HTTPS support

[Barade]

Hey, I was just wondering why the website does not offer HTTPS support? Shouldn't be that hard to implement with Let's Encrypt or something similar?

 

[Dr Super Good]

Hey, I was just wondering why the website does not offer HTTPS support? Shouldn't be that hard to implement with Let's Encrypt or something similar?

Should not be hard to implement, but also not free. You need a valid security certificate to use HTTPS and those usually have an associated yearly cost.

 

[Ralle]

Hey Barade, thanks for the suggestion .

Let's Encrypt is free by the way. You need to read up on it DSG .

I have been working on integrating it for about a week now. I am almost ready to roll it out. Just need a little more time. We need this soon, especially now that Chrome and Firefox will start to report websites as unsafe without HTTPS.
I am using Docker for the site, so I need to jump through a few hoops to make it work excellent across restarts and make it configurable through environment variables.

 

[pyf]

Brought as a public service:
- Let's Encrypt - Wikipedia
- Let's Encrypt - Free SSL/TLS Certificates

 

[Dr Super Good]

Let's Encrypt is free by the way. You need to read up on it DSG .

All I know about certificates comes from signing Windows drivers and software. You need a valid encryption key from a key provider to sign such files. Programs without such signing will show a warning to the user when first run and drivers without such signing will not be able to be installed at all on modern Windows OS. I thought these were the same/similar keys to what HTTPS used, however apparently not.

 

[pyf]

@Ralle : an interesting site imho:
Qualys SSL Labs

Their SSL Server Test free online service might come in handy at some point
SSL Server Test (Powered by Qualys SSL Labs)

 

[Ralle]

Hey pyf,
Thanks for the link. My favorite podcast mentions it often, so I am familiar with it already. Yeah, we should probably get the highest score there when that time comes. The only thing is, we might need to support Windows XP. I will need to look at out browser statistics to see if nobody is using a very old version of IE. I will find a sweet spot and settle there.

 

[pyf]

The only thing is, we might need to support Windows XP. I will need to look at out browser statistics to see if nobody is using a very old version of IE. I will find a sweet spot and settle there.

It should be possible to support the IE8+XP combo by using TLS 1.0 / 3DES, but idk whether it will degrade the overall 'security score' of a web site or not.

This is how to do it (in French):
SSL et (Perfect) Forward Secrecy

Spoiler: Google Translate to the rescue! :D

QnD CnP

[...]
"To allow even when Windows XP users to access our site ( or 18.91% of the IT park in May 2014 according statcounter ) we will add a cipher "not too rotten" to allow all clients to connect to our site, which I reminds you, has been configured to be accessible only over HTTPS.

You can also decide that users of XP will disappear, and the search engine Russian Yondex does not interest you, and do not add this to your list cipher to you ... But personally I prefer that everyone can access (especially as the error message in IE / XP is unclear!)

Looking at the detail of what is available in the "less competent" three ( Yandex ) shows two lines of RC4 and 3DES line. Good thing IE6 / XP and IE8 / XP also support the same line 3DES: TLS_RSA_WITH_3DES_EDE_CBC_SHA. A search for the name in 'man cipher' indicates that the OpenSSL side equivalent name for the cipher is DES-CBC3-SHA.

So we will add it at the very end of our parameter 'ssl.ssl.cipher-list'

ssl.cipher-list = "EECDH:EDH:!eNULL:!RC4:!DES:@STRENGTH:DES-CBC3-SHA"

In this way being very last one will have the following behavior:

• the "able" customers will continue to use the best versions "compatible PFS"
• incompatible customers will choose the latter, and will always connect (without PFS)

Server configuration to the new one charging ( service lighttpd restart), and the SSL configuration is retested by clicking on "Clear Cache" on top of the result page of Qualys SSL Labs .

We get the following result:
[...]
Everyone correctly accesses our site, all who are able to benefit from the PFS feature, bingo you win!"

Please note I would personally ditch support for the IE8+XP combo.


Fyi, this is what abuse.ch did more than one year ago:
SSL Server Test: zeustracker.abuse.ch (Powered by Qualys SSL Labs)
- IE 6 / XP: No FS, No SNI - Server closed connection
- IE 8 / XP: No FS, No SNI - Server sent fatal alert: handshake_failure

XP users can still visit the site / download their blocklists, by using FF / Chrome / Opera (Next) or their derivatives. But they can not download / install them automatically anymore on XP by using HostsMan.

