OpenBSD Foundation on HTTPS


OpenBSD Foundation on HTTPS

Hess THR
Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
support HTTPS, while in 2017 Dec, ~70% of the websites do:
https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
BTW, wow:
https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3

Re: OpenBSD Foundation on HTTPS

Hess THR
Hello,

because HTTPS increases the authenticity, integrity, privacy: https://en.wikipedia.org/wiki/HTTPS

going to apache/iis/nginx/linux will not increase "security", since they have very buggy code.

but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code in the base?


> Sent: Friday, December 15, 2017 at 12:11 PM
> From: "Vivek Vinod" <[hidden email]>
> To: "Hess THR" <[hidden email]>
> Subject: Re: OpenBSD Foundation on HTTPS
>
> 1) Why do you want https support?
> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift to IIS as well? Wait, I guess more people use Linux, so we should stop using OpenBSD all together.
>  
>
> -----Original Message-----
> From: <[hidden email]> on behalf of Hess THR <[hidden email]>
> Date: Friday, 15 December 2017 at 4:20 PM
> To: <[hidden email]>, <[hidden email]>
> Subject: OpenBSD Foundation on HTTPS
>
>     Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
>     support HTTPS, while in 2017 Dec, ~70% of the websites do:
>     https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
>     the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
>     HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
>     BTW, wow:
>     https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
>


Re: OpenBSD Foundation on HTTPS

Ian Sutton-2
Hi,

There is no need. There is nothing secret on those web servers, there
is no logical reason to encrypt it. This issue has been discussed to
death. Please check archives.

Ian

On Tue, Feb 6, 2018 at 4:03 AM, Hess THR <[hidden email]> wrote:

> Hello,
>
> because HTTPS increases the authenticity, integrity, privacy: https://en.wikipedia.org/wiki/HTTPS
>
> going to apache/iis/nginx/linux will not increase "security", since they have very buggy code.
>
> but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code in the base?
>
>
>> Sent: Friday, December 15, 2017 at 12:11 PM
>> From: "Vivek Vinod" <[hidden email]>
>> To: "Hess THR" <[hidden email]>
>> Subject: Re: OpenBSD Foundation on HTTPS
>>
>> 1) Why do you want https support?
>> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift to IIS as well? Wait, I guess more people use Linux, so we should stop using OpenBSD all together.
>>
>>
>> -----Original Message-----
>> From: <[hidden email]> on behalf of Hess THR <[hidden email]>
>> Date: Friday, 15 December 2017 at 4:20 PM
>> To: <[hidden email]>, <[hidden email]>
>> Subject: OpenBSD Foundation on HTTPS
>>
>>     Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
>>     support HTTPS, while in 2017 Dec, ~70% of the websites do:
>>     https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
>>     the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
>>     HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
>>     BTW, wow:
>>     https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
>>
>


Re: OpenBSD Foundation on HTTPS

Hess THR
troll on

hey, yeah, you are absolutely right!

no one would ever modify (since plain http) the example:

http://www.openbsdfoundation.org/donations.html

page, where the PayPal donation links and bitcoin donation links are, without anybody noticing!

Why would someone do something like this? we live in a perfect world without bad people! yay pink ponies!

troll off


> Sent: Tuesday, February 06, 2018 at 12:23 PM
> From: "Ian Sutton" <[hidden email]>
> To: "Hess THR" <[hidden email]>
> Cc: "[hidden email]" <[hidden email]>
> Subject: Re: OpenBSD Foundation on HTTPS
>
> Hi,
>
> There is no need. There is nothing secret on those web servers, there
> is no logical reason to encrypt it. This issue has been discussed to
> death. Please check archives.
>
> Ian
>
> On Tue, Feb 6, 2018 at 4:03 AM, Hess THR <[hidden email]> wrote:
> > Hello,
> >
> > because HTTPS increases the authenticity, integrity, privacy: https://en.wikipedia.org/wiki/HTTPS
> >
> > going to apache/iis/nginx/linux will not increase "security", since they have very buggy code.
> >
> > but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code in the base?
> >
> >
> >> Sent: Friday, December 15, 2017 at 12:11 PM
> >> From: "Vivek Vinod" <[hidden email]>
> >> To: "Hess THR" <[hidden email]>
> >> Subject: Re: OpenBSD Foundation on HTTPS
> >>
> >> 1) Why do you want https support?
> >> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift to IIS as well? Wait, I guess more people use Linux, so we should stop using OpenBSD all together.
> >>
> >>
> >> -----Original Message-----
> >> From: <[hidden email]> on behalf of Hess THR <[hidden email]>
> >> Date: Friday, 15 December 2017 at 4:20 PM
> >> To: <[hidden email]>, <[hidden email]>
> >> Subject: OpenBSD Foundation on HTTPS
> >>
> >>     Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
> >>     support HTTPS, while in 2017 Dec, ~70% of the websites do:
> >>     https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
> >>     the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
> >>     HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
> >>     BTW, wow:
> >>     https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
> >>
> >
>


Re: OpenBSD Foundation on HTTPS

Charlie Eddy
agreed - using HTTP instead of HTTPS is a great way to encourage that
activity, and since I love having my head in the sand like an ostrich I
encourage us to not encrypt the donation links to the most secure operating
system available to the public. That way we can't donate securely to the
foundation we support - the sand is great from down here

On Tue, Feb 6, 2018 at 3:32 AM, Hess THR <[hidden email]> wrote:

> troll on
>
> hey, yeah, you are absolutely right!
>
> no one would ever modify (since plain http) the example:
>
> http://www.openbsdfoundation.org/donations.html
>
> page, where the PayPal donation links and bitcoin donation links are,
> without anybody noticing!
>
> Why would someone do something like this? we live in a perfect world
> without bad people! yay pink ponies!
>
> troll off
>
>
> > Sent: Tuesday, February 06, 2018 at 12:23 PM
> > From: "Ian Sutton" <[hidden email]>
> > To: "Hess THR" <[hidden email]>
> > Cc: "[hidden email]" <[hidden email]>
> > Subject: Re: OpenBSD Foundation on HTTPS
> >
> > Hi,
> >
> > There is no need. There is nothing secret on those web servers, there
> > is no logical reason to encrypt it. This issue has been discussed to
> > death. Please check archives.
> >
> > Ian
> >
> > On Tue, Feb 6, 2018 at 4:03 AM, Hess THR <[hidden email]> wrote:
> > > Hello,
> > >
> > > because HTTPS increases the authenticity, integrity, privacy:
> https://en.wikipedia.org/wiki/HTTPS
> > >
> > > going to apache/iis/nginx/linux will not increase "security", since
> they have very buggy code.
> > >
> > > but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting
> the code in the base?
> > >
> > >
> > >> Sent: Friday, December 15, 2017 at 12:11 PM
> > >> From: "Vivek Vinod" <[hidden email]>
> > >> To: "Hess THR" <[hidden email]>
> > >> Subject: Re: OpenBSD Foundation on HTTPS
> > >>
> > >> 1) Why do you want https support?
> > >> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest
> we shift to IIS as well? Wait, I guess more people use Linux, so we should
> stop using OpenBSD all together.
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: <[hidden email]> on behalf of Hess THR <
> [hidden email]>
> > >> Date: Friday, 15 December 2017 at 4:20 PM
> > >> To: <[hidden email]>, <[hidden email]>
> > >> Subject: OpenBSD Foundation on HTTPS
> > >>
> > >>     Hello, Just noticed that the: http://www.openbsdfoundation.org/
> doesn't
> > >>     support HTTPS, while in 2017 Dec, ~70% of the websites do:
> > >>     https://letsencrypt.org/stats/#percent-pageloads Can we have
> HTTPS for
> > >>     the OpenBSD Foundation? Which Official OpenBSD related domain
> hasn't got
> > >>     HTTPS yet? I wish you happy holidays and again, Thanks for all
> the work!
> > >>     BTW, wow:
> > >>     https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_
> donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
> > >>
> > >
> >
>
>

Re: OpenBSD Foundation on HTTPS

Daniel Ouellet
Come on guys.

If you actually donate and click on any links there you would see it
bring you to a secure page.

No need to have this one https type really, there isn't any information
you enter on it...

I guess the sand is way thicker in some places than others....

Must be nice beaches there and pretty bikini too I hope!


On 2/6/18 1:03 PM, Charlie Eddy wrote:

> agreed - using HTTP instead of HTTPS is a great way to encourage that
> activity, and since I love having my head in the sand like an ostrich I
> encourage us to not encrypt the donation links to the most secure operating
> system available to the public. That way we can't donate securely to the
> foundation we support - the sand is great from down here
>
> On Tue, Feb 6, 2018 at 3:32 AM, Hess THR <[hidden email]> wrote:
>
>> troll on
>>
>> hey, yeah, you are absolutely right!
>>
>> no one would ever modify (since plain http) the example:
>>
>> http://www.openbsdfoundation.org/donations.html
>>
>> page, where the PayPal donation links and bitcoin donation links are,
>> without anybody noticing!
>>
>> Why would someone do something like this? we live in a perfect world
>> without bad people! yay pink ponies!
>>
>> troll off
>>
>>
>>> Sent: Tuesday, February 06, 2018 at 12:23 PM
>>> From: "Ian Sutton" <[hidden email]>
>>> To: "Hess THR" <[hidden email]>
>>> Cc: "[hidden email]" <[hidden email]>
>>> Subject: Re: OpenBSD Foundation on HTTPS
>>>
>>> Hi,
>>>
>>> There is no need. There is nothing secret on those web servers, there
>>> is no logical reason to encrypt it. This issue has been discussed to
>>> death. Please check archives.
>>>
>>> Ian
>>>
>>> On Tue, Feb 6, 2018 at 4:03 AM, Hess THR <[hidden email]> wrote:
>>>> Hello,
>>>>
>>>> because HTTPS increases the authenticity, integrity, privacy:
>> https://en.wikipedia.org/wiki/HTTPS
>>>>
>>>> going to apache/iis/nginx/linux will not increase "security", since
>> they have very buggy code.
>>>>
>>>> but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting
>> the code in the base?
>>>>
>>>>
>>>>> Sent: Friday, December 15, 2017 at 12:11 PM
>>>>> From: "Vivek Vinod" <[hidden email]>
>>>>> To: "Hess THR" <[hidden email]>
>>>>> Subject: Re: OpenBSD Foundation on HTTPS
>>>>>
>>>>> 1) Why do you want https support?
>>>>> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest
>> we shift to IIS as well? Wait, I guess more people use Linux, so we should
>> stop using OpenBSD all together.
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: <[hidden email]> on behalf of Hess THR <
>> [hidden email]>
>>>>> Date: Friday, 15 December 2017 at 4:20 PM
>>>>> To: <[hidden email]>, <[hidden email]>
>>>>> Subject: OpenBSD Foundation on HTTPS
>>>>>
>>>>>     Hello, Just noticed that the: http://www.openbsdfoundation.org/
>> doesn't
>>>>>     support HTTPS, while in 2017 Dec, ~70% of the websites do:
>>>>>     https://letsencrypt.org/stats/#percent-pageloads Can we have
>> HTTPS for
>>>>>     the OpenBSD Foundation? Which Official OpenBSD related domain
>> hasn't got
>>>>>     HTTPS yet? I wish you happy holidays and again, Thanks for all
>> the work!
>>>>>     BTW, wow:
>>>>>     https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_
>> donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
>>>>>
>>>>
>>>
>>
>>


Re: OpenBSD Foundation on HTTPS

Denis Fondras
> If you actually donate and click on any links there you would see it
> bring you to a secure page.
>

But is this the right link? Can I update the value of "hosted_button_id" and
send you to my Paypal account?

Denis


Re: OpenBSD Foundation on HTTPS

Tom Atkinson
In reply to this post by Daniel Ouellet
Whilst that might seem like a fair argument, what would happen if I man
in the middled your request for the http page? I could easily change the
links to point to my malicious site, and with certificates being so easy
to get, it would be relatively easy to make it look authentic as far as
the "you end up on a secure page" argument goes and, given the quality of
some spearphishing, the appearance of the page as well. Of course, none
of that would be possible if all of the pages were TLS encrypted.
Tom

Re: OpenBSD Foundation on HTTPS

Charlie Eddy
In reply to this post by Denis Fondras
"Can I update the value of "hosted_button_id" and
send you to my Paypal account ?"

this

is much cleaner, more logical, more formal, and more sensible than

"No need to have this one https type really, there isn't any information
you enter on it..."

On Tue, Feb 6, 2018 at 1:10 PM, Denis Fondras <[hidden email]> wrote:

> > If you actually donate and click on any links there you would see it
> > bring you to a secure page.
> >
>
> But is this the right link? Can I update the value of "hosted_button_id"
> and
> send you to my Paypal account?
>
> Denis
>
>

Re: OpenBSD Foundation on HTTPS

Stuart Henderson
In reply to this post by Daniel Ouellet
On 2018-02-06, Daniel Ouellet <[hidden email]> wrote:

> Come on guys.
>
> If you actually donate and click on any links there you would see it
> bring you to a secure page.
>
> No need to have this one https type really, there isn't any information
> you enter on it...
>
> I guess the sand is way thicker in some places than others....
>
> Must be nice beaches there and pretty bikini too I hope!

Just because some payment processors somehow manage to get that
iframe-served-by-insecure-site crap through pci-dss doesn't mean
it's safe. Pages redirecting/linking/posting to or <iframe>-embedding
payment pages have just as high a security requirement as the
payment pages themselves. You don't want them to be intercepted
and modified.

> On 2/6/18 1:03 PM, Charlie Eddy wrote:
>> agreed - using HTTP instead of HTTPS is a great way to encourage that
>> activity, and since I love having my head in the sand like an ostrich I
>> encourage us to not encrypt the donation links to the most secure operating
>> system available to the public. That way we can't donate securely to the
>> foundation we support - the sand is great from down here

If you don't trust the forms, you can use [hidden email]
directly.
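Denis's hosted_button_id question and Stuart's point that the page carrying the payment form is part of the payment path suggest a simple defensive check: record what the donation page is supposed to link to and compare each fetched copy against it. This is an added example, not code from the thread or from the OpenBSD Foundation; the HTML, host names and button ids are constructed placeholders.

```python
"""Integrity check for the payment links on a donation page.

Added example, not code from the thread or the OpenBSD Foundation. A site
owner records the targets the page should carry (payment host, PayPal
hosted_button_id) and compares each fetched copy against that record.
Over plain HTTP a rewrite on the wire and a change on the server look the
same to this check: it only reports that the page differs from the record.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample page, not the real donations.html: the PayPal form
# carries a button id that differs from the record and one link is http.
SAMPLE_HTML = """
<html><body>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_s-xclick">
  <input type="hidden" name="hosted_button_id" value="EXAMPLE_BUTTON_ID_X">
</form>
<a href="http://www.example-payments.test/donate">Donate by card</a>
<iframe src="https://www.paypal.com/donate/buttons"></iframe>
</body></html>
"""

# The site owner's record of what the page should contain (placeholders).
EXPECTED = {
    "hosted_button_id": "EXAMPLE_BUTTON_ID_A",
    "payment_hosts": {"www.paypal.com"},
}


class PaymentLinkParser(HTMLParser):
    """Collect outbound targets and hosted_button_id values from a page."""

    def __init__(self):
        super().__init__()
        self.targets = []          # (tag, url) for every a, form and iframe
        self.form_button_ids = []  # values of hosted_button_id hidden inputs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append((tag, a["action"]))
        elif tag == "a" and a.get("href"):
            self.targets.append((tag, a["href"]))
        elif tag == "iframe" and a.get("src"):
            self.targets.append((tag, a["src"]))
        elif tag == "input" and a.get("name") == "hosted_button_id":
            self.form_button_ids.append(a.get("value", ""))


def audit_page(html, expected):
    """Return human-readable findings; an empty list means the page matches."""
    parser = PaymentLinkParser()
    parser.feed(html)
    findings = []
    for tag, url in parser.targets:
        parts = urlsplit(url)
        query_ids = parse_qs(parts.query).get("hosted_button_id", [])
        if parts.scheme == "http":
            findings.append(f"plain-http {tag} target: {url}")
        # A form action or a link carrying a button id is a payment target.
        if (tag == "form" or query_ids) and parts.hostname not in expected["payment_hosts"]:
            findings.append(f"payment target on unexpected host: {parts.hostname}")
        findings += [f"hosted_button_id changed in {tag}: {b}"
                     for b in query_ids if b != expected["hosted_button_id"]]
    findings += [f"hosted_button_id changed in form: {b}"
                 for b in parser.form_button_ids if b != expected["hosted_button_id"]]
    return findings
```

Run against the sample it reports the http link and the changed button id; run from a monitoring host over TLS against the real page, it tells you the page differs from your record, not who changed it.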



Re: OpenBSD Foundation on HTTPS

Charlie Eddy
thank you for providing that email address, case closed as far as I'm
concerned

Re: OpenBSD Foundation on HTTPS

Jonathan Thornburg-3
In reply to this post by Hess THR
From  http://www.openbsdfoundation.org/donations.html :
>  Donations may be made by cheque in CAD/EUR/USD funds to:
>
>     The OpenBSD Foundation
>     8101 160 Street
>     Edmonton, Alberta, Canada
>     T5R 2G9

Without https, how can one verify that that is the correct address?


Re: OpenBSD Foundation on HTTPS

Jeroen
In reply to this post by Charlie Eddy
As far as I am concerned, HTTPS by itself doesn't do miracles. It
involves more tech. Unless you can hack the global web infra, it's only
possible to change this on a local network. Wouldn't there be more
interesting targets in such situations?

Don't get me wrong, I am not trying to downplay the lack of HTTPS. But
I do understand why this has no priority whatsoever. Proper HTTPS is
more work than running ACME to get a certificate issued. DANE,
CAA, etc.

On Tue, 2018-02-06 at 15:43 -0800, Charlie Eddy wrote:

> "Can I update the value of "hosted_button_id" and
> send you to my Paypal account ?"
>
> this
>
> is much cleaner, more logical, more formal, and more sensible than
>
> "No need to have this one https type really, there isn't any
> information
> you enter on it..."
>
> On Tue, Feb 6, 2018 at 1:10 PM, Denis Fondras <[hidden email]>
> wrote:
>
> > > If you actually donate and click on any links there you would see
> > > it
> > > bring you to a secure page.
> > >
> >
> > But is this the right link? Can I update the value of
> > "hosted_button_id"
> > and
> > send you to my Paypal account?
> >
> > Denis
> >
> >


Re: OpenBSD Foundation on HTTPS

Jeroen
In reply to this post by Jonathan Thornburg-3
With HTTPS, can you be sure that the server isn't compromised? With or
without HTTPS, it's always a good idea to check whether the address is
correct (a foundation has to be registered and at other places).

On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:

> From  http://www.openbsdfoundation.org/donations.html :
> >  Donations may be made by cheque in CAD/EUR/USD funds to:
> >
> >     The OpenBSD Foundation
> >     8101 160 Street
> >     Edmonton, Alberta, Canada
> >     T5R 2G9
>
> Without https, how can one verify that that is the correct address?
>
>


Re: OpenBSD Foundation on HTTPS

Charlie Eddy
Hello Jonathan Thornburg,

That is quite simple. The post will work.

https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612

Regards,

On Wed, Feb 7, 2018 at 6:42 AM, Jeroen <[hidden email]> wrote:

> With HTTPS, can you be sure that the server isn't compromised? With or
> without HTTPS, it's always a good idea to check whether the address is
> correct (a foundation has to be registered and at other places).
>
> On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:
> > From  http://www.openbsdfoundation.org/donations.html :
> > >  Donations may be made by cheque in CAD/EUR/USD funds to:
> > >
> > >     The OpenBSD Foundation
> > >     8101 160 Street
> > >     Edmonton, Alberta, Canada
> > >     T5R 2G9
> >
> > Without https, how can one verify that that is the correct address?
> >
> >
>
>

Re: OpenBSD Foundation on HTTPS

Hess THR
Hello,

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

"Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”."

so:
http://www.openbsdfoundation.org/
http://firmware.openbsd.org/firmware/
any mirror that still uses just http, not https, pkg_* should only allow https communication
any other?

also, default redirect to HTTPS should be advisable

HTTPS would provide integrity, privacy, authenticity.

Have a great weekend!

ps.: OpenBSD team is great! I am just advising that it would be better to use HTTPS.


> Sent: Thursday, February 08, 2018 at 12:37 AM
> From: "Charlie Eddy" <[hidden email]>
> To: [hidden email]
> Cc: "Jonathan Thornburg" <[hidden email]>, [hidden email]
> Subject: Re: OpenBSD Foundation on HTTPS
>
> Hello Jonathan Thornburg,
>
> That is quite simple. The post will work.
>
> https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612
>
> Regards,
>
> On Wed, Feb 7, 2018 at 6:42 AM, Jeroen <[hidden email]> wrote:
>
> > With HTTPS, can you be sure that the server isn't compromised? With or
> > without HTTPS, it's always a good idea to check whether the address is
> > correct (a foundation has to be registered and at other places).
> >
> > On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:
> > > From  http://www.openbsdfoundation.org/donations.html :
> > > >  Donations may be made by cheque in CAD/EUR/USD funds to:
> > > >
> > > >     The OpenBSD Foundation
> > > >     8101 160 Street
> > > >     Edmonton, Alberta, Canada
> > > >     T5R 2G9
> > >
> > > Without https, how can one verify that that is the correct address?
> > >
> > >
> >
> >
>
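The "default redirect to HTTPS" Hess asks for, on the stack the thread itself mentions (OpenBSD httpd(8), acme-client(1), LibreSSL), as an added example and not the Foundation's own configuration: port 80 is kept only for ACME challenges and redirects, and the site is served over TLS. www.example.org, the file paths and the cron line are placeholders.

```text
# /etc/httpd.conf (placeholder host name and paths; adapt before use)
# Plain-HTTP listener: answers ACME challenges, redirects everything else.
server "www.example.org" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location * {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"
	}
}

# TLS listener: the site itself (root is relative to the /var/www chroot).
server "www.example.org" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/www.example.org.fullchain.pem"
		key "/etc/ssl/private/www.example.org.key"
	}
	root "/htdocs/www.example.org"
}

# /etc/acme-client.conf
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

domain www.example.org {
	domain key "/etc/ssl/private/www.example.org.key"
	domain full chain certificate "/etc/ssl/www.example.org.fullchain.pem"
	sign with letsencrypt
}

# First issuance by hand, then renewal from root's crontab; acme-client
# only rewrites the files when the certificate is close to expiry:
#   acme-client -v www.example.org && rcctl reload httpd
#   0 3 * * *  acme-client www.example.org && rcctl reload httpd
```

With this in place the donations page, its PayPal form and the postal address all arrive under the same certificate as the payment pages they point to, which is the integrity property Stuart and Tom were asking for.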


Re: OpenBSD Foundation on HTTPS

Kevin Chadwick-4
On Fri, 9 Feb 2018 12:35:25 +0100


> https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
>
> "Beginning in July 2018 with the release of Chrome 68, Chrome will
> mark all HTTP sites as “not secure”."
           ^^^^^^^^^^

HTTP pages!

And they admit the choice of words is poor but they can't think of any
accurate ones that would have the desired effect.

They should probably get rid of the certificate lifetime limits first,
else any laptop (likely an older generation) whose BIOS battery has died
will now be DoSed from the internet with the other changes already
brought in.


Re: OpenBSD Foundation on HTTPS

Kevin Chadwick-4
In reply to this post by Hess THR
On Fri, 9 Feb 2018 12:35:25 +0100


> also, default redirect to HTTPS should be advisable

The important thing is using secure cookies for logins. Otherwise SSL
is less secure. It is required if authenticity of page content is
beneficial of course. The performance claims are also fine and dandy if
you have Google's money for newer processors or use cloud services, I
guess? Anyone know if there are any cost implications of cloud SSL,
cycle counts etc. or Intel AES-NI saves money in the cloud even?