[freenet-dev] Should we switch the websites to httpS only?

2012-03-14 Thread Florent Daigniere
On Wed, Mar 14, 2012 at 06:19:07AM -0500, Ian Clarke wrote:
> On Fri, Mar 9, 2012 at 3:37 PM, Evan Daniel  wrote:
> 
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> 
> 
> Actually it might.  While we normally hover around 2,500 visits per day,
> which the server should be able to handle quite easily, we do occasionally
> get linked from high-traffic websites which puts a lot more strain on the
> server.
> 
> It's important that the server doesn't go down on these occasions as they
> are an important way to acquire new users, donors, and developers.
> 
> Ian.

That might have been a concern a decade ago, it's not anymore... back then
we had a dynamic website, nowadays everything is static and (much) faster.

Talking about SSL: some of the SSL ciphers are quite fast... and even
accelerated in hardware!
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Frprf_ssl.html
http://zombe.es/post/4078724716/openssl-cipher-selection

I've tweaked what we use on osprey already:
RC4-SHA as a first choice, AES-128-SHA the fallback... and the other ciphers
then.

When we renew the SSL cert, I will ensure that we use a smaller keysize too;
4096 bits RSA is too big, even by my paranoid standards.

We can't do ECC just yet (the openssl version we use doesn't support it)...
and the VM we rent doesn't export AESNI's CPU flags.

Florent



[freenet-dev] Should we switch the websites to httpS only?

2012-03-14 Thread Ian Clarke
On Fri, Mar 9, 2012 at 3:37 PM, Evan Daniel  wrote:

> I'm in favor of https only. The only real arguments against it are
> probably server cpu load. I assume that given our traffic levels,
> that's not likely to be an issue?


Actually it might.  While we normally hover around 2,500 visits per day,
which the server should be able to handle quite easily, we do occasionally
get linked from high-traffic websites which puts a lot more strain on the
server.

It's important that the server doesn't go down on these occasions as they
are an important way to acquire new users, donors, and developers.

Ian.

-- 
Ian Clarke
Founder, The Freenet Project
Email: ian at freenetproject.org
___
Devl mailing list
Devl@freenetproject.org
http://freenetproject.org/cgi-bin/mailman/listinfo/devl



[freenet-dev] Should we switch the websites to httpS only?

2012-03-11 Thread Nicolas Hernandez
Yes .. these countries are in this case.

They cut https, we don't really know if it is a full https blackout or not.


- Nicolas Hernandez
a-n - aleph-networks
*associé*
http://www.aleph-networks.com




On Sat, Mar 10, 2012 at 7:00 PM, Ximin Luo  wrote:

> Someone mentioned that Syria blocks HTTPS, and there are reports of Iran
> blocking HTTPS as well. I don't know if these reports are true however; it
> seems a little suicidal since it also means various services such as online
> banking aren't secure.
>
> I'm of the mind that if HTTPS doesn't work then we shouldn't serve anything.
> Certain services do force HTTPS, and online stores / banks would be laughed at
> if they started offering "non-secure" transactions.
>
> "Certificate error" is the same as not working, yes. People who say "just click
> through the warning" deserve to get their bank details stolen. Do it in private
> if you want to take a risk, but don't advise others to do the same thing!
>
> X
>
> On 10/03/12 17:47, Florent Daigniere wrote:
> > On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
> >> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> >>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >>>>
> >>>> I'm all for HTTPS, but do we really want to outright *remove*
> >>>> functionality from the site? Sure, HTTP isn't secure and all "modern" web
> >>>> browsers support it. However, we would be making it harder for people to
> >>>> learn about Freenet and potentially try it out.
> >>>>
> >>>
> >>> Why? You could still access it over HTTP... and be presented with
> >>> (transparent) redirect to the secure version.
> >>
> >> I just scratched an itch and discovered that even Lynx supports HTTPS? If it
> >> really is the case that HTTPS has become so ubiquitous that users wouldn't
> >> be affected, then sure, go ahead with it.
> >>
> >> HOWEVER: the question really needs to be restated. Are there any countries
> >> or ISPs that are known to disallow secure communications?
> >>
> >
> > I can name plenty of countries filtering HTTP (starting by the UK, where I
> > live); I'm not sure I can name a single one filtering HTTPS.
> > Fundamentally, we can't prevent filtering... but we can prevent tampering of
> > what we publish using cryptography.
> >
> >
> >>>> In the end I think we should do what every major website does today:
> >>>> encrypt the important data and let the entire site be accessible securely,
> >>>> but don't force it onto people.
> >>>>
> >>>> -Daxter
> >>>
> >>> It's very difficult to do and most websites do it wrong. You have to think
> >>> about mixed-content errors, cookie flags, ...
> >>>
> >>> Sending credentials in cleartext like we do on the wikis, with no secure
> >>> alternative, is a disgrace.
> >>>
> >>> Florent
> >>
> >>
> >> Can you give me an example of a website that in your mind does either the
> >> mixed model or the secure-only model properly? It would be nice to compare
> >> with them.
> >>
> >
> > https://www.torproject.org/ does it properly (HTTPS everywhere)
> > https://bugs.freenetproject.org/ does it properly
> > https://www.trustmatta.com/ does it properly
> >
> >
> > https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do it
> > properly (mixed content on the https version)
> > http://www.laposte.net/ (major webmail provider in France) doesn't do it
> > properly (form hosted over http)
> > My bank's website doesn't do it properly (they don't set the 'secure' flag on
> > their session cookie)
> > ...
> >
> > I'm not short of examples; these are the open tabs in my browser right now.
> >
> >> Actually, the wiki supports HTTPS right now. You'll get a certificate error,
> >> but it works.
> >>
> >
> > Hmmff? If you get a certificate error it doesn't work.
> >
> >> While we're on the subject (as I've never bothered with HTTPS on the site
> >> until now), turns out it's rather misconfigured. Both the wiki and the main
> >> site return a certificate for emu.freenetproject.org? That address isn't
> >> accessible--what was it, and shouldn't we get this fixed?
> >>
> >
> > This certificate has X509v3 Subject Alternative Names. It should be valid for
> > the following fqdns:
> > emu.freenetproject.org, freenetproject.org, osprey.freenetproject.org,
> > bugs.freenetproject.org, downloads.freenetproject.org
> >
> > Florent
>
>
> --
> GPG: 4096R/5FBBDBCE
> https://github.com/infinity0
> https://bitbucket.org/infinity0
> https://launchpad.net/~infinity0



[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Ximin Luo
Someone mentioned that Syria blocks HTTPS, and there are reports of Iran
blocking HTTPS as well. I don't know if these reports are true however; it
seems a little suicidal since it also means various services such as online
banking aren't secure.

I'm of the mind that if HTTPS doesn't work then we shouldn't serve anything.
Certain services do force HTTPS, and online stores / banks would be laughed at
if they started offering "non-secure" transactions.

"Certificate error" is the same as not working, yes. People who say "just click
through the warning" deserve to get their bank details stolen. Do it in private
if you want to take a risk, but don't advise others to do the same thing!

X

On 10/03/12 17:47, Florent Daigniere wrote:
> On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
>> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
>>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:

>>>> I'm all for HTTPS, but do we really want to outright *remove*
>>>> functionality from the site? Sure, HTTP isn't secure and all "modern" web
>>>> browsers support it. However, we would be making it harder for people to
>>>> learn about Freenet and potentially try it out.
>>>>
>>>
>>> Why? You could still access it over HTTP... and be presented with 
>>> (transparent) redirect to the secure version.
>>
>> I just scratched an itch and discovered that even Lynx supports HTTPS? If it 
>> really is the case that HTTPS has become so ubiquitous that users wouldn't 
>> be affected, then sure, go ahead with it.
>>
>> HOWEVER: the question really needs to be restated. Are there any countries 
>> or ISPs that are known to disallow secure communications?
>>
> 
> I can name plenty of countries filtering HTTP (starting by the UK, where I 
> live); I'm not sure I can name a single one filtering HTTPS.
> Fundamentally, we can't prevent filtering... but we can prevent tampering of 
> what we publish using cryptography.
> 
> 
>>>> In the end I think we should do what every major website does today:
>>>> encrypt the important data and let the entire site be accessible securely,
>>>> but don't force it onto people.
>>>>
>>>> -Daxter
>>>
>>> It's very difficult to do and most websites do it wrong. You have to think 
>>> about mixed-content errors, cookie flags, ...
>>>
>>> Sending credentials in cleartext like we do on the wikis, with no secure 
>>> alternative, is a disgrace.
>>>
>>> Florent
>>
>>
>> Can you give me an example of a website that in your mind does either the 
>> mixed model or the secure-only model properly? It would be nice to compare 
>> with them.
>>
> 
> https://www.torproject.org/ does it properly (HTTPS everywhere)
> https://bugs.freenetproject.org/ does it properly
> https://www.trustmatta.com/ does it properly
> 
> 
> https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do it 
> properly (mixed content on the https version)
> http://www.laposte.net/ (major webmail provider in France) doesn't do it 
> properly (form hosted over http)
> My bank's website doesn't do it properly (they don't set the 'secure' flag on 
> their session cookie)
> ...
> 
> I'm not short of examples; these are the open tabs in my browser right now.
> 
>> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
>> but it works.
>>
> 
> Hmmff? If you get a certificate error it doesn't work.
> 
>> While we're on the subject (as I've never bothered with HTTPS on the site 
>> until now), turns out it's rather misconfigured. Both the wiki and the main 
>> site return a certificate for emu.freenetproject.org? That address isn't 
>> accessible--what was it, and shouldn't we get this fixed?
>>
> 
> This certificate has X509v3 Subject Alternative Names. It should be valid for
> the following fqdns:
> emu.freenetproject.org, freenetproject.org, osprey.freenetproject.org, 
> bugs.freenetproject.org, downloads.freenetproject.org
> 
> Florent


-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0




[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Florent Daigniere
On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> > On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >> 
> >> I'm all for HTTPS, but do we really want to outright *remove* 
> >> functionality from the site? Sure, HTTP isn't secure and all "modern" web 
> >> browsers support it. However, we would be making it harder for people to 
> >> learn about Freenet and potentially try it out. 
> >> 
> > 
> > Why? You could still access it over HTTP... and be presented with 
> > (transparent) redirect to the secure version.
> 
> I just scratched an itch and discovered that even Lynx supports HTTPS? If it 
> really is the case that HTTPS has become so ubiquitous that users wouldn't be 
> affected, then sure, go ahead with it.
> 
> HOWEVER: the question really needs to be restated. Are there any countries or 
> ISPs that are known to disallow secure communications?
> 

I can name plenty of countries filtering HTTP (starting by the UK, where I 
live); I'm not sure I can name a single one filtering HTTPS.
Fundamentally, we can't prevent filtering... but we can prevent tampering of 
what we publish using cryptography.


> >> In the end I think we should do what every major website does today: 
> >> encrypt the important data and let the entire site be accessible securely, 
> >> but don't force it onto people.
> >> 
> >> -Daxter
> > 
> > It's very difficult to do and most websites do it wrong. You have to think 
> > about mixed-content errors, cookie flags, ...
> > 
> > Sending credentials in cleartext like we do on the wikis, with no secure 
> > alternative, is a disgrace.
> > 
> > Florent
> 
> 
> Can you give me an example of a website that in your mind does either the 
> mixed model or the secure-only model properly? It would be nice to compare 
> with them.
> 

https://www.torproject.org/ does it properly (HTTPS everywhere)
https://bugs.freenetproject.org/ does it properly
https://www.trustmatta.com/ does it properly


https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do it 
properly (mixed content on the https version)
http://www.laposte.net/ (major webmail provider in France) doesn't do it 
properly (form hosted over http)
My bank's website doesn't do it properly (they don't set the 'secure' flag on 
their session cookie)
...

I'm not short of examples; these are the open tabs in my browser right now.

> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
> but it works.
> 

Hmmff? If you get a certificate error it doesn't work.

> While we're on the subject (as I've never bothered with HTTPS on the site 
> until now), turns out it's rather misconfigured. Both the wiki and the main 
> site return a certificate for emu.freenetproject.org? That address isn't 
> accessible--what was it, and shouldn't we get this fixed?
> 

This certificate has X509v3 Subject Alternative Names. It should be valid for
the following fqdns:
emu.freenetproject.org, freenetproject.org, osprey.freenetproject.org, 
bugs.freenetproject.org, downloads.freenetproject.org

Florent
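
Added example, not part of the original message or the project's code: a small Python audit for the three mistakes named in the list above (mixed content on an HTTPS page, a form served or submitted over HTTP, a session cookie without the Secure flag). The function names, finding labels and the sample response on example.org are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make a browser fetch a subresource.
SUBRESOURCES = {("script", "src"), ("img", "src"), ("iframe", "src"),
                ("embed", "src"), ("audio", "src"), ("video", "src"),
                ("source", "src"), ("object", "data"), ("link", "href")}
# <link> only loads something for these rel values (rel="canonical" does not).
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


def cookies_missing_secure(headers):
    """Names of cookies whose Set-Cookie header lacks the Secure attribute."""
    names = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        pair, *attributes = value.split(";")
        flags = {a.split("=", 1)[0].strip().lower() for a in attributes}
        if "secure" not in flags:
            names.append(pair.split("=", 1)[0].strip())
    return names


class PageAudit(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.findings = []

    def _resolve(self, reference):
        # Relative and scheme-relative ("//host/x") URLs inherit the page scheme.
        return urljoin(self.page_url, reference)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "form":
            target = self._resolve(attr.get("action", ""))
            if not self.page_is_https:
                # The form itself can be rewritten in transit, wherever it posts.
                self.findings.append(("form-on-http-page", self.page_url))
            elif urlsplit(target).scheme == "http":
                self.findings.append(("insecure-form-action", target))
            return
        if not self.page_is_https:
            return  # mixed content is only defined for HTTPS pages
        if tag == "link":
            rels = set(attr.get("rel", "").lower().split())
            if not rels & LOADING_RELS:
                return
        for name in ("src", "data", "href"):
            if (tag, name) in SUBRESOURCES and name in attr:
                target = self._resolve(attr[name])
                if urlsplit(target).scheme == "http":
                    self.findings.append(("mixed-content", target))


def audit(page_url, headers, html):
    """Return findings for one response: cookies first, then document order."""
    findings = []
    if urlsplit(page_url).scheme == "https":
        findings += [("cookie-without-secure", name)
                     for name in cookies_missing_secure(headers)]
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return findings + parser.findings


# Constructed sample response; the example.org names are placeholders.
SAMPLE_URL = "https://www.example.org/login"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.org/lib.js"></script>
</head><body>
<img src="//img.example.org/logo.png">
<form method="post" action="http://www.example.org/do-login">
<input type="password" name="pw"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{kind}: {detail}")
```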



[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Matthew Toseland
On Saturday 10 Mar 2012 17:15:04 Matthew Toseland wrote:
> On Saturday 10 Mar 2012 17:00:36 Daxter wrote:
> > On Mar 10, 2012, at 10:54 AM, Matthew Toseland wrote:
> > > On Saturday 10 Mar 2012 16:44:55 Daxter wrote:
> > >> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> > >>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> > >>>>
> > >>>> I'm all for HTTPS, but do we really want to outright *remove*
> > >>>> functionality from the site? Sure, HTTP isn't secure and all "modern"
> > >>>> web browsers support it. However, we would be making it harder for
> > >>>> people to learn about Freenet and potentially try it out.
> > >>>>
> > >>> 
> > >>> Why? You could still access it over HTTP... and be presented with 
> > >>> (transparent) redirect to the secure version.
> > >> 
> > >> I just scratched an itch and discovered that even Lynx supports HTTPS? 
> > >> If it really is the case that HTTPS has become so ubiquitous that users 
> > >> wouldn't be affected, then sure, go ahead with it.
> > >> 
> > >> HOWEVER: the question really needs to be restated. Are there any 
> > >> countries or ISPs that are known to disallow secure communications?
> > >> 
> > >>>> In the end I think we should do what every major website does today:
> > >>>> encrypt the important data and let the entire site be accessible
> > >>>> securely, but don't force it onto people.
> > >>>>
> > >>>> -Daxter
> > >>> 
> > >>> It's very difficult to do and most websites do it wrong. You have to 
> > >>> think about mixed-content errors, cookie flags, ...
> > >>> 
> > >>> Sending credentials in cleartext like we do on the wikis, with no 
> > >>> secure alternative, is a disgrace.
> > >>> 
> > >>> Florent
> > >> 
> > >> 
> > >> Can you give me an example of a website that in your mind does either 
> > >> the mixed model or the secure-only model properly? It would be nice to 
> > >> compare with them.
> > >> 
> > >> Actually, the wiki supports HTTPS right now. You'll get a certificate 
> > >> error, but it works.
> > > 
> > > Why do you get a cert error? We have a wildcard cert!
> > >> 
> > >> While we're on the subject (as I've never bothered with HTTPS on the 
> > >> site until now), turns out it's rather misconfigured. Both the wiki and 
> > >> the main site return a certificate for emu.freenetproject.org? That 
> > >> address isn't accessible--what was it, and shouldn't we get this fixed?
> > > 
> > > Eh? I thought we used the wildcard cert for everything?
> > 
> > Nope, both are using a cert for emu.freenetproject.org. Also, the 
> > certificate is bound to expire on 4/27/2012 so we really should get this 
> > fixed!
> 
> Are you sure it isn't a wildcard cert? Wildcard is an extension. IIRC I don't 
> see a warning on HTTPS://freenetproject.org/.

No, it's not, it just has a lot of alternate names.
> 
> I agree we need to renew it though. :(
> 
Need to chase this up. I believe me and Ian have access, I will deal soon.
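
Added example, not code from the thread or the project: a simplified RFC 6125 hostname check in Python, showing why a certificate presented "for emu.freenetproject.org" can still validate for other names through its Subject Alternative Names, and how that differs from a wildcard certificate. The SAN list is the one quoted in the thread; the Subject CN value, the wildcard entry and the wiki hostname `wiki.freenetproject.org` are assumptions made for illustration.

```python
def _labels(name):
    """Lower-cased DNS labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def san_entry_matches(entry, hostname):
    """True if one dNSName entry covers hostname.

    Simplified RFC 6125 rules: "*" is honoured only as the whole left-most
    label and stands for exactly one label.
    """
    pattern, host = _labels(entry), _labels(hostname)
    if len(pattern) != len(host):
        return False
    if pattern[0] == "*":
        # Conservative guard against over-broad wildcards such as "*.org";
        # real clients consult the public suffix list instead.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host


def names_to_check(subject_cn, san_dns):
    """If any dNSName SAN is present, the Subject CN is not consulted."""
    return list(san_dns) if san_dns else [subject_cn]


def covering_entry(entries, hostname):
    """First entry that covers hostname, or None (the browser shows an error)."""
    for entry in entries:
        if san_entry_matches(entry, hostname):
            return entry
    return None


def coverage_report(entries, hostnames):
    return {host: covering_entry(entries, host) for host in hostnames}


# SAN list as quoted in the thread.
THREAD_SANS = [
    "emu.freenetproject.org", "freenetproject.org", "osprey.freenetproject.org",
    "bugs.freenetproject.org", "downloads.freenetproject.org",
]
# Assumption: the Subject CN is the name the browser UI displayed.
ASSUMED_SUBJECT_CN = "emu.freenetproject.org"
# Hypothetical wildcard certificate, as some participants believed was in use.
ASSUMED_WILDCARD = ["*.freenetproject.org"]
# wiki.freenetproject.org is an assumed name; the thread does not give the wiki's host.
HOSTS = ["freenetproject.org", "bugs.freenetproject.org", "wiki.freenetproject.org"]

if __name__ == "__main__":
    san_cert = names_to_check(ASSUMED_SUBJECT_CN, THREAD_SANS)
    for label, entries in (("SAN cert", san_cert), ("wildcard", ASSUMED_WILDCARD)):
        for host, entry in coverage_report(entries, HOSTS).items():
            print(f"{label:9} {host:28} {entry or 'NO MATCH'}")
```

A wildcard covers one extra label only, so the hypothetical `*.freenetproject.org` would not cover the bare `freenetproject.org`, while the SAN list covers exactly the names it enumerates and nothing else.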



[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Matthew Toseland
On Saturday 10 Mar 2012 17:00:36 Daxter wrote:
> On Mar 10, 2012, at 10:54 AM, Matthew Toseland wrote:
> > On Saturday 10 Mar 2012 16:44:55 Daxter wrote:
> >> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> >>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >>>>
> >>>> I'm all for HTTPS, but do we really want to outright *remove*
> >>>> functionality from the site? Sure, HTTP isn't secure and all "modern"
> >>>> web browsers support it. However, we would be making it harder for
> >>>> people to learn about Freenet and potentially try it out.
> >>>>
> >>> 
> >>> Why? You could still access it over HTTP... and be presented with 
> >>> (transparent) redirect to the secure version.
> >> 
> >> I just scratched an itch and discovered that even Lynx supports HTTPS? If 
> >> it really is the case that HTTPS has become so ubiquitous that users 
> >> wouldn't be affected, then sure, go ahead with it.
> >> 
> >> HOWEVER: the question really needs to be restated. Are there any countries 
> >> or ISPs that are known to disallow secure communications?
> >> 
> >>>> In the end I think we should do what every major website does today:
> >>>> encrypt the important data and let the entire site be accessible
> >>>> securely, but don't force it onto people.
> >>>>
> >>>> -Daxter
> >>> 
> >>> It's very difficult to do and most websites do it wrong. You have to 
> >>> think about mixed-content errors, cookie flags, ...
> >>> 
> >>> Sending credentials in cleartext like we do on the wikis, with no secure 
> >>> alternative, is a disgrace.
> >>> 
> >>> Florent
> >> 
> >> 
> >> Can you give me an example of a website that in your mind does either the 
> >> mixed model or the secure-only model properly? It would be nice to compare 
> >> with them.
> >> 
> >> Actually, the wiki supports HTTPS right now. You'll get a certificate 
> >> error, but it works.
> > 
> > Why do you get a cert error? We have a wildcard cert!
> >> 
> >> While we're on the subject (as I've never bothered with HTTPS on the site 
> >> until now), turns out it's rather misconfigured. Both the wiki and the 
> >> main site return a certificate for emu.freenetproject.org? That address 
> >> isn't accessible--what was it, and shouldn't we get this fixed?
> > 
> > Eh? I thought we used the wildcard cert for everything?
> 
> Nope, both are using a cert for emu.freenetproject.org. Also, the certificate 
> is bound to expire on 4/27/2012 so we really should get this fixed!

Are you sure it isn't a wildcard cert? Wildcard is an extension. IIRC I don't 
see a warning on HTTPS://freenetproject.org/.

I agree we need to renew it though. :(




[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Matthew Toseland
On Saturday 10 Mar 2012 16:44:55 Daxter wrote:
> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> > On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >> 
> >> I'm all for HTTPS, but do we really want to outright *remove* 
> >> functionality from the site? Sure, HTTP isn't secure and all "modern" web 
> >> browsers support it. However, we would be making it harder for people to 
> >> learn about Freenet and potentially try it out. 
> >> 
> > 
> > Why? You could still access it over HTTP... and be presented with 
> > (transparent) redirect to the secure version.
> 
> I just scratched an itch and discovered that even Lynx supports HTTPS? If it 
> really is the case that HTTPS has become so ubiquitous that users wouldn't be 
> affected, then sure, go ahead with it.
> 
> HOWEVER: the question really needs to be restated. Are there any countries or 
> ISPs that are known to disallow secure communications?
> 
> >> In the end I think we should do what every major website does today: 
> >> encrypt the important data and let the entire site be accessible securely, 
> >> but don't force it onto people.
> >> 
> >> -Daxter
> > 
> > It's very difficult to do and most websites do it wrong. You have to think 
> > about mixed-content errors, cookie flags, ...
> > 
> > Sending credentials in cleartext like we do on the wikis, with no secure 
> > alternative, is a disgrace.
> > 
> > Florent
> 
> 
> Can you give me an example of a website that in your mind does either the 
> mixed model or the secure-only model properly? It would be nice to compare 
> with them.
> 
> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
> but it works.

Why do you get a cert error? We have a wildcard cert!
> 
> While we're on the subject (as I've never bothered with HTTPS on the site 
> until now), turns out it's rather misconfigured. Both the wiki and the main 
> site return a certificate for emu.freenetproject.org? That address isn't 
> accessible--what was it, and shouldn't we get this fixed?

Eh? I thought we used the wildcard cert for everything?



Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Steve Dougherty
As far as Perspectives, there is also http://convergence.io/ by Moxie
Marlinspike.

On 03/10/2012 01:39 PM, Daxter wrote:
> On Mar 10, 2012, at 12:19 PM, Luke R. wrote:
>> I would tend to side with the ones who said we need both. HTTPS default, 
>> HTTP still available for those in need of it. The reason is because 
>> countries and most definitely some wifi hotspots in my experience block 
>> HTTPS entirely. Also some mobile browsers do not allow HTTPS (sadly!). 
>>
>> A user may be able to use an HTTP proxy in his/her country to get access to 
>> the blocked domain via HTTP (unless the http proxy also supports HTTPS? then 
>> this may not be needed). In such cases MD5 hash checks would be very 
>> important, as well as the non-anonymity in downloading the binary in the 
>> first place could place a person at risk... but at least they would be able 
>> to download it.
>>
>> Regarding the HTTPS certificate errors, continued development of this FF 
>> extension may prove helpful: http://www.cs.cmu.edu/~perspectives/
> 
> Just thought I'd mention that cs.cmu.edu/~perspectives redirects to 
> www.networknotary.org which appears to be down. A quick web search brought me 
> to www.perspectives-project.org which appears to be the new site. The project 
> looks very interesting, but IMO it won't make much of a difference 
> until/unless it's bundled with the browser.
> 
> I agree that in lieu of HTTPS, MD5/SHA hashes would be very useful. As well, 
> any automated update tool should also download a hash and check it before 
> using the update (not sure if that happens now). 
> 
> 
> 
> ___
> Devl mailing list
> Devl@freenetproject.org
> http://freenetproject.org/cgi-bin/mailman/listinfo/devl




Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Steve Dougherty
As far as perspectives, there is also Moxie Marlinspike's
http://convergence.io/

On Sat, Mar 10, 2012 at 1:19 PM, Luke R.  wrote:

> I would tend to side with the ones who said we need both. HTTPS default,
> HTTP still available for those in need of it. The reason is because
> countries and most definitely some wifi hotspots in my experience block
> HTTPS entirely. Also some mobile browsers do not allow HTTPS (sadly!).
>
> A user may be able to use an HTTP proxy in his/her country to get access
> to the blocked domain via HTTP (unless the http proxy also supports HTTPS?
> then this may not be needed). In such cases MD5 hash checks would be very
> important, as well as the non-anonymity in downloading the binary in the
> first place could place a person at risk... but at least they would be able
> to download it.
>
> Regarding the HTTPS certificate errors, continued development of this FF
> extension may prove helpful: http://www.cs.cmu.edu/~perspectives/
>
> --- On *Sat, 3/10/12, Ximin Luo * wrote:
>
>
> From: Ximin Luo 
> Subject: Re: [freenet-dev] Should we switch the websites to httpS only?
> To: devl@freenetproject.org
> Date: Saturday, March 10, 2012, 1:00 PM
>
>
> Someone mentioned that Syria blocks HTTPS, and there are reports of Iran
> blocking HTTPS as well. I don't know if these reports are true however; it
> seems a little suicidal since it also means various services such as online
> banking aren't secure.
>
> I'm of the mind that if HTTPS doesn't work then we shouldn't serve anything.
> Certain services do force HTTPS, and online stores / banks would be laughed at
> if they started offering "non-secure" transactions.
>
> "Certificate error" is the same as not working, yes. People who say "just click
> through the warning" deserve to get their bank details stolen. Do it in private
> if you want to take a risk, but don't advise others to do the same thing!
>
> X
>
> On 10/03/12 17:47, Florent Daigniere wrote:
> > On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
> >> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> >>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >>>>
> >>>> I'm all for HTTPS, but do we really want to outright *remove*
> >>>> functionality from the site? Sure, HTTP isn't secure and all "modern" web
> >>>> browsers support it. However, we would be making it harder for people to
> >>>> learn about Freenet and potentially try it out.
> >>>>
> >>>
> >>> Why? You could still access it over HTTP... and be presented with
> >>> (transparent) redirect to the secure version.
> >>
> >> I just scratched an itch and discovered that even Lynx supports HTTPS…
> >> If it really is the case that HTTPS has become so ubiquitous that users
> >> wouldn't be affected, then sure, go ahead with it.
> >>
> >> HOWEVER: the question really needs to be restated. Are there any
> >> countries or ISPs that are known to disallow secure communications?
> >>
> >
> > I can name plenty of countries filtering HTTP (starting by the UK, where
> > I live); I'm not sure I can name a single one filtering HTTPS.
> > Fundamentally, we can't prevent filtering... but we can prevent
> > tampering of what we publish using cryptography.
> >
> >
> >>>> In the end I think we should do what every major website does today:
> >>>> encrypt the important data and let the entire site be accessible securely,
> >>>> but don't force it onto people.
> >>>>
> >>>> -Daxter
> >>>
> >>> It's very difficult to do and most websites do it wrong. You have to
> >>> think about mixed-content errors, cookie flags, ...
> >>>
> >>> Sending credentials in cleartext like we do on the wikis, with no
> >>> secure alternative, is a disgrace.
> >>>
> >>> Florent
> >>
> >>
> >> Can you give me an example of a website that in your mind does either
> >> the mixed model or the secure-only model properly? It would be nice to
> >> compare with them.
> >>
> >
> > https://www.torproject.org/ does it properly (HTTPS everywhere)
> > https://bugs.freenetproject.org/ does it properly
> > https://www.trustmatta.com/ does it properly
> >
> >
> > https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do
> > it properly (mixed content on the https version)
> > http://www.laposte.net/ (major webmail provider in France) doesn't do
> > it properly (form hosted over http)
> > My bank's website doesn't do i

[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Daxter
On Mar 10, 2012, at 10:54 AM, Matthew Toseland wrote:
> On Saturday 10 Mar 2012 16:44:55 Daxter wrote:
>> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
>>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
 
>>>> I'm all for HTTPS, but do we really want to outright *remove* 
>>>> functionality from the site? Sure, HTTP isn't secure and all "modern" web 
>>>> browsers support it. However, we would be making it harder for people to 
>>>> learn about Freenet and potentially try it out. 
>>>> 
>>> 
>>> Why? You could still access it over HTTP... and be presented with 
>>> (transparent) redirect to the secure version.
>> 
>> I just scratched an itch and discovered that even Lynx supports HTTPS… If it 
>> really is the case that HTTPS has become so ubiquitous that users wouldn't 
>> be affected, then sure, go ahead with it.
>> 
>> HOWEVER: the question really needs to be restated. Are there any countries 
>> or ISPs that are known to disallow secure communications?
>> 
>>>> In the end I think we should do what every major website does today: 
>>>> encrypt the important data and let the entire site be accessible securely, 
>>>> but don't force it onto people.
>>>> 
>>>> -Daxter
>>> 
>>> It's very difficult to do and most websites do it wrong. You have to think 
>>> about mixed-content errors, cookie flags, ...
>>> 
>>> Sending credentials in cleartext like we do on the wikis, with no secure 
>>> alternative, is a disgrace.
>>> 
>>> Florent
>> 
>> 
>> Can you give me an example of a website that in your mind does either the 
>> mixed model or the secure-only model properly? It would be nice to compare 
>> with them.
>> 
>> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
>> but it works.
> 
> Why do you get a cert error? We have a wildcard cert!
>> 
>> While we're on the subject (as I've never bothered with HTTPS on the site 
>> until now), turns out it's rather misconfigured. Both the wiki and the main 
>> site return a certificate for emu.freenetproject.org… That address isn't 
>> accessible--what was it, and shouldn't we get this fixed?
> 
> Eh? I thought we used the wildcard cert for everything?

Nope, both are using a cert for emu.freenetproject.org. Also, the certificate 
is bound to expire on 4/27/2012 so we really should get this fixed!
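
The disagreement above (wildcard certificate versus a certificate "for emu.freenetproject.org") comes down to which names the certificate's Subject Alternative Name list covers. The following is an added example, not code from the thread or from the Freenet project: it applies strict RFC 6125-style matching to the five names Florent lists elsewhere in this thread and to two assumed wildcard alternatives; the hostnames `unlisted.freenetproject.org` and `deep.sub.freenetproject.org` are constructed for illustration.

```python
"""Which hostnames does a certificate's SAN list cover?

Matching follows RFC 6125 section 6.4.3 in its strictest form: a '*' is
honoured only as the entire leftmost label and stands for exactly one label.
"""

# The five names Florent lists for the deployed certificate.
SAN_LIST_FROM_THREAD = [
    "emu.freenetproject.org",
    "freenetproject.org",
    "osprey.freenetproject.org",
    "bugs.freenetproject.org",
    "downloads.freenetproject.org",
]

# Assumed contents of a wildcard certificate, for comparison only.
CANDIDATES = {
    "deployed SAN list": SAN_LIST_FROM_THREAD,
    "wildcard only": ["*.freenetproject.org"],
    "wildcard + apex": ["*.freenetproject.org", "freenetproject.org"],
}

# Hostnames to test; the last two are constructed for this example.
HOSTS = [
    "freenetproject.org",
    "bugs.freenetproject.org",
    "unlisted.freenetproject.org",
    "deep.sub.freenetproject.org",
]


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """Return True if a single dNSName entry covers hostname."""
    host, pattern = _labels(hostname), _labels(san)
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(host) != len(pattern) or "" in host:
        return False
    if pattern[0] == "*":
        # Policy of this example: refuse wildcards directly under a TLD.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    # No wildcard (or a partial one such as 'f*', which is not honoured).
    return host == pattern


def covered_by(hostname, sans):
    """List the SAN entries that cover hostname (empty list: cert error)."""
    return [san for san in sans if san_matches(hostname, san)]


def coverage_table(hosts, candidates):
    """Map each candidate certificate to the hosts it fails to cover."""
    return {
        cert_name: [h for h in hosts if not covered_by(h, sans)]
        for cert_name, sans in candidates.items()
    }


if __name__ == "__main__":
    for cert_name, uncovered in coverage_table(HOSTS, CANDIDATES).items():
        print(f"{cert_name}: not covered -> {uncovered or 'none'}")
```

A host outside the explicit list gets a name-mismatch error even though the certificate is otherwise valid, and a bare `*.freenetproject.org` entry does not cover `freenetproject.org` itself.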




[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Daxter
On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
>> 
>> I'm all for HTTPS, but do we really want to outright *remove* functionality 
>> from the site? Sure, HTTP isn't secure and all "modern" web browsers support 
>> it. However, we would be making it harder for people to learn about Freenet 
>> and potentially try it out. 
>> 
> 
> Why? You could still access it over HTTP... and be presented with 
> (transparent) redirect to the secure version.

I just scratched an itch and discovered that even Lynx supports HTTPS… If it 
really is the case that HTTPS has become so ubiquitous that users wouldn't be 
affected, then sure, go ahead with it.

HOWEVER: the question really needs to be restated. Are there any countries or 
ISPs that are known to disallow secure communications?

>> In the end I think we should do what every major website does today: encrypt 
>> the important data and let the entire site be accessible securely, but don't 
>> force it onto people.
>> 
>> -Daxter
> 
> It's very difficult to do and most websites do it wrong. You have to think 
> about mixed-content errors, cookie flags, ...
> 
> Sending credentials in cleartext like we do on the wikis, with no secure 
> alternative, is a disgrace.
> 
> Florent


Can you give me an example of a website that in your mind does either the mixed 
model or the secure-only model properly? It would be nice to compare with them.

Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
but it works.

While we're on the subject (as I've never bothered with HTTPS on the site until 
now), turns out it's rather misconfigured. Both the wiki and the main site 
return a certificate for emu.freenetproject.org… That address isn't 
accessible--what was it, and shouldn't we get this fixed?

-Daxter


Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Daxter
On Mar 10, 2012, at 12:19 PM, Luke R. wrote:
> I would tend to side with the ones who said we need both. HTTPS default, HTTP 
> still available for those in need of it. The reason is because countries and 
> most definitely some wifi hotspots in my experience block HTTPS entirely. 
> Also some mobile browsers do not allow HTTPS (sadly!). 
> 
> A user may be able to use an HTTP proxy in his/her country to get access to 
> the blocked domain via HTTP (unless the http proxy also supports HTTPS? then 
> this may not be needed). In such cases MD5 hash checks would be very 
> important, as well as the non-anonymity in downloading the binary in the 
> first place could place a person at risk... but at least they would be able 
> to download it.
> 
> Regarding the HTTPS certificate errors, continued development of this FF 
> extension may prove helpful: http://www.cs.cmu.edu/~perspectives/

Just thought I'd mention that cs.cmu.edu/~perspectives redirects to 
www.networknotary.org which appears to be down. A quick web search brought me 
to www.perspectives-project.org which appears to be the new site. The project 
looks very interesting, but IMO it won't make much of a difference until/unless 
it's bundled with the browser.

I agree that in lieu of HTTPS, MD5/SHA hashes would be very useful. As well, 
any automated update tool should also download a hash and check it before using 
the update (not sure if that happens now). 

Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Luke R.
I would tend to side with the ones who said we need both. HTTPS default, HTTP 
still available for those in need of it. The reason is because countries and 
most definitely some wifi hotspots in my experience block HTTPS entirely. Also 
some mobile browsers do not allow HTTPS (sadly!). 

A user may be able to use an HTTP proxy in his/her country to get access to the 
blocked domain via HTTP (unless the http proxy also supports HTTPS? then this 
may not be needed). In such cases MD5 hash checks would be very important, as 
well as the non-anonymity in downloading the binary in the first place could 
place a person at risk... but at least they would be able to download it.

Regarding the HTTPS certificate errors, continued development of this FF 
extension may prove helpful: http://www.cs.cmu.edu/~perspectives/

--- On Sat, 3/10/12, Ximin Luo  wrote:

From: Ximin Luo 
Subject: Re: [freenet-dev] Should we switch the websites to httpS only?
To: devl@freenetproject.org
Date: Saturday, March 10, 2012, 1:00 PM

Someone mentioned that Syria blocks HTTPS, and there are reports of Iran
blocking HTTPS as well. I don't know if these reports are true however; it
seems a little suicidal since it also means various services such as online
banking aren't secure.

I'm of the mind that if HTTPS doesn't work then we shouldn't serve anything.
Certain services do force HTTPS, and online stores / banks would be laughed at
if they started offering "non-secure" transactions.

"Certificate error" is the same as not working, yes. People who say "just click
through the warning" deserve to get their bank details stolen. Do it in private
if you want to take a risk, but don't advise others to do the same thing!

X

On 10/03/12 17:47, Florent Daigniere wrote:
> On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
>> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
>>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
>>>>
>>>> I'm all for HTTPS, but do we really want to outright *remove* 
>>>> functionality from the site? Sure, HTTP isn't secure and all "modern" web 
>>>> browsers support it. However, we would be making it harder for people to 
>>>> learn about Freenet and potentially try it out. 
>>>>
>>>
>>> Why? You could still access it over HTTP... and be presented with 
>>> (transparent) redirect to the secure version.
>>
>> I just scratched an itch and discovered that even Lynx supports HTTPS… If it 
>> really is the case that HTTPS has become so ubiquitous that users wouldn't 
>> be affected, then sure, go ahead with it.
>>
>> HOWEVER: the question really needs to be restated. Are there any countries 
>> or ISPs that are known to disallow secure communications?
>>
> 
> I can name plenty of countries filtering HTTP (starting by the UK, where I 
> live); I'm not sure I can name a single one filtering HTTPS.
> Fundamentally, we can't prevent filtering... but we can prevent tampering of 
> what we publish using cryptography.
> 
> 
>>>> In the end I think we should do what every major website does today: 
>>>> encrypt the important data and let the entire site be accessible securely, 
>>>> but don't force it onto people.
>>>>
>>>> -Daxter
>>>
>>> It's very difficult to do and most websites do it wrong. You have to think 
>>> about mixed-content errors, cookie flags, ...
>>>
>>> Sending credentials in cleartext like we do on the wikis, with no secure 
>>> alternative, is a disgrace.
>>>
>>> Florent
>>
>>
>> Can you give me an example of a website that in your mind does either the 
>> mixed model or the secure-only model properly? It would be nice to compare 
>> with them.
>>
> 
> https://www.torproject.org/ does it properly (HTTPS everywhere)
> https://bugs.freenetproject.org/ does it properly
> https://www.trustmatta.com/ does it properly
> 
> 
> https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do it 
> properly (mixed content on the https version)
> http://www.laposte.net/ (major webmail provider in France) doesn't do it 
> properly (form hosted over http)
> My bank's website doesn't do it properly (they don't set the 'secure' flag on 
> their session cookie)
> ...
> 
> I'm not short of examples; these are the open tabs in my browser right now.
> 
>> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
>> but it works.
>>
> 
> Hmmff? If you get a certifica

Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Ximin Luo
Someone mentioned that Syria blocks HTTPS, and there are reports of Iran
blocking HTTPS as well. I don't know if these reports are true however; it
seems a little suicidal since it also means various services such as online
banking aren't secure.

I'm of the mind that if HTTPS doesn't work then we shouldn't serve anything.
Certain services do force HTTPS, and online stores / banks would be laughed at
if they started offering "non-secure" transactions.

"Certificate error" is the same as not working, yes. People who say "just click
through the warning" deserve to get their bank details stolen. Do it in private
if you want to take a risk, but don't advise others to do the same thing!

X

On 10/03/12 17:47, Florent Daigniere wrote:
> On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
>> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
>>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:

>>>> I'm all for HTTPS, but do we really want to outright *remove* 
>>>> functionality from the site? Sure, HTTP isn't secure and all "modern" web 
>>>> browsers support it. However, we would be making it harder for people to 
>>>> learn about Freenet and potentially try it out. 

>>>
>>> Why? You could still access it over HTTP... and be presented with 
>>> (transparent) redirect to the secure version.
>>
>> I just scratched an itch and discovered that even Lynx supports HTTPS… If it 
>> really is the case that HTTPS has become so ubiquitous that users wouldn't 
>> be affected, then sure, go ahead with it.
>>
>> HOWEVER: the question really needs to be restated. Are there any countries 
>> or ISPs that are known to disallow secure communications?
>>
> 
> I can name plenty of countries filtering HTTP (starting by the UK, where I 
> live); I'm not sure I can name a single one filtering HTTPS.
> Fundamentally, we can't prevent filtering... but we can prevent tampering of 
> what we publish using cryptography.
> 
> 
>>>> In the end I think we should do what every major website does today: 
>>>> encrypt the important data and let the entire site be accessible securely, 
>>>> but don't force it onto people.
>>>>
>>>> -Daxter
>>>
>>> It's very difficult to do and most websites do it wrong. You have to think 
>>> about mixed-content errors, cookie flags, ...
>>>
>>> Sending credentials in cleartext like we do on the wikis, with no secure 
>>> alternative, is a disgrace.
>>>
>>> Florent
>>
>>
>> Can you give me an example of a website that in your mind does either the 
>> mixed model or the secure-only model properly? It would be nice to compare 
>> with them.
>>
> 
> https://www.torproject.org/ does it properly (HTTPS everywhere)
> https://bugs.freenetproject.org/ does it properly
> https://www.trustmatta.com/ does it properly
> 
> 
> https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do it 
> properly (mixed content on the https version)
> http://www.laposte.net/ (major webmail provider in France) doesn't do it 
> properly (form hosted over http)
> My bank's website doesn't do it properly (they don't set the 'secure' flag on 
> their session cookie)
> ...
> 
> I'm not short of examples; these are the open tabs in my browser right now.
> 
>> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
>> but it works.
>>
> 
> Hmmff? If you get a certificate error it doesn't work.
> 
>> While we're on the subject (as I've never bothered with HTTPS on the site 
>> until now), turns out it's rather misconfigured. Both the wiki and the main 
>> site return a certificate for emu.freenetproject.org… That address isn't 
>> accessible--what was it, and shouldn't we get this fixed?
>>
> 
> This certificate has X509v3 Subject Alternative Names. It should be valid for 
> the following fqdns:
> emu.freenetproject.org, freenetproject.org, osprey.freenetproject.org, 
> bugs.freenetproject.org, downloads.freenetproject.org
> 
> Florent
> ___
> Devl mailing list
> Devl@freenetproject.org
> http://freenetproject.org/cgi-bin/mailman/listinfo/devl


-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0
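
The three "doesn't do it properly" cases in Florent's quoted list above (mixed content on the https version, a form hosted over http, a session cookie without the 'secure' flag) can be checked mechanically from a response's headers and HTML. This is an added example, not code from the thread or from the Freenet project; every URL, cookie value and HTML snippet in it is a constructed sample.

```python
"""Flag mixed content, cleartext forms and cookies lacking Secure."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose 'src' makes the browser fetch a subresource.
_SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}


class _PageScanner(HTMLParser):
    """Collect (kind, detail) findings while parsing one HTML document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.secure_page = urlsplit(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            kind, target = "cleartext-form", attrs.get("action") or ""
        elif tag in _SRC_TAGS:
            kind, target = "mixed-content", attrs.get("src")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            kind, target = "mixed-content", attrs.get("href")
        else:
            return
        if target is None:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, target)
        if urlsplit(absolute).scheme != "http":
            return
        # Mixed content only exists on a page that was itself served securely.
        if kind == "mixed-content" and not self.secure_page:
            return
        self.findings.append((kind, f"<{tag}> -> {absolute}"))


def cookie_findings(set_cookie_headers):
    """Return a finding for every Set-Cookie value without the Secure flag."""
    findings = []
    for header in set_cookie_headers:
        name_value, *attributes = [part.strip() for part in header.split(";")]
        flags = {attr.split("=", 1)[0].lower() for attr in attributes}
        if "secure" not in flags:
            findings.append(("cookie-no-secure", name_value.split("=", 1)[0]))
    return findings


def audit_response(page_url, set_cookie_headers, html):
    """Audit one fetched page; an empty list means none of the three issues."""
    scanner = _PageScanner(page_url)
    scanner.feed(html)
    findings = list(scanner.findings)
    if scanner.secure_page:
        findings += cookie_findings(set_cookie_headers)
    return findings


# Constructed sample responses: (URL, Set-Cookie header values, HTML body).
GOOD = (
    "https://site.example/login",
    ["session=abc123; Path=/; Secure; HttpOnly"],
    '<script src="/static/app.js"></script>'
    '<form action="/login" method="post"><input type="password"></form>',
)
BAD_HTTPS = (
    "https://site.example/account",
    ["session=abc123; Path=/; HttpOnly"],
    '<img src="http://static.site.example/logo.png">'
    '<script src="//cdn.example/lib.js"></script>'
    '<form action="http://site.example/login" method="post"></form>',
)
FORM_OVER_HTTP = (
    "http://mail.example/",
    [],
    '<form action="/auth" method="post"><input type="password"></form>',
)

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("bad https", BAD_HTTPS),
                         ("form over http", FORM_OVER_HTTP)]:
        print(name, audit_response(*sample))
```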



___
Devl mailing list
Devl@freenetproject.org
http://freenetproject.org/cgi-bin/mailman/listinfo/devl

Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Florent Daigniere
On Sat, Mar 10, 2012 at 10:44:55AM -0600, Daxter wrote:
> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> > On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >> 
> >> I'm all for HTTPS, but do we really want to outright *remove* 
> >> functionality from the site? Sure, HTTP isn't secure and all "modern" web 
> >> browsers support it. However, we would be making it harder for people to 
> >> learn about Freenet and potentially try it out. 
> >> 
> > 
> > Why? You could still access it over HTTP... and be presented with 
> > (transparent) redirect to the secure version.
> 
> I just scratched an itch and discovered that even Lynx supports HTTPS… If it 
> really is the case that HTTPS has become so ubiquitous that users wouldn't be 
> affected, then sure, go ahead with it.
> 
> HOWEVER: the question really needs to be restated. Are there any countries or 
> ISPs that are known to disallow secure communications?
> 

I can name plenty of countries filtering HTTP (starting by the UK, where I 
live); I'm not sure I can name a single one filtering HTTPS.
Fundamentally, we can't prevent filtering... but we can prevent tampering of 
what we publish using cryptography.


> >> In the end I think we should do what every major website does today: 
> >> encrypt the important data and let the entire site be accessible securely, 
> >> but don't force it onto people.
> >> 
> >> -Daxter
> > 
> > It's very difficult to do and most websites do it wrong. You have to think 
> > about mixed-content errors, cookie flags, ...
> > 
> > Sending credentials in cleartext like we do on the wikis, with no secure 
> > alternative, is a disgrace.
> > 
> > Florent
> 
> 
> Can you give me an example of a website that in your mind does either the 
> mixed model or the secure-only model properly? It would be nice to compare 
> with them.
> 

https://www.torproject.org/ does it properly (HTTPS everywhere)
https://bugs.freenetproject.org/ does it properly
https://www.trustmatta.com/ does it properly


https://umbraco.codeplex.com/SourceControl/list/changesets doesn't do it 
properly (mixed content on the https version)
http://www.laposte.net/ (major webmail provider in France) doesn't do it 
properly (form hosted over http)
My bank's website doesn't do it properly (they don't set the 'secure' flag on 
their session cookie)
...

I'm not short of examples; these are the open tabs in my browser right now.

> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
> but it works.
> 

Hmmff? If you get a certificate error it doesn't work.

> While we're on the subject (as I've never bothered with HTTPS on the site 
> until now), turns out it's rather misconfigured. Both the wiki and the main 
> site return a certificate for emu.freenetproject.org… That address isn't 
> accessible--what was it, and shouldn't we get this fixed?
> 

This certificate has X509v3 Subject Alternative Names. It should be valid for 
the following FQDNs:
emu.freenetproject.org, freenetproject.org, osprey.freenetproject.org, 
bugs.freenetproject.org, downloads.freenetproject.org

Florent
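
The failure modes listed in the message above (mixed content on an HTTPS page, a form served or submitted over HTTP, a session cookie without the Secure flag), together with the 301 redirect proposed at the start of the thread, can be checked mechanically on captured responses. The sketch below is an added example, not part of the original post or of any Freenet project code; the `example.org` hosts, the sample responses and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src",
                    "embed": "src", "audio": "src", "video": "src",
                    "source": "src", "link": "href"}


class PageScanner(HTMLParser):
    """Collects insecure subresources and form targets of one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL, so a
            # form on an http:// page is reported even without an action.
            target = urljoin(self.page_url, attrs.get("action") or "")
            if urlsplit(target).scheme == "http":
                self.findings.append(("form-over-http", target))
            return
        attr = SUBRESOURCE_ATTR.get(tag)
        if attr is None or not attrs.get(attr):
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # of the <link> kinds, only stylesheets are checked here
        target = urljoin(self.page_url, attrs[attr])
        if (urlsplit(self.page_url).scheme == "https"
                and urlsplit(target).scheme == "http"):
            self.findings.append(("mixed-content", target))


def audit_exchange(url, status, headers, body=""):
    """Return (finding, detail) pairs for one request URL and its response.

    `headers` is a list of (name, value) pairs so repeated Set-Cookie
    headers are preserved.
    """
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    if urlsplit(url).scheme == "http":
        location = next((v for k, v in hdrs if k == "location"), "")
        to_https = urlsplit(urljoin(url, location)).scheme == "https"
        if not (300 <= status < 400 and to_https):
            findings.append(("no-https-redirect", url))
        elif status not in (301, 308):
            findings.append(("redirect-not-permanent", str(status)))
    for k, v in hdrs:
        if k == "set-cookie":
            name = v.split("=", 1)[0].strip()
            flags = {p.strip().split("=", 1)[0].lower()
                     for p in v.split(";")[1:]}
            if "secure" not in flags:
                findings.append(("cookie-without-secure", name))
    ctype = next((v for k, v in hdrs if k == "content-type"), "")
    if body and ctype.startswith("text/html"):
        scanner = PageScanner(url)
        scanner.feed(body)
        findings.extend(scanner.findings)
    return findings


# Constructed sample exchanges: (url, status, headers, body).
SAMPLES = {
    "redirect": ("http://www.example.org/", 301,
                 [("Location", "https://www.example.org/")], ""),
    "mixed": ("https://www.example.org/", 200,
              [("Content-Type", "text/html; charset=utf-8"),
               ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
               ("Set-Cookie", "lang=en; Path=/; Secure")],
              '<script src="/js/app.js"></script>'
              '<img src="http://static.example.org/logo.png">'
              '<a href="http://other.example.org/">link</a>'),
    "login": ("http://webmail.example.org/login", 200,
              [("Content-Type", "text/html")],
              '<form action="/auth" method="post">'
              '<input type="password" name="p"></form>'),
}


def run_samples():
    return {name: audit_exchange(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "ok")
```

Plain `<a href>` links to HTTP pages are deliberately not reported: they are navigations, not content loaded into the secure page.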

[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Florent Daigniere
On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> On Mar 9, 2012, at 15:37, Evan Daniel  wrote:
> 
> > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> >  
> >> 
> >> I was wondering, do we have any good reason not to switch the various 
> >> websites to HTTPS only? (with a 301 redirect on HTTP)
> > 
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> > 
> > Evan Daniel
> 
> I'm all for HTTPS, but do we really want to outright *remove* functionality 
> from the site? Sure, HTTP isn't secure and all "modern" web browsers support 
> it. However, we would be making it harder for people to learn about Freenet 
> and potentially try it out. 
> 

Why? You could still access it over HTTP... and be presented with (transparent) 
redirect to the secure version.

> In the end I think we should do what every major website does today: encrypt 
> the important data and let the entire site be accessible securely, but don't 
> force it onto people.
> 
> -Daxter

It's very difficult to do and most websites do it wrong. You have to think 
about mixed-content errors, cookie flags, ...

Sending credentials in cleartext like we do on the wikis, with no secure 
alternative, is a disgrace.

Florent



Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Matthew Toseland
On Saturday 10 Mar 2012 17:15:04 Matthew Toseland wrote:
> On Saturday 10 Mar 2012 17:00:36 Daxter wrote:
> > On Mar 10, 2012, at 10:54 AM, Matthew Toseland wrote:
> > > On Saturday 10 Mar 2012 16:44:55 Daxter wrote:
> > >> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> > >>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> > >>>>
> > >>>> I'm all for HTTPS, but do we really want to outright *remove*
> > >>>> functionality from the site? Sure, HTTP isn't secure and all "modern"
> > >>>> web browsers support it. However, we would be making it harder for
> > >>>> people to learn about Freenet and potentially try it out.
> > >>>>
> > >>> 
> > >>> Why? You could still access it over HTTP... and be presented with 
> > >>> (transparent) redirect to the secure version.
> > >> 
> > >> I just scratched an itch and discovered that even Lynx supports HTTPS… 
> > >> If it really is the case that HTTPS has become so ubiquitous that users 
> > >> wouldn't be affected, then sure, go ahead with it.
> > >> 
> > >> HOWEVER: the question really needs to be restated. Are there any 
> > >> countries or ISPs that are known to disallow secure communications?
> > >> 
> > >>>> In the end I think we should do what every major website does today:
> > >>>> encrypt the important data and let the entire site be accessible
> > >>>> securely, but don't force it onto people.
> > >>>>
> > >>>> -Daxter
> > >>> 
> > >>> It's very difficult to do and most websites do it wrong. You have to 
> > >>> think about mixed-content errors, cookie flags, ...
> > >>> 
> > >>> Sending credentials in cleartext like we do on the wikis, with no 
> > >>> secure alternative, is a disgrace.
> > >>> 
> > >>> Florent
> > >> 
> > >> 
> > >> Can you give me an example of a website that in your mind does either 
> > >> the mixed model or the secure-only model properly? It would be nice to 
> > >> compare with them.
> > >> 
> > >> Actually, the wiki supports HTTPS right now. You'll get a certificate 
> > >> error, but it works.
> > > 
> > > Why do you get a cert error? We have a wildcard cert!
> > >> 
> > >> While we're on the subject (as I've never bothered with HTTPS on the 
> > >> site until now), turns out it's rather misconfigured. Both the wiki and 
> > >> the main site return a certificate for emu.freenetproject.org… That 
> > >> address isn't accessible--what was it, and shouldn't we get this fixed?
> > > 
> > > Eh? I thought we used the wildcard cert for everything?
> > 
> > Nope, both are using a cert for emu.freenetproject.org. Also, the 
> > certificate is bound to expire on 4/27/2012 so we really should get this 
> > fixed!
> 
> Are you sure it isn't a wildcard cert? Wildcard is an extension. IIRC I don't 
> see a warning on HTTPS://freenetproject.org/.

No, it's not, it just has a lot of alternate names.
> 
> I agree we need to renew it though. :(
> 
Need to chase this up. I believe me and Ian have access, I will deal soon.
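
The disagreement above (a wildcard certificate versus one carrying a list of alternative names) comes down to how a client matches the requested hostname against the certificate's subjectAltName entries. The check below is an added example, not code from the thread or from the Freenet project; it takes a dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, built here from the five names Florent lists in this thread and the 4/27/2012 expiry Daxter reports (read as 27 April; the time of day is made up). `wiki.freenetproject.org` is an assumed hostname for the wiki and the wildcard certificate is hypothetical.

```python
import calendar
import ssl


def dns_name_matches(pattern, host):
    """Match one subjectAltName DNS entry against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.example.org' covers 'a.example.org' but neither
    'example.org' nor 'a.b.example.org'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def check_cert(cert, host, now, warn_days=60):
    """Return a list of (problem, detail) for `host` at Unix time `now`."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(n, host) for n in names):
        problems.append(("name-mismatch", host))
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400
    if days_left < 0:
        problems.append(("expired", -days_left))
    elif days_left < warn_days:
        problems.append(("expires-soon", days_left))
    return problems


# Certificate as described in the thread: five alternative names, no wildcard.
SAN_CERT = {
    "subjectAltName": tuple(("DNS", n) for n in (
        "emu.freenetproject.org", "freenetproject.org",
        "osprey.freenetproject.org", "bugs.freenetproject.org",
        "downloads.freenetproject.org")),
    "notAfter": "Apr 27 23:59:59 2012 GMT",  # date from the thread, time constructed
}

# Hypothetical wildcard certificate, for comparison only.
WILDCARD_CERT = {
    "subjectAltName": (("DNS", "*.freenetproject.org"),),
    "notAfter": "Apr 27 23:59:59 2012 GMT",
}

# The day the messages above were written.
NOW = calendar.timegm((2012, 3, 10, 0, 0, 0))

if __name__ == "__main__":
    for label, cert in (("SAN list", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        for host in ("freenetproject.org", "bugs.freenetproject.org",
                     "wiki.freenetproject.org"):
            print(label, host, check_cert(cert, host, NOW) or "ok")
```

With the listed names the main site validates and a host outside the list does not, while a single wildcard entry would cover the wiki but not the bare `freenetproject.org`.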



[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Florent Daigniere
On Fri, Mar 09, 2012 at 11:11:48PM +, Matthew Toseland wrote:
> On Friday 09 Mar 2012 21:37:12 Evan Daniel wrote:
> > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> >  wrote:
> > > Hi,
> > >
> > > I've been doing some sysadmin tonight:
> > >- re-enabled ipv6 on all services
> > >- updated the DNS records (SPF, ...)
> > >- deployed a valid certificate on postfix
> > >
> > > Let me know if I broke something.
> > >
> > > I was wondering, do we have any good reason not to switch the various 
> > > websites to HTTPS only? (with a 301 redirect on HTTP)
> > 
> > Awesome, thanks!
> > 
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> 
> When we get slashdotted, our server load can be rather high. And this is a 
> fairly low end VM we're running it off.
> > 

I don't think that CPU will ever be a problem for the kind of traffic we handle.

There's plenty of (other) optimizations to be made...

Florent



Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Matthew Toseland
On Saturday 10 Mar 2012 17:00:36 Daxter wrote:
> On Mar 10, 2012, at 10:54 AM, Matthew Toseland wrote:
> > On Saturday 10 Mar 2012 16:44:55 Daxter wrote:
> >> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> >>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >>>>
> >>>> I'm all for HTTPS, but do we really want to outright *remove*
> >>>> functionality from the site? Sure, HTTP isn't secure and all "modern"
> >>>> web browsers support it. However, we would be making it harder for
> >>>> people to learn about Freenet and potentially try it out.
> >>>>
> >>> 
> >>> Why? You could still access it over HTTP... and be presented with 
> >>> (transparent) redirect to the secure version.
> >> 
> >> I just scratched an itch and discovered that even Lynx supports HTTPS… If 
> >> it really is the case that HTTPS has become so ubiquitous that users 
> >> wouldn't be affected, then sure, go ahead with it.
> >> 
> >> HOWEVER: the question really needs to be restated. Are there any countries 
> >> or ISPs that are known to disallow secure communications?
> >> 
> >>>> In the end I think we should do what every major website does today:
> >>>> encrypt the important data and let the entire site be accessible
> >>>> securely, but don't force it onto people.
> >>>>
> >>>> -Daxter
> >>> 
> >>> It's very difficult to do and most websites do it wrong. You have to 
> >>> think about mixed-content errors, cookie flags, ...
> >>> 
> >>> Sending credentials in cleartext like we do on the wikis, with no secure 
> >>> alternative, is a disgrace.
> >>> 
> >>> Florent
> >> 
> >> 
> >> Can you give me an example of a website that in your mind does either the 
> >> mixed model or the secure-only model properly? It would be nice to compare 
> >> with them.
> >> 
> >> Actually, the wiki supports HTTPS right now. You'll get a certificate 
> >> error, but it works.
> > 
> > Why do you get a cert error? We have a wildcard cert!
> >> 
> >> While we're on the subject (as I've never bothered with HTTPS on the site 
> >> until now), turns out it's rather misconfigured. Both the wiki and the 
> >> main site return a certificate for emu.freenetproject.org… That address 
> >> isn't accessible--what was it, and shouldn't we get this fixed?
> > 
> > Eh? I thought we used the wildcard cert for everything?
> 
> Nope, both are using a cert for emu.freenetproject.org. Also, the certificate 
> is bound to expire on 4/27/2012 so we really should get this fixed!

Are you sure it isn't a wildcard cert? Wildcard is an extension. IIRC I don't 
see a warning on HTTPS://freenetproject.org/.

I agree we need to renew it though. :(



Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Daxter
On Mar 10, 2012, at 10:54 AM, Matthew Toseland wrote:
> On Saturday 10 Mar 2012 16:44:55 Daxter wrote:
>> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
>>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
 
>>>> I'm all for HTTPS, but do we really want to outright *remove*
>>>> functionality from the site? Sure, HTTP isn't secure and all "modern" web
>>>> browsers support it. However, we would be making it harder for people to
>>>> learn about Freenet and potentially try it out.
>>>>
>>> 
>>> Why? You could still access it over HTTP... and be presented with 
>>> (transparent) redirect to the secure version.
>> 
>> I just scratched an itch and discovered that even Lynx supports HTTPS… If it 
>> really is the case that HTTPS has become so ubiquitous that users wouldn't 
>> be affected, then sure, go ahead with it.
>> 
>> HOWEVER: the question really needs to be restated. Are there any countries 
>> or ISPs that are known to disallow secure communications?
>> 
>>>> In the end I think we should do what every major website does today:
>>>> encrypt the important data and let the entire site be accessible securely,
>>>> but don't force it onto people.
>>>>
>>>> -Daxter
>>> 
>>> It's very difficult to do and most websites do it wrong. You have to think 
>>> about mixed-content errors, cookie flags, ...
>>> 
>>> Sending credentials in cleartext like we do on the wikis, with no secure 
>>> alternative, is a disgrace.
>>> 
>>> Florent
>> 
>> 
>> Can you give me an example of a website that in your mind does either the 
>> mixed model or the secure-only model properly? It would be nice to compare 
>> with them.
>> 
>> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
>> but it works.
> 
> Why do you get a cert error? We have a wildcard cert!
>> 
>> While we're on the subject (as I've never bothered with HTTPS on the site 
>> until now), turns out it's rather misconfigured. Both the wiki and the main 
>> site return a certificate for emu.freenetproject.org… That address isn't 
>> accessible--what was it, and shouldn't we get this fixed?
> 
> Eh? I thought we used the wildcard cert for everything?

Nope, both are using a cert for emu.freenetproject.org. Also, the certificate 
is bound to expire on 4/27/2012 so we really should get this fixed!



Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Matthew Toseland
On Saturday 10 Mar 2012 16:44:55 Daxter wrote:
> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> > On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> >> 
> >> I'm all for HTTPS, but do we really want to outright *remove* 
> >> functionality from the site? Sure, HTTP isn't secure and all "modern" web 
> >> browsers support it. However, we would be making it harder for people to 
> >> learn about Freenet and potentially try it out. 
> >> 
> > 
> > Why? You could still access it over HTTP... and be presented with 
> > (transparent) redirect to the secure version.
> 
> I just scratched an itch and discovered that even Lynx supports HTTPS… If it 
> really is the case that HTTPS has become so ubiquitous that users wouldn't be 
> affected, then sure, go ahead with it.
> 
> HOWEVER: the question really needs to be restated. Are there any countries or 
> ISPs that are known to disallow secure communications?
> 
> >> In the end I think we should do what every major website does today: 
> >> encrypt the important data and let the entire site be accessible securely, 
> >> but don't force it onto people.
> >> 
> >> -Daxter
> > 
> > It's very difficult to do and most websites do it wrong. You have to think 
> > about mixed-content errors, cookie flags, ...
> > 
> > Sending credentials in cleartext like we do on the wikis, with no secure 
> > alternative, is a disgrace.
> > 
> > Florent
> 
> 
> Can you give me an example of a website that in your mind does either the 
> mixed model or the secure-only model properly? It would be nice to compare 
> with them.
> 
> Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
> but it works.

Why do you get a cert error? We have a wildcard cert!
> 
> While we're on the subject (as I've never bothered with HTTPS on the site 
> until now), turns out it's rather misconfigured. Both the wiki and the main 
> site return a certificate for emu.freenetproject.org… That address isn't 
> accessible--what was it, and shouldn't we get this fixed?

Eh? I thought we used the wildcard cert for everything?



Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Daxter
On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote:
> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
>> 
>> I'm all for HTTPS, but do we really want to outright *remove* functionality 
>> from the site? Sure, HTTP isn't secure and all "modern" web browsers support 
>> it. However, we would be making it harder for people to learn about Freenet 
>> and potentially try it out. 
>> 
> 
> Why? You could still access it over HTTP... and be presented with 
> (transparent) redirect to the secure version.

I just scratched an itch and discovered that even Lynx supports HTTPS… If it 
really is the case that HTTPS has become so ubiquitous that users wouldn't be 
affected, then sure, go ahead with it.

HOWEVER: the question really needs to be restated. Are there any countries or 
ISPs that are known to disallow secure communications?

>> In the end I think we should do what every major website does today: encrypt 
>> the important data and let the entire site be accessible securely, but don't 
>> force it onto people.
>> 
>> -Daxter
> 
> It's very difficult to do and most websites do it wrong. You have to think 
> about mixed-content errors, cookie flags, ...
> 
> Sending credentials in cleartext like we do on the wikis, with no secure 
> alternative, is a disgrace.
> 
> Florent


Can you give me an example of a website that in your mind does either the mixed 
model or the secure-only model properly? It would be nice to compare with them.

Actually, the wiki supports HTTPS right now. You'll get a certificate error, 
but it works.

While we're on the subject (as I've never bothered with HTTPS on the site until 
now), turns out it's rather misconfigured. Both the wiki and the main site 
return a certificate for emu.freenetproject.org… That address isn't 
accessible--what was it, and shouldn't we get this fixed?

-Daxter


Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Florent Daigniere
On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote:
> On Mar 9, 2012, at 15:37, Evan Daniel  wrote:
> 
> > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> >  
> >> 
> >> I was wondering, do we have any good reason not to switch the various 
> >> websites to HTTPS only? (with a 301 redirect on HTTP)
> > 
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> > 
> > Evan Daniel
> 
> I'm all for HTTPS, but do we really want to outright *remove* functionality 
> from the site? Sure, HTTP isn't secure and all "modern" web browsers support 
> it. However, we would be making it harder for people to learn about Freenet 
> and potentially try it out. 
> 

Why? You could still access it over HTTP... and be presented with (transparent) 
redirect to the secure version.

> In the end I think we should do what every major website does today: encrypt 
> the important data and let the entire site be accessible securely, but don't 
> force it onto people.
> 
> -Daxter

It's very difficult to do and most websites do it wrong. You have to think 
about mixed-content errors, cookie flags, ...

Sending credentials in cleartext like we do on the wikis, with no secure 
alternative, is a disgrace.

Florent


Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Florent Daigniere
On Fri, Mar 09, 2012 at 11:11:48PM +, Matthew Toseland wrote:
> On Friday 09 Mar 2012 21:37:12 Evan Daniel wrote:
> > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> >  wrote:
> > > Hi,
> > >
> > > I've been doing some sysadmin tonight:
> > >- re-enabled ipv6 on all services
> > >- updated the DNS records (SPF, ...)
> > >- deployed a valid certificate on postfix
> > >
> > > Let me know if I broke something.
> > >
> > > I was wondering, do we have any good reason not to switch the various 
> > > websites to HTTPS only? (with a 301 redirect on HTTP)
> > 
> > Awesome, thanks!
> > 
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> 
> When we get slashdotted, our server load can be rather high. And this is a 
> fairly low end VM we're running it off.
> > 

I don't think that CPU will ever be a problem for the kind of traffic we handle.

There's plenty of (other) optimizations to be made...

Florent


[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Nicolas Hernandez
Syria was
On 9 March 2012 at 23:55, "Ximin Luo" wrote:

> Do you have some examples?
>
> On 09/03/12 22:25, Nicolas Hernandez wrote:
> > Https can be forbidden in some countries. It is important to have the
> > possibility to disable it.
> >
> > On 9 March 2012 at 22:45, "Ximin Luo" wrote:
> >
> > +1
> >
> > On 09/03/12 21:37, Evan Daniel wrote:
> > > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> > > > <nextgens at freenetproject.org> wrote:
> > >> Hi,
> > >>
> > >> I've been doing some sysadmin tonight:
> > >>- re-enabled ipv6 on all services
> > >>- updated the DNS records (SPF, ...)
> > >>- deployed a valid certificate on postfix
> > >>
> > >> Let me know if I broke something.
> > >>
> > >> I was wondering, do we have any good reason not to switch the
> various
> > websites to HTTPS only? (with a 301 redirect on HTTP)
> > >
> > > Awesome, thanks!
> > >
> > > I'm in favor of https only. The only real arguments against it are
> > > probably server cpu load. I assume that given our traffic levels,
> > > that's not likely to be an issue?
> > >
> > > Evan Daniel
> >
> >
> > --
> > GPG: 4096R/5FBBDBCE
> > https://github.com/infinity0
> > https://bitbucket.org/infinity0
> > https://launchpad.net/~infinity0
> >
> >
> >
> >
> >
>
>
> --
> GPG: 4096R/5FBBDBCE
> https://github.com/infinity0
> https://bitbucket.org/infinity0
> https://launchpad.net/~infinity0
>
>



[freenet-dev] Should we switch the websites to httpS only?

2012-03-10 Thread Arne Babenhauserheide
On Friday, 9 March 2012, 23:25:17, Nicolas Hernandez wrote:
> Https can be forbidden in some countries. It is important to have the
> possibility to disable it.

It could also be broken in some users' systems. I had a few weeks last year in 
which I could not access any https site (library broken, I guess it was a 
power-failure on update).

Best wishes,
Arne



[freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Nicolas Hernandez
Https can be forbidden in some countries. It is important to have the
possibility to disable it.
On 9 March 2012 at 22:45, "Ximin Luo" wrote:

> +1
>
> On 09/03/12 21:37, Evan Daniel wrote:
> > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> >  wrote:
> >> Hi,
> >>
> >> I've been doing some sysadmin tonight:
> >>- re-enabled ipv6 on all services
> >>- updated the DNS records (SPF, ...)
> >>- deployed a valid certificate on postfix
> >>
> >> Let me know if I broke something.
> >>
> >> I was wondering, do we have any good reason not to switch the various
> websites to HTTPS only? (with a 301 redirect on HTTP)
> >
> > Awesome, thanks!
> >
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> >
> > Evan Daniel
>
>
> --
> GPG: 4096R/5FBBDBCE
> https://github.com/infinity0
> https://bitbucket.org/infinity0
> https://launchpad.net/~infinity0
>
>



[freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Matthew Toseland
On Friday 09 Mar 2012 21:37:12 Evan Daniel wrote:
> On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
>  wrote:
> > Hi,
> >
> > I've been doing some sysadmin tonight:
> >- re-enabled ipv6 on all services
> >- updated the DNS records (SPF, ...)
> >- deployed a valid certificate on postfix
> >
> > Let me know if I broke something.
> >
> > I was wondering, do we have any good reason not to switch the various 
> > websites to HTTPS only? (with a 301 redirect on HTTP)
> 
> Awesome, thanks!
> 
> I'm in favor of https only. The only real arguments against it are
> probably server cpu load. I assume that given our traffic levels,
> that's not likely to be an issue?

When we get slashdotted, our server load can be rather high. And this is a 
fairly low end VM we're running it off.
> 
> Evan Daniel



[freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Ximin Luo
Do you have some examples?

On 09/03/12 22:25, Nicolas Hernandez wrote:
> Https can be forbidden in some countries. It is important to have the
> possibility to disable it.
> 
> On 9 March 2012 at 22:45, "Ximin Luo" wrote:
> 
> +1
> 
> On 09/03/12 21:37, Evan Daniel wrote:
> > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> > <nextgens at freenetproject.org> wrote:
> >> Hi,
> >>
> >> I've been doing some sysadmin tonight:
> >>- re-enabled ipv6 on all services
> >>- updated the DNS records (SPF, ...)
> >>- deployed a valid certificate on postfix
> >>
> >> Let me know if I broke something.
> >>
> >> I was wondering, do we have any good reason not to switch the various
> websites to HTTPS only? (with a 301 redirect on HTTP)
> >
> > Awesome, thanks!
> >
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> >
> > Evan Daniel
> 
> 
> --
> GPG: 4096R/5FBBDBCE
> https://github.com/infinity0
> https://bitbucket.org/infinity0
> https://launchpad.net/~infinity0
> 
> 
> 
> 
> 


-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0




[freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Ximin Luo
+1

On 09/03/12 21:37, Evan Daniel wrote:
> On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
>  wrote:
>> Hi,
>>
>> I've been doing some sysadmin tonight:
>>- re-enabled ipv6 on all services
>>- updated the DNS records (SPF, ...)
>>- deployed a valid certificate on postfix
>>
>> Let me know if I broke something.
>>
>> I was wondering, do we have any good reason not to switch the various 
>> websites to HTTPS only? (with a 301 redirect on HTTP)
> 
> Awesome, thanks!
> 
> I'm in favor of https only. The only real arguments against it are
> probably server cpu load. I assume that given our traffic levels,
> that's not likely to be an issue?
> 
> Evan Daniel


-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0




[freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Florent Daigniere
Hi,

I've been doing some sysadmin tonight:
- re-enabled ipv6 on all services
- updated the DNS records (SPF, ...)
- deployed a valid certificate on postfix

Let me know if I broke something.

I was wondering, do we have any good reason not to switch the various websites 
to HTTPS only? (with a 301 redirect on HTTP)

Florent



[freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Daxter
On Mar 9, 2012, at 15:37, Evan Daniel  wrote:

> On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
>  
>> 
>> I was wondering, do we have any good reason not to switch the various 
>> websites to HTTPS only? (with a 301 redirect on HTTP)
> 
> I'm in favor of https only. The only real arguments against it are
> probably server cpu load. I assume that given our traffic levels,
> that's not likely to be an issue?
> 
> Evan Daniel

I'm all for HTTPS, but do we really want to outright *remove* functionality 
from the site? Sure, HTTP isn't secure and all "modern" web browsers support 
it. However, we would be making it harder for people to learn about Freenet and 
potentially try it out. 

In the end I think we should do what every major website does today: encrypt 
the important data and let the entire site be accessible securely, but don't 
force it onto people.

-Daxter


___
Devl mailing list
Devl@freenetproject.org
http://freenetproject.org/cgi-bin/mailman/listinfo/devl


[freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Evan Daniel
On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
 wrote:
> Hi,
>
> I've been doing some sysadmin tonight:
>        - re-enabled ipv6 on all services
>        - updated the DNS records (SPF, ...)
>        - deployed a valid certificate on postfix
>
> Let me know if I broke something.
>
> I was wondering, do we have any good reason not to switch the various 
> websites to HTTPS only? (with a 301 redirect on HTTP)

Awesome, thanks!

I'm in favor of https only. The only real arguments against it are
probably server cpu load. I assume that given our traffic levels,
that's not likely to be an issue?

Evan Daniel



Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Nicolas Hernandez
Syria was
On 9 March 2012 23:55, "Ximin Luo"  wrote:

> Do you have some examples?
>
> On 09/03/12 22:25, Nicolas Hernandez wrote:
> > Https can be forbidden in some countries. It is important to have the
> > possibility to disable it.
> >
> > On 9 March 2012 22:45, "Ximin Luo" wrote:
> >
> > +1
> >
> > On 09/03/12 21:37, Evan Daniel wrote:
> > > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> > > mailto:nextg...@freenetproject.org>>
> wrote:
> > >> Hi,
> > >>
> > >> I've been doing some sysadmin tonight:
> > >>- re-enabled ipv6 on all services
> > >>- updated the DNS records (SPF, ...)
> > >>- deployed a valid certificate on postfix
> > >>
> > >> Let me know if I broke something.
> > >>
> > >> I was wondering, do we have any good reason not to switch the
> various
> > websites to HTTPS only? (with a 301 redirect on HTTP)
> > >
> > > Awesome, thanks!
> > >
> > > I'm in favor of https only. The only real arguments against it are
> > > probably server cpu load. I assume that given our traffic levels,
> > > that's not likely to be an issue?
> > >
> > > Evan Daniel
> >
> >
> > --
> > GPG: 4096R/5FBBDBCE
> > https://github.com/infinity0
> > https://bitbucket.org/infinity0
> > https://launchpad.net/~infinity0
> >
> >
> >
> >
> >
>
>
> --
> GPG: 4096R/5FBBDBCE
> https://github.com/infinity0
> https://bitbucket.org/infinity0
> https://launchpad.net/~infinity0
>
>
>

Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Matthew Toseland
On Friday 09 Mar 2012 21:37:12 Evan Daniel wrote:
> On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
>  wrote:
> > Hi,
> >
> > I've been doing some sysadmin tonight:
> >- re-enabled ipv6 on all services
> >- updated the DNS records (SPF, ...)
> >- deployed a valid certificate on postfix
> >
> > Let me know if I broke something.
> >
> > I was wondering, do we have any good reason not to switch the various 
> > websites to HTTPS only? (with a 301 redirect on HTTP)
> 
> Awesome, thanks!
> 
> I'm in favor of https only. The only real arguments against it are
> probably server cpu load. I assume that given our traffic levels,
> that's not likely to be an issue?

When we get slashdotted, our server load can be rather high. And this is a 
fairly low end VM we're running it off.
> 
> Evan Daniel



Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Arne Babenhauserheide
On Friday, 9 March 2012, 23:25:17, Nicolas Hernandez wrote:
> Https can be forbidden in some countries. It is important to have the
> possibility to disable it.

It could also be broken in some users' systems. I had a few weeks last year in
which I could not access any https site (library broken, I guess it was a
power-failure on update).

Best wishes,
Arne


Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Ximin Luo
Do you have some examples?

On 09/03/12 22:25, Nicolas Hernandez wrote:
> Https can be forbidden in some countries. It is important to have the
> possibility to disable it.
> 
> On 9 March 2012 22:45, "Ximin Luo" wrote:
> 
> +1
> 
> On 09/03/12 21:37, Evan Daniel wrote:
> > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> > mailto:nextg...@freenetproject.org>> 
> wrote:
> >> Hi,
> >>
> >> I've been doing some sysadmin tonight:
> >>- re-enabled ipv6 on all services
> >>- updated the DNS records (SPF, ...)
> >>- deployed a valid certificate on postfix
> >>
> >> Let me know if I broke something.
> >>
> >> I was wondering, do we have any good reason not to switch the various
> websites to HTTPS only? (with a 301 redirect on HTTP)
> >
> > Awesome, thanks!
> >
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> >
> > Evan Daniel
> 
> 
> --
> GPG: 4096R/5FBBDBCE
> https://github.com/infinity0
> https://bitbucket.org/infinity0
> https://launchpad.net/~infinity0
> 
> 
> 
> 
> 


-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0




Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Nicolas Hernandez
Https can be forbidden in some countries. It is important to have the
possibility to disable it.
On 9 March 2012 22:45, "Ximin Luo"  wrote:

> +1
>
> On 09/03/12 21:37, Evan Daniel wrote:
> > On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
> >  wrote:
> >> Hi,
> >>
> >> I've been doing some sysadmin tonight:
> >>- re-enabled ipv6 on all services
> >>- updated the DNS records (SPF, ...)
> >>- deployed a valid certificate on postfix
> >>
> >> Let me know if I broke something.
> >>
> >> I was wondering, do we have any good reason not to switch the various
> websites to HTTPS only? (with a 301 redirect on HTTP)
> >
> > Awesome, thanks!
> >
> > I'm in favor of https only. The only real arguments against it are
> > probably server cpu load. I assume that given our traffic levels,
> > that's not likely to be an issue?
> >
> > Evan Daniel
>
>
> --
> GPG: 4096R/5FBBDBCE
> https://github.com/infinity0
> https://bitbucket.org/infinity0
> https://launchpad.net/~infinity0
>
>
>

Re: [freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Ximin Luo
+1

On 09/03/12 21:37, Evan Daniel wrote:
> On Fri, Mar 9, 2012 at 4:21 PM, Florent Daigniere
>  wrote:
>> Hi,
>>
>> I've been doing some sysadmin tonight:
>>- re-enabled ipv6 on all services
>>- updated the DNS records (SPF, ...)
>>- deployed a valid certificate on postfix
>>
>> Let me know if I broke something.
>>
>> I was wondering, do we have any good reason not to switch the various 
>> websites to HTTPS only? (with a 301 redirect on HTTP)
> 
> Awesome, thanks!
> 
> I'm in favor of https only. The only real arguments against it are
> probably server cpu load. I assume that given our traffic levels,
> that's not likely to be an issue?
> 
> Evan Daniel


-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0






[freenet-dev] Should we switch the websites to httpS only?

2012-03-09 Thread Florent Daigniere
Hi,

I've been doing some sysadmin tonight:
- re-enabled ipv6 on all services
- updated the DNS records (SPF, ...)
- deployed a valid certificate on postfix

Let me know if I broke something.

I was wondering, do we have any good reason not to switch the various websites 
to HTTPS only? (with a 301 redirect on HTTP)

Florent
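
Added example, not part of the original thread or of the project's server configuration: a Python check of what a plain-HTTP request gets back under the "HTTPS only (with a 301 redirect on HTTP)" proposal discussed in this thread. The host www.example.org, the function names and the raw responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = [tuple(p.strip() for p in line.split(":", 1))
               for line in header_lines if ":" in line]
    return status, headers

def audit_redirect(request_url, raw):
    """List the ways a response to a plain-HTTP request falls short of
    'permanent redirect to the same resource over HTTPS'."""
    status, headers = parse_response(raw)
    problems = []
    if status != 301:
        problems.append("status %d is not a permanent 301 redirect" % status)
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if location is None:
        problems.append("no Location header; content is served over plain HTTP")
        return problems
    src = urlsplit(request_url)
    # A relative Location resolves against the request URL, so it stays on http.
    dst = urlsplit(urljoin(request_url, location))
    if dst.scheme != "https":
        problems.append("target scheme is %r, not https" % dst.scheme)
    if dst.hostname != src.hostname:
        problems.append("target host %r differs from %r" % (dst.hostname, src.hostname))
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("path or query is not preserved")
    return problems

# Constructed sample responses to a request for URL (not captured traffic).
URL = "http://www.example.org/download.html?lang=en"
TARGET = b"https://www.example.org/download.html?lang=en"
SAMPLES = {
    "https_only": b"HTTP/1.1 301 Moved Permanently\r\nLocation: " + TARGET + b"\r\n\r\n",
    "temporary": b"HTTP/1.1 302 Found\r\nLocation: " + TARGET + b"\r\n\r\n",
    "drops_path": b"HTTP/1.1 301 Moved Permanently\r\nlocation: https://www.example.org/\r\n\r\n",
    "relative": b"HTTP/1.1 301 Moved Permanently\r\nLocation: /download.html?lang=en\r\n\r\n",
    "http_and_https": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_redirect(URL, raw) or "OK")
```

The "http_and_https" sample corresponds to the alternative raised in the thread, where the site stays reachable over plain HTTP and HTTPS is offered but not forced.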