This is because HostsMan relies on the outdated schannel.dll, which is a part of IE / Windows, for its secure connection.


A (very) theoretical workaround for XP + IE8 users might be to find a way to make Camellia work for IE8, but idk how to do it. In fact, it might not be possible at all?

Both Camellia's reputation and availability are very unclear to me atm.


** update **

SSL Labs Grading Changes January 2017

 

[Ralle]

You are very useful. Thank you so much for sharing all of this .

 

[pyf]

You are welcome.

I had done all this research more than a year ago, because of the issues on XP with HostsMan and the ZeuS hostlist from zeustracker.abuse.ch since their server upgrade.

Some additional info:
IE Supported Cipher Suites · client9/sslassert Wiki · GitHub

...and for the fun of it, this is why nobody should try to use IE8 on XP anymore:
Qualys SSL Labs - Projects / User Agent Capabilities: IE 8 / XP

 

[Ralle]

About 4% of our users use Windows XP. And here is our browser breakdown:

This is impressive. Our users are above average sophistication. Average people don't know to install another browser as far as I know.

What the fuck is Coc Coc?

 

[Dr Super Good]

This is impressive. Our users are above average sophistication. Average people don't know to install another browser as far as I know.

They normally only install Chrome or FireFox. So it fits the trend...

Edge is Windows 10 only so its low percentage will probably be similar to the low percentage of Windows 10 users. Since edge was designed to supersede Internet Explorer one really has to count those two together, not that it matters much.

What the fuck is Coc Coc?

Cốc Cốc browser (previously Cờ Rôm+) is a freeware web browser focused on the Vietnamese market, developed by Vietnamese company Cốc Cốc and based on Chromium open source code,[1] which is the same platform used by Google Chrome, Opera, and Comodo Dragon. Cốc Cốc is available for the Windows, Windows Phone and the OSX operating systems[2][3] and supports both English and Vietnamese.[4]

It is basically chrome more heavily adapted for Vietnam. Its adds features like reverse DNS lookup to get around DNS level website blocking, automatic "tone" guessing for Vietnamese text, improved Vietnamese spell checking, English to Vietnamese translation, support to download streamed media (common sources like YouTube, will probably fail on DRM sources like IPlayer), the ability to use multiple TCP streams to download a file and partial download resuming if supported by website.

Basically a whole lot of features which are completely useless to anyone who is not Vietnamese or who lives outside of Vietnam.

Some of the features even have questionable computer ethics... Creating multiple TCP streams to speed up a file download is deliberately passing upload rate restrictions of the source server. Not only does this make the server use more resources but also can degrade the quality of service provided to other users at times of high load. Downloading stream media is also questionable ethics because the providers often do not want you to retain a persistent copy of the media, hence why YouTube lacks a native "download" button.

 

[pyf]

About 4% of our users use Windows XP. And here is our browser breakdown:
View attachment 260427

This is impressive. Our users are above average sophistication. Average people don't know to install another browser as far as I know. [...]

Fyi here is the breakdown over time, of OSes on which some sort of Unity game/editor is/was installed:
Unity - Standalone Hardware Stats (more 'gamer' oriented stats?)
Unity - Editor Hardware Stats (more 'modder' oriented stats?)


Regarding the browser breakdown, as @Dr Super Good said, it fits the trend.

A few years ago, I remember the browser market share of Firefox was a tad below 20%, and it was keeping eroding slowly over the years.
Opera users have been around 2.5% for years afaik, and Opera Next did not change that afaik.
Google Chrome has steadily been on the rise, while IE's market share kept decreasing at the same time. I am pointing out, there have been numerous (3 at least) large-scale ad campaigns for Google Chrome on French TV over the last years.


Out of curiosity, what about mobile devices?

Also, it might be interesting to know how many Hive members with Windows 10 installed, actually use Edge.

 

[Ralle]

I didnøt look at mobile stats because most smartphones are pretty new and support the latest TLS versions.

 

[pyf]

A bit of browser testing, for those interested

OS: XP SP3
Site used: How's My SSL?


