline riotonthebay

  • Cherry Peasant
  • * Destiny Supporter
  • Posts: 2048
  • Location: Raleigh, NC
  • keycult.com
Re: SSL for geekhack
« Reply #15 on: Sun, 15 June 2014, 12:02:06 »
Very serious question. Can someone explain SSL to me like I'm in kindergarten? I'd like to learn more about it. I'm assuming that it's a security feature that GH should have.

Caveat: I don't claim to really understand this stuff, but here's what SSL/TLS (Secure Sockets Layer/Transport Security Layer) lets you do:

I want to accomplish two things: 1) verify that messages sent from geekhack.org are actually sent from geekhack.org (and not someone pretending to be), and 2) encrypt messages sent between the server and me. Number 2) means that if I submit my password and someone intercepts my message, all they see are "random" characters, not my actual password. Actually, they shouldn't even know that I submitted my password at all. SSL/TLS lets me accomplish both of these.

First, someone called a Certificate Authority issues an SSL certificate to geekhack.org. When I initiate a connection, geekhack.org sends me this special certificate, which I then send back to the Certificate Authority to "verify" that geekhack.org is who they say they are. Due to some crypto magic that I won't go into, it's not possible for someone else to fake this certificate. This gets me 1) above.

Since I now know that geekhack.org is who they say they are, we exchange a set of keys that we will use to encrypt further traffic. This uses something called Public Key Cryptography. The basic idea is that I generate a public key and a private key. I send you my public key, which is kind of like a thing that takes some text and outputs some garbled text. The trick is that you can't get back the original text unless you have the private key. So you send me the encrypted message, and I use my private key to turn it back into the actual message you wanted me to receive. So I use the server's public key to encrypt messages I send it, and it uses my public key to encrypt messages it sends back. This gets me 2) above.

Corrections welcomed. If this didn't make sense, CPT, feel free to ping me on Skype. ;)

Offline CPTBadAss

  • Woke up like this
  • Posts: 14365
    • Tactile Zine
Re: SSL for geekhack
« Reply #16 on: Sun, 15 June 2014, 12:03:47 »
Hooray! Basic understanding achieved :D. Thanks riotonthebro and bueller!

Offline Coreda

  • Posts: 776
Re: SSL for geekhack
« Reply #17 on: Sun, 15 June 2014, 12:03:51 »
Very serious question. Can someone explain SSL to me like I'm in kindergarten? I'd like to learn more about it. I'm assuming that it's a security feature that GH should have.

It's the https part of the URL on secure sites. Non secure (http) connections can be eavesdropped, so anyone looking at data from your connection can see all the info being exchanged between you and geekhack in the clear.

On the other hand, setting up SSL on the site would allow the user to connect securely to GH, essentially like a secret handshake. This allows the data to be encrypted and prevents others from snooping on the communication as it's being sent.

Edit: heh, beaten by riot  :thumb:

Offline CPTBadAss

  • Woke up like this
  • Posts: 14365
    • Tactile Zine
Re: SSL for geekhack
« Reply #18 on: Sun, 15 June 2014, 12:06:40 »
Your explanation actually made something like Coreda. Now I understand why people/tech support have referred to something as handshakes when talking about browsers.

Offline mkawa

  •  No Marketplace Access
  • Posts: 6562
  • (ツ)@@@. crankypants
Re: SSL for geekhack
« Reply #19 on: Sun, 15 June 2014, 12:24:28 »
ssl is just an encryption mechanism for http sessions

although now it's really called tls, not ssl. the ssl standards are broken. same diff though

edit: sorry, it's an encryption and integrity. the basic idea behind integrity is that integrity proves that each message passed between users definitely came from the sending user.
« Last Edit: Sun, 15 June 2014, 12:27:36 by mkawa »


Offline intelli78

  • Posts: 1503
  • Location: Seattle
Re: SSL for geekhack
« Reply #20 on: Sun, 15 June 2014, 12:26:04 »
Is the use of SSL considered strictly superior over NOT using it for all situations?  Are there any downsides other than the cost of the certificate?
Please consider carefully before you decide to comment, for Jesus.

Offline mkawa

  •  No Marketplace Access
  • Posts: 6562
  • (ツ)@@@. crankypants
Re: SSL for geekhack
« Reply #21 on: Sun, 15 June 2014, 12:29:00 »
the SSL standards are completely subsumed by the TLS standards because of the number of attacks which make breaking SSLv1-2 trivial. i'd rather not implement sslv1-2 and go plaintext than go with either one, because sslv1-2 are equivalent to having no secure exchange at all, but give the illusion of being secure.
« Last Edit: Sun, 15 June 2014, 21:33:07 by mkawa »


Offline riotonthebay

  • Cherry Peasant
  • * Destiny Supporter
  • Posts: 2048
  • Location: Raleigh, NC
  • keycult.com
Re: SSL for geekhack
« Reply #22 on: Sun, 15 June 2014, 12:41:50 »
the SSL standards are completely subsumed by the TLS standards because of the number of attacks which make breaking SSLv1-2 trivial. i'd rather not implement sslv1-2 and go plaintext than go with either one, because sslv1-2 are equivalent to having no secure exchange at all, but give the illusion of being secure.

I don't think anyone here actually means SSL when they say SSL. Just assume everyone's talking about TLS.

Offline Techno Trousers

  • Posts: 908
  • ʘ_ಠ
Re: SSL for geekhack
« Reply #23 on: Mon, 16 June 2014, 18:50:58 »
HTTPS is probably the most correct generic terminology. I still need to break myself of using the term SSL as well.

Offline mkawa

  •  No Marketplace Access
  • Posts: 6562
  • (ツ)@@@. crankypants
Re: SSL for geekhack
« Reply #24 on: Mon, 16 June 2014, 19:28:48 »
you aren't the only one. apache has called it mod_ssl since the beginning of time, and doesn't plan on changing the name.


Offline esko997

  • Posts: 160
  • Location: CT, USA
  • Linux Lover
Re: SSL for geekhack
« Reply #25 on: Mon, 16 June 2014, 19:43:03 »
Not sure whether the Geekhack site entity has money available to spend on this kind of thing, but if not I would also be willing to chip in something for SSL implementation.
Daily Drivers:  Unicomp Customizer (BS -- Linux Layout) | Vortex Race 3 (Clears)
Other Boards: CM Quickfire Stealth (Greens) | Poker II (Blues) | PLU-ML 87 (Ergo Clears)  | JD40 (Browns) | Leopold FC660C (Topre) | IBM Model M | ErgoDox (Clears) | Sentraq s60x DIY (Blacks) | Anne Pro 2 (Blues) | Cherry G80-11900 (Blacks) | Kira (99 Key) (Hako True)

Offline strict

  • TKL Zealot
  • Posts: 1921
  • Location: PA
Re: SSL for geekhack
« Reply #26 on: Wed, 22 October 2014, 20:04:43 »
Any news on this?



Offline Melvang

  • Exquisite Lord of Bumfluff
  • * Maker
  • Posts: 4398
  • Location: Waterloo, IA
  • Melvang's Desktop Customs
Re: SSL for geekhack
« Reply #27 on: Wed, 22 October 2014, 21:23:32 »
PM sent to mkawa regarding money for certs.
OG Kishsaver, Razer Orbweaver clears and reds with blue LEDs, and Razer Naga Epic.   "Great minds crawl in the same sewer"  Uncle Rich

Offline swill

  • * Elevated Elder
  • Posts: 3365
  • Location: Canada eh
  • builder & enabler
    • swillkb.com
Re: SSL for geekhack
« Reply #28 on: Thu, 23 October 2014, 01:09:19 »
Is the use of SSL considered strictly superior over NOT using it for all situations?  Are there any downsides other than the cost of the certificate?
There are no major downsides. The site might appear to be a bit slower because the server has to do a bit more work to encrypt the messages and terminate the SSL connection, but it won't be a big difference. Commonly people who are not logged in are served http pages and when you log in you are served HTTPS pages. This helps reduce the work of the server while still keeping all the user transactional data secure.

Offline atlas3686

  • HHKB Elite
  • * Esteemed Elder
  • Posts: 2342
  • Location: South Africa
  • Preacher at the church of Thorpe
Re: SSL for geekhack
« Reply #29 on: Thu, 23 October 2014, 01:23:05 »

Offline CPTBadAss

  • Woke up like this
  • Posts: 14365
    • Tactile Zine
Re: SSL for geekhack
« Reply #30 on: Sun, 02 November 2014, 19:59:31 »
Hi everyone, just wanted to let y'all know that this is happening. We're getting some https action. But since I don't understand how all this works, I'll let samwisekoi, mkawa, jwaz, or someone much smarter than me chime in.

Offline nubbinator

  • Dabbler Supreme
  • * Maker
  • Posts: 8658
  • Location: Orange County, CA
  • Model M "connoisseur"
Re: SSL for geekhack
« Reply #31 on: Sun, 02 November 2014, 20:33:51 »
Hi everyone, just wanted to let y'all know that this is happening. We're getting some https action. But since I don't understand how all this works, I'll let samwisekoi, mkawa, jwaz, or someone much smarter than me chime in.

You just add an s to the end of http and it's magic.

Offline FrostyToast

  • Litshoard
  • * Exquisite Elder
  • Posts: 2368
  • Location: Canada
Re: SSL for geekhack
« Reply #32 on: Sun, 02 November 2014, 20:34:25 »
Hi everyone, just wanted to let y'all know that this is happening. We're getting some https action. But since I don't understand how all this works, I'll let samwisekoi, mkawa, jwaz, or someone much smarter than me chime in.

You just add an s to the end of http and it's magic.

Just like Scrabble.
Add S to win.
Quote from: elton5354
I don't need anymore keyboards

Offline CPTBadAss

  • Woke up like this
  • Posts: 14365
    • Tactile Zine
Re: SSL for geekhack
« Reply #33 on: Sun, 02 November 2014, 20:38:18 »
So what you're saying is that even though S is a ***** letter and only gives me one stupid point, it's important for SSL Scrabble? TIL.

Offline Zeal

  • Actually the King of Green Tea Kit-Kats
  • * Vendor
  • Posts: 2798
  • Location: BC, Canada
    • Zeal Generation Inc.
Re: SSL for geekhack
« Reply #34 on: Sun, 02 November 2014, 20:41:28 »
Hi everyone, just wanted to let y'all know that this is happening. We're getting some https action. But since I don't understand how all this works, I'll let samwisekoi, mkawa, jwaz, or someone much smarter than me chime in.

You just add an s to the end of http and it's magic.

Just like Scrabble.
Add S to win.

https://geekhack.org/index.php?topic=59555.30

Am I doing it right? :p
        "Bird have wing, bird will fly. Henry had wings.  Henry now fly." -Sent

Offline FrostyToast

  • Litshoard
  • * Exquisite Elder
  • Posts: 2368
  • Location: Canada
Re: SSL for geekhack
« Reply #35 on: Sun, 02 November 2014, 20:42:19 »
So what you're saying is that even though S is a ***** letter and only gives me one stupid point, it's important for SSL Scrabble? TIL.

If someone wants to be like
"CONNOTATION, BISH! 1 BAJILLION PTS!"

You be like
"CONNOTATION + S. 1 bajillion and 1 pts. Get rekt son."

Offline jwaz

  • * based mod
  • Posts: 2069
  • #geekhack on freenode
Re: SSL for geekhack
« Reply #36 on: Sun, 02 November 2014, 21:05:23 »
It will most likely be implemented in the next month but for sure before the end of the year. We've got the hookup on a cert, but thanks for the suggestions everyone. This is something we realize we should have done a long time ago and are working to resolve in a timely manner.

Offline tbc

  • Posts: 2365
Re: SSL for geekhack
« Reply #37 on: Sun, 02 November 2014, 21:14:23 »
is this breaking image uploading or is that something else?

tons of 500s
ALL zombros wanted:  dead or undead or dead-dead.

Offline Puddsy

  • nice
  • * Elated Elder
  • Posts: 12275
  • Location: RSTLN E
  • "Do you shovel to survive, or survive to shovel?"
Re: SSL for geekhack
« Reply #38 on: Sun, 02 November 2014, 21:15:26 »
is this breaking image uploading or is that something else?

tons of 500s

nothing technical has been done yet AFAIK

and if we had done anything it shouldn't break images
QFR | MJ2 TKL | "Bulgogiboard" (Keycon 104) | ctrl.alt x GON 60% | TGR Alice | Mira SE #29 | Mira SE #34 | Revo One | z | Keycult No. 1 | AIS65 | First CW87 prototype | Mech27v1 | Camp C225 | Duck Orion V1 | LZ CLS sxh | Geon Frog TKL | Hiney TKL One | Geon Glare TKL



"Everything is worse, but in a barely perceptible and indefinable way" -dollartacos, after I came back from a break | "Is Linkshine our Nixon?" -NAV | "Puddsy is the Puddsy of keebs" -ns90

Offline jwaz

  • * based mod
  • Posts: 2069
  • #geekhack on freenode
Re: SSL for geekhack
« Reply #39 on: Mon, 03 November 2014, 12:05:04 »
is this breaking image uploading or is that something else?

tons of 500s

That's a separate issue entirely, we're working on it and appreciate your patience.

Offline pr0ximity

  • Posts: 2705
  • Location: Maine
Re: SSL for geekhack
« Reply #40 on: Tue, 04 November 2014, 22:38:54 »
Thanks for pushing this forward. Definitely a worthwhile feature  :thumb:
| Flickr | KMAC 1.2 | Koala | GSKT-00-Z | GSKT-00-AEK | GON NerD60 | Jane V2 CE | Whale | J80S | Ibis | Pro2 | Pro1 | 356mini | 356CL DGE | G80-5000 HAMDE | IBM 1390120 | IBM F AT | IBM F122 | IBM 3101 | Zenith Z-150

Offline Findecanor

  • Posts: 5036
  • Location: Koriko
Re: SSL for geekhack
« Reply #41 on: Wed, 05 November 2014, 01:42:06 »
I think that each HTTP request should automatically be redirected to the corresponding HTTPS request.
That way, you would not lose TLS protection if you follow a link to a thread or to the Wiki.

Maybe that could be an optional feature for logged-in users only.

Offline jwaz

  • * based mod
  • Posts: 2069
  • #geekhack on freenode
Re: SSL for geekhack
« Reply #42 on: Wed, 05 November 2014, 13:21:32 »
I think that each HTTP request should automatically be redirected to the corresponding HTTPS request.
That way, you would not lose TLS protection if you follow a link to a thread or to the Wiki.

Maybe that could be an optional feature for logged-in users only.

This is definitely something we'll be planning on doing.
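
The redirect proposed in Reply #41 can be checked from the outside once it is deployed. The following is an added example, not part of the thread and not geekhack's own code: it audits recorded plain-HTTP responses for whether each one is redirected to the corresponding HTTPS URL. The function names and the sample responses are constructed for illustration; the topic URL is the one posted in Reply #34.

```python
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}


def audit_redirect(request_url, status, location=None):
    """Check one plain-HTTP request/response pair.

    Returns a list of findings; an empty list means the request was
    permanently redirected to the corresponding HTTPS URL.
    """
    req = urlsplit(request_url)
    if req.scheme != "http":
        return []  # only plain-HTTP requests are in scope
    if status not in PERMANENT | TEMPORARY:
        return [f"status {status}: page served over plain HTTP, no redirect"]
    if not location:
        return [f"status {status} without a Location header"]

    findings = []
    # A relative Location resolves against the request URL, so it stays http.
    target = urlsplit(urljoin(request_url, location))
    if target.scheme != "https":
        findings.append(f"redirect target uses {target.scheme}, not https")
    if target.hostname != req.hostname:  # urlsplit lower-cases hostnames
        findings.append(f"host changed: {req.hostname} -> {target.hostname}")
    if (target.path or "/", target.query) != (req.path or "/", req.query):
        findings.append("path or query string not preserved")
    if status in TEMPORARY:
        findings.append(f"status {status} is temporary; prefer 301 or 308")
    return findings


# Constructed observations: (request URL, status, Location header).
TOPIC = "http://geekhack.org/index.php?topic=59555.30"
SAMPLES = [
    (TOPIC, 301, "https://geekhack.org/index.php?topic=59555.30"),
    (TOPIC, 301, "https://geekhack.org/"),
    (TOPIC, 302, "https://geekhack.org/index.php?topic=59555.30"),
    (TOPIC, 301, "/index.php?topic=59555.30"),
    (TOPIC, 200, None),
]


def audit_all(samples):
    """Map each sample index to its findings, skipping clean results."""
    report = {}
    for i, (url, status, location) in enumerate(samples):
        findings = audit_redirect(url, status, location)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for index, findings in audit_all(SAMPLES).items():
        print(SAMPLES[index][1:], "->", "; ".join(findings))
```

Only the first sample passes: the others drop the thread's query string, use a temporary redirect, stay on http through a relative Location, or serve the page without redirecting at all.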