Pale Moon 26.5.0 (Atom/XP version)

Spoiler

Probably OK

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

Opera Next 36.0.2130.80

Spoiler

Probably OK

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Firefox 51.0.1

Spoiler

Probably OK

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Google Chrome 49.0.2623.112

Spoiler

Probably OK

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Opera 12.18 build 1872

Spoiler: baseline install

Opera 12.18 should have enabled TLS 1.1 and 1.2 as well

Bad
- Version: bad (TLS 1.0)
- Session ticket support: improvable

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Spoiler: after a bit of config

After manually activating TLS 1.1 and 1.2 as well in the Advanced Preferences menu, and even though Strict Transport Security support is already activated in opera:config, we now get:

Improvable
- Session ticket support: improvable

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

IE8 v8.0.6001.18702

Spoiler

Bad
- Version: bad (TLS 1.0)
- Session ticket support: improvable
- BEAST vulnerability: bad
- Insecure cipher suites: bad [note: too many to list]

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

People with an IE version other than v11 should read this, *especially* XP users:
Microsoft Security Advisory 3009008

The automated Microsoft Fix it solution to disable SSL 3.0 in IE only can be downloaded from here.
Again, those with IE11 installed (and an updated OS) do not need it.

Do note this Fix it was released *after* XP officially went EoL in April 2014.
The Fix it solutions require Microsoft Powershell.

didnøt

 

[Ralle]

Okay done.

 

[pyf]

For those interested:
SSL Server Test: www.hiveworkshop.com (Powered by Qualys SSL Labs)

@Ralle:

 

[Ralle]

Thanks

EDIT: Oh, just noticed. The smilies get served over HTTP:// gotta fix that!

 

[Dr Super Good]

Now we can be sure that our Warcraft III related messages and data will not be intercepted by man in the middle or impersonation attacks! Not like that was ever a problem or concern...

 

[Deleted member 219079]

Now we can be sure that our Warcraft III related messages and data will not be intercepted by man in the middle or impersonation attacks! Not like that was ever a problem or concern...

Having a board where you could write as anonymous, that is, without login, would be cool as well. I think quests were a thing?

 

[Ralle]

It is most definitely a concern when you are on an open wireless access point. People wanting to do you harm want to do you harm no matter the site you're visiting as long as it's not HTTPS.

 

[pyf]

Now we can be sure that our Warcraft III related messages and data will not be intercepted by man in the middle or impersonation attacks! Not like that was ever a problem or concern...

It is also a matter of moving with the times. Quoting Ralle:

"We need this soon, especially now that Chrome and Firefox will start to report websites as unsafe without HTTPS."

@Dr Super Good: out of curiosity, is there a reason any site should continue to use HTTP only nowadays?

 

[Dr Super Good]

It is most definitely a concern when you are on an open wireless access point. People wanting to do you harm want to do you harm no matter the site you're visiting as long as it's not HTTPS.

You must know some really bad people for that to be a problem... As far as I am aware there is no personal gain to be made at Hive Workshop and as such most hackers will not care and class such traffic as junk to be ignored. It is like one talking about how cute cats are in public to a friend, other people can listen in but they stand to gain nothing and you have nothing to hide.

@Dr Super Good: out of curiosity, is there a reason any site should continue to use HTTP only nowadays?

Someone which does not want to have to deal with the complexities of a 2-3 page certificate? One could put a carbon value to all the extra computation needed for the encryption and decryption and checking but I will not bother as that is trivial compared with other sources at the moment. Some people could argue that outside of really personal matters (online banking, stuff that has financial worth etc) should one be hiding what you are saying?

 

[Ralle]

Some people could argue that outside of really personal matters (online banking, stuff that has financial worth etc) should one be hiding what you are saying?

For sure. Why would anybody but you and the server need to see your traffic? For spying on you? And now let's move to Medivh's tower to discuss whether spying on people is good or bad.

Oh and by the way. We are running HTTP2 now. Going from HTTP to HTTPS slows down page loads, however HTTP2 (which is also HTTPS) is faster than standard HTTP, so even if you don't care about encryption, you will load pages faster than in the past if your browser supports HTTP2.

 

[pyf]

As far as I am aware there is no personal gain to be made at Hive Workshop [...]. It is like one talking about how cute cats are in public to a friend, other people can listen in but they stand to gain nothing and you have nothing to hide.

Some people could argue that outside of really personal matters (online banking, stuff that has financial worth etc) should one be hiding what you are saying?

Some people do seriously care for the privacy and security of discussions about how cute cats are:
How to Deploy HTTPS Correctly
Encrypting the Web

 

[Dr Super Good]

Will the server key automatically renew in 3 months time? Or does someone have to manually renew it?

 

[pyf]

Depends...
Getting Started - Let's Encrypt - Free SSL/TLS Certificates

 

[Ralle]

It attempts to do so automatically every 24 hours but will only succeed after 60 days.