Does SMF 2.0.2 support SSL/HTTPS?

Started by FreeMag, June 27, 2012, 12:31:38 PM


Suki

Well, Chrome has already taken some steps in this direction too :(

I've been looking at the comments on that article; the vast majority center their opinion on "certs aren't that expensive anymore"... which is insane! Not everyone lives in the US and/or western Europe! Come on!

Other responses include using third-party services like StartSSL or "Let's Encrypt", which doesn't really help the millions and millions of shared hosting accounts all over the freaking world!

Surely webhosting companies will simply not bother to make any changes unless strictly necessary.

What will happen if "Let's Encrypt" goes down? Centralizing your security doesn't seem like a great idea; this now means that if any attacker manages to bring down Let's Encrypt, millions of other websites will be affected too. Sounds pretty tempting, right?


How about localhost? Another common response is: "it's trivial to generate a self-signed certificate and import it". Well, yeah, for you it is; what about people who want to start their first webpage? Do they now have to be masters of the CL in order to run a single painfully badly written HTML page?

"But you can still use HTTP!"

To an extent, yes... if you want the full package (running HTTPS) then you will have to pay money to get it. Sounds a lot like those pesky Facebook games where you can "play for free" but are constantly annoyed by the game maker to spend money to get "the real good stuff". In essence, it all comes down to a new type of "segregation": those with money can still happily live in da interwebz ever after! Those that do not, well, you can go back to regular snail mail, play Monopoly and all that other stuff that you did before you were online.

So, what's going to be the next step? Forcing users to have a CA on themselves? That surely sounds quite handy for some government organizations, though.

I'm pretty sure Mozilla did this because there are other competitors going down similar paths (otherwise it pretty much is commercial suicide given the current market share Firefox has), so, sadly, it seems this is here to stay.
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.

vbgamer45

Just seems like it's going to cause chaos. I have hundreds of domains personally. And my company has thousands. If I have to get a cert, even a self-signed one, for each, it's going to be a huge pain to maintain everything. Then when you have to update each one.
If the process were easier, maybe, but right now it takes a lot of time to set up and configure correctly. Most sites don't even have a good SSL setup due to OpenSSL holes etc.: https://www.ssllabs.com/ssltest/
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

badon

I agree about all the issues everyone has raised about Firefox's decision. I think the way they currently handle things is clunky and very annoying too. However, I am optimistic about the future, and I think this is still a step in the right direction. I agree that today's way of doing things will not work out well if Firefox's future plans were fully implemented today, but those fears are premature in my opinion. Just to give you an idea of how painless this could be, try the Perspectives add-on for Firefox:

https://www.google.com/search?q=firefox+perspectives

It will automatically bypass warnings about a self-signed certificate if it is known that the same certificate has been in use for a long time. That is only one of the many ways it improves on the way things are normally done today. Other things that need to be improved, as has already been mentioned, are that certificates need to be able to work for shared hosting websites. That is a solvable problem. All of the issues raised here are solvable problems. Even vbgamer45's complaint about the inconvenience of maintaining certificates is a solvable problem. Such things can be automated in a new era where HTTPS is the only way things should be done.

Instead of complaining about why such ideas won't work NOW, I suggest being part of the solution by participating in the efforts to make it work in the FUTURE. The "no-can-do" attitude is wrong. It CAN be done, and none of the "no-can-do" reasons given so far are technically infeasible to fix.

Suki

Sorry badon, but your "suggestion" just doesn't make any sense, as it requires everyone to install that add-on, which is simply not realistic.

And nope, these concerns aren't premature; Google's Chrome has already taken steps in this direction.

You said everything raised here is solvable but don't provide any solution. Please DO provide examples of how this can be easily solved.


You are also forgetting that going full HTTPS doesn't even solve all the security issues that have been raised over the years, like China issuing inappropriate or questionable certificates, or the fact that Firefox itself quite happily accepts pretty questionable CA certificates but discourages the only truly free and open-source one, which is quite ironic!

Sorry badon, but this is beyond being "painless", and this issue cannot be solved by merely installing an add-on. It goes deeper than you might think and will have tons of repercussions.

Please drop the "install this add-on" approach, as it is quite irrelevant to this whole issue.

badon

I mentioned the Perspectives add-on to demonstrate that the problems with HTTPS are fixable, and Perspectives does indeed solve some of them. Look at the way Tor handles encryption. It solves the HTTPS problem, the DNS problem, the NAT hole punching problem, and many more. It has flaws of its own, of course, but my point is that none of the problems with HTTPS are unfixable. There are already solutions to most of them.

Granted, bringing it all together into something that works to solve all of those problems simultaneously might be a bigger problem than merely upgrading HTTPS. For example, if Tor or some derivative became a standard protocol for the internet, that would essentially constitute a redesign or replacement of HTTP and HTTPS, not just an upgrade to them.

Suki

And yet, this goes beyond solving https issues...

Many small businesses/personal webpages simply do not have the economic resources to go full HTTPS.
Some static HTML pages have absolutely no need to go full HTTPS.
Web hosting companies will most likely either ignore this or will have to increase their prices in order to offer support for HTTPS, yes, even if they are already using Apache's SNI.

There are many, many issues besides HTTPS implementation, so it really, really is as simple as you might think it is.

Kindred

It is, as I have already said, an incredibly stupid decision...

Not everyone can afford or support certs, and most sites don't NEED https. None of my sites do....
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

karlbenson

Given Snowden and what we've learned, everything which will be part of the 'internet of things' needs encryption at the heart of everything and not as an afterthought.

I rarely agree with Firefox on anything, but the sooner we move forward towards full encryption without backdoors for governments and big business, the better.


badon

I agree completely with karlbenson. In fact, the only reason encryption isn't everywhere already is because the government of the USA has tremendous spying resources, and they have always discouraged encryption at the first opportunity. I'll give you an example of how this influence is used in one publicly known case. The USA invented cellular telephone systems in the 1960's. Little villages in Africa had cell phones by the 1970's and 1980's. Cell phones did not become commonly available to everyone in the USA until the 1990's. Why the delay? Because the FCC of the USA used their regulatory powers to block unused frequency allocation to the telecommunication industry.

The conventional conspiracy theory is that the delay was because it favored the landline telephone companies, which is pretty plausible. However, this isn't the whole story. At the time the USA's spying resources relied on hordes of human listeners in centralized offices, using centralized taps on the wired telephone network. Wireless telephones circumvented those taps, and potentially required someone to be physically near the transmitting cellphone to intercept the call. It was more difficult, but not impossible. When the government's spying capability for wireless phone systems improved, the FCC magically granted permission to use bandwidth for telephone calls, and a decade after Africa, they became commonly available to Americans.

But there was a catch...

Although scrambled, digital, and even sophisticated encrypted radio communication technology was available worldwide by the 1980's, the cellular telephone industry was granted bandwidth by the FCC on the condition that they only use specific kinds of modulation - all of them analog, and all of them easily spied upon by anyone with a cheap receiver! At that time, the cutting edge RF spy technology (taken from submarine passive sonar systems) was capable of capturing all transmissions simultaneously on all frequencies, so it was no longer necessary for someone to be physically present at the location of a specifically targeted transmitter. The entire RF spectrum could all be recorded, and then analyzed later, perhaps with improved technology at a much later date.

It is no coincidence that the USA government was angered by the release of publicly available PGP encryption at the same time that spy-friendly cellular telephone systems were being widely adopted in the 1990's. Those contemporaneous events occurred at a time when the USA government was doing everything it could to stop or delay any and all kinds of secure communications. Anyone here who pushes the idea that things should stay the same is simply another disposable soldier in the USA's army, out to free the world from encryption because it's too expensive, too difficult, and nobody anywhere should ever use it ever, never, ever, because only terrorists would do that. It's all about democracy, you see, because if nobody else can read your communications, that's not democratic.

No can do?

Kindred



vbgamer45

Doesn't work for Windows servers.

The key issue is SSL takes time to set up correctly, and maintenance time each year to swap it out when it expires. You have to remember the dates it expires, then re-update the keys; it takes about an hour to do per site.

There needs to be a better way; right now it would drive me insane to do it for all my domains. It needs to be a one-click/automated process. Or better yet, the browser should do encryption instead, since most people do not set up SSL correctly to begin with and use poor choices of encryption ciphers.

Also, with current SSL flaws they recommend disabling SSL compression, which leads to even more bandwidth usage: http://resources.infosecinstitute.com/beast-vs-crime-attack/

Suki

That's the whole point; sure, for every question raised there's an answer:

- Shared hosts won't be happy: there is SNI.
- I will have to pay for a CA: there is Let's Encrypt.

And so on, but the reality is that most of these "answers" don't really exist yet (Let's Encrypt), are pretty new (SNI) or simply don't work at all (Cloudflare).

It really looks like things were planned upside down; the Mozilla guys should have focused on getting "Let's Encrypt" ready and functional before announcing HTTP deprecation... I mean... who announces "I'm going to the prom in a Ferrari F50" without even having the car yet (or any resources to get it)? Seems pretty illogical.


The only way I can think of Mozilla doing this is to "beat Chrome" in doing it first, which seems so freakishly childish I cannot even believe I'm suggesting it, but it seems that's the case here.

It looks like this is yet another chapter in the constant and extremely childish battle between Chrome and Mozilla; prematurely calling for HTTP deprecation is extremely stupid... and for what? Just to be able to say "I called it first"?

Since the article was published a FAQ PDF has been floating around somewhere; it kinda "softens" the article by saying "And any such changes will be made only after consultation with the web community", which seems pretty redundant.

The FAQ also offers "alternatives" to getting a paid CA and even suggests using Let's Encrypt, which, at this time, isn't released, and we have no idea how it's going to work either. The other alternatives require a unique IP which, obviously, costs money.

Gotta love how they try to "minimize" the users' responses at the end of the FAQ, quite amusing.
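The two technical answers in Suki's list above, SNI for shared hosts and the certificate-expiry bookkeeping vbgamer45 complained about earlier, as an added Go example that is not code from this thread or from SMF: the hostnames, lifetimes and in-memory self-signed certificates are constructed for the demonstration, standing in for whatever certificates a host actually deploys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds an in-memory self-signed certificate for one hostname,
// valid for the given number of days (constructed stand-in for a real cert).
func selfSigned(host string, days int) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// sniConfig returns a tls.Config whose certificate is chosen from the SNI
// hostname the client sends, so several HTTPS sites can share one IP address.
// Clients that send no name, or an unknown one, get the fallback certificate.
func sniConfig(certs map[string]tls.Certificate, fallback string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			// SNI names are case-insensitive and may carry a trailing dot.
			name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
			if c, ok := certs[name]; ok {
				return &c, nil
			}
			c, ok := certs[fallback]
			if !ok {
				return nil, fmt.Errorf("no certificate for %q and no fallback", hello.ServerName)
			}
			return &c, nil
		},
	}
}

// daysUntilExpiry reports the whole days left on a certificate at time now
// (negative once it has expired): the bookkeeping otherwise kept in a calendar.
func daysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	certs := map[string]tls.Certificate{}
	for host, days := range map[string]int{"forum.example": 90, "blog.example": 5} {
		c, err := selfSigned(host, days)
		if err != nil {
			panic(err)
		}
		certs[host] = c
	}
	cfg := sniConfig(certs, "forum.example")
	for _, sni := range []string{"blog.example", "FORUM.EXAMPLE", ""} {
		c, _ := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("SNI %q -> cert for %v, %d days left\n", sni, c.Leaf.DNSNames, daysUntilExpiry(c.Leaf, time.Now()))
	}
}
```

Running the same expiry check over every certificate a server holds is what turns "remember the dates" into a report that can be scheduled rather than memorized.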

Kindred

yup...   it's an extremely short-sighted and stupid move on their part that will end up losing them market share, guaranteed....  because *I* have no intention of paying for a cert on 7 sites (none of which have anything worth protecting with a cert...  no personal data aside from email)

So...   if they do this -- then my answer to anyone who complains about not being able to get into my sites will be - don't use firefox.

badon

Quote from: Suki on May 03, 2015, 10:55:11 AM
That's the whole point; sure, for every question raised there's an answer:

- Shared hosts won't be happy: there is SNI.
- I will have to pay for a CA: there is Let's Encrypt.

And so on, but the reality is that most of these "answers" don't really exist yet (Let's Encrypt), are pretty new (SNI) or simply don't work at all (Cloudflare).

Regarding CloudFlare, we attempted to use them and a few others to handle HTTPS for us, among other things, and I agree, it didn't work out well. So, we went to Incapsula. All of our sites have self-signed certificates, which Incapsula uses in their connections to our sites, and Incapsula delivers their own certificate for our sites that they pay for and maintain. So, the solution you implied involving CloudFlare DOES work in general form, but with Incapsula instead.

Incapsula is expensive, but the techniques they are using could become cheaper and more easily available in the future, especially on shared hosting sites. In other words, complaints about Firefox's plans are completely solved as far as our sites are concerned, just from usage of Incapsula alone.

And, as I mentioned before, if you use Perspectives in Firefox, you wouldn't even need Incapsula. Perspectives can validate an expired HTTPS certificate the same way it can validate any other. All of our certificates are expired, and we haven't bothered to update them because Incapsula "covers" that problem for us, even if our users don't have Perspectives.

Now, with all of that said, I agree that Firefox/Mozilla has done some stupid things in the past. Maybe someday this idea will be added to the list. If some other solution ends up being used instead, like perhaps something more advanced that is similar to Tor as I speculated earlier, then this idea about radicalizing support for HTTPS would go in the garbage heap. The only reason Firefox has my support is because our sites will be unaffected if they screw it up, and because it is forcing people to have conversations like this one.

hitsme

I recently added SSL to my site; it's a pain in the neck with SMF. You have to change the paths (URLs) to https:// in about 10 different settings: theme, database & paths, smileys, attachments, avatars, ...

There should be one global setting for the global path.

Suki

Quote from: badon on May 03, 2015, 05:18:56 PM
Incapsula is expensive, but the techniques they are using could become cheaper and more easily available in the future, especially on shared hosting sites. In other words, complaints about Firefox's plans are completely solved as far as our sites are concerned, just from usage of Incapsula alone.

Except for the tiny little detail that your site(s) don't even represent 0.000000000001% of the total websites available across all the almighty interwebz...

You see, you not having an issue doesn't mean others will not have issues as well... and it seems that whoever made this decision at Mozilla also has this narrow point of view: "If it doesn't affect me then it doesn't affect anyone". That's just plain wrong, narrow-minded and quite narcissistic if you ask me.

Sure, those with money and/or knowledge will be just fine, but what about the rest?

Besides all the other issues this decision will create there is also another one: this change will inevitably push "technologically illiterate people" towards "easy to use", "one click ready" services such as Facebook pages and/or WP blogs, effectively killing the initiative or innovation these people might have; they will no longer be interested in creating their own webpages, since it will be too difficult to start building one. People like me who started learning HTML will simply cease to exist.


Want to move to HTTPS? Fine by me! I'm not against this, but first do try to solve all its issues and, what's more important, make it easy to understand/deploy, because the alternatives that do exist right now (and those that don't even exist yet!) either require some important money investment or require you to have a certain level of server knowledge not everyone has.

So please, do try to see this from a different point of view.

badon

I don't disagree with anything you said. But, I remain supportive of progress moving forward with this. As I mentioned, our sites are already taken care of, so as far as website owners go, my support for this is not for my own benefit, it is for yours - for everyone who can't afford expensive services like Incapsula. What is good for everyone is good for me too, because I'm a regular internet user like everyone else is.

As you hinted, our usage of Incapsula could be construed as a symptom of an unfortunate trend toward the consolidation of private sites into much bigger systems like Facebook etc. That would be bad, and that's why I mentioned that Tor's way of doing things has merit. It is accessible to everyone, no matter how small, and it has none of the difficulties that HTTPS has.

Furthermore, Tor has the so-far-unrealized potential to solve a lot of problems with NAT traversal because Tor hidden services are able to get through any degree of NAT. That means Tor opens the door not only to those with very modest means to afford shared website hosting; it will even work on the lowliest of devices that do not even have their own IP address! Isn't that the coolest thing ever?

There is nothing about internet security that can't be solved in a straightforward manner. This is one reason why I support this decision by Firefox. The other reason why I support this decision by Firefox is not what you would expect: If they screw it up, it will cause such widespread dissatisfaction that regular internet users will be looking for alternatives. What will they choose? I'm guessing something like Tor, Perspectives, etc. In short, if necessity is the mother of invention, then making everyone uncomfortable with the WRONG solution will only serve to encourage somebody somewhere to come up with the RIGHT solution.

Quote from: Suki on May 04, 2015, 12:49:05 PM
So please, do try to see this from a different point of view.

If you want everyone to use dangerous drugs, outlaw them! Playing Devil's Advocate can be done by the well-meaning masses just as surely as it can be done by evil corrupt governments creating artificial black markets and then monopolizing it to fund secret illegal activities. Can you foresee how when Firefox proposes something everyone hates, it could indirectly lead to something much better? It's crystal clear for me.

Suki

Again, and I'm sorry to say this to you but you are seeing this from a very narrow angle...

You just naively assume everyone knows what TOR is; you just naively assume the regular internet users will know what "Perspectives" is and how to use it.

Quote
There is nothing about internet security that can't be solved in a straightforward manner

Sure, but this has nothing to do with solving issues... take a look at shared hosting companies: right now they offer unique IPs for shared hosting for some extra cash, they have absolutely no issues doing it, their model works great for them and they have absolutely no intention to switch to something like Apache's SNI extension... especially if that requires some (or any) change in their server infrastructure...

So, most hosting companies have no real incentive to follow this "let's go HTTPS" campaign... hosting companies still see "HTTPS" as just another way to make money... it's not a priority, it's a service they provide and for which they receive an income; they have absolutely no reason to change their current business model.

Quote
If you want everyone to use dangerous drugs, outlaw them! Playing Devil's Advocate can be done by the well-meaning masses just as surely as it can be done by evil corrupt governments creating artificial black markets and then monopolizing it to fund secret illegal activities. Can you foresee how when Firefox proposes something everyone hates, it could indirectly lead to something much better? It's crystal clear for me.

Again, I'm not against going HTTPS all the way... if Mozilla wants to encrypt their underwear that's fine by me! What I'm saying is that this is a pretty premature move; apparently they didn't think it out pretty well either...

It's all upside down... they started with what should have been the end of a long process.
If you want to move to HTTPS then the first thing you need to do is make sure HTTPS is sufficiently affordable to become an industry/technical standard.

The way I see it, with Mozilla pushing forward HTTPS and hosting companies having no incentive to move to it, the small but very precious field for shared hosting websites will become narrower and narrower; small websites that cannot afford unique IPs will be segregated until they disappear too.

Quote
Can you foresee how when Firefox proposes something everyone hates, it could indirectly lead to something much better?

Assuming things again :( The vast majority of users will simply change their browser when they start to see their favorite website no longer works on Firefox or, what's worse, they will all move to websites that do render correctly on Firefox (segregating those websites incapable of moving to HTTPS); they don't give a rat's ass about TOR or NAT connections...

So no... this move will certainly not ignite any "internet revolution"... internet people are sheep, they aren't interested in TOR, NAT or HTTPS, they only care about their Facebook wall.

Quote
As you hinted, our usage of Incapsula could be construed as a symptom of an unfortunate trend toward the consolidation of private sites into much bigger systems like Facebook etc. That would be bad, and that's why I mentioned that Tor's way of doing things has merit. It is accessible to everyone, no matter how small, and it has none of the difficulties that HTTPS has.

Furthermore, Tor has the so-far-unrealized potential to solve a lot of problems with NAT traversal because Tor hidden services are able to get through any degree of NAT. That means Tor opens the door not only those with very modest means to afford shared website hosting, it will even work on the lowliest of devices that do not even have their own IP address! Isn't that the coolest thing ever?

That's pretty idealistic on your part... you again assume TOR is the solution to everything, but let's face it... TOR will never become the de facto internet protocol... for whatever reason.... doesn't matter; one thing is to idealize and romanticize TOR being the solution to everything, but another thing is to look at the real problem and propose real, feasible alternatives.

So, how about getting more real and proposing some real alternatives to this? How would you incentivize hosting companies to embrace HTTPS by default on their hosting plans?

hitsme

Read this

The chain effect: if everyone demands, they supply.

Ex: Google mobile-friendly; like it or not, here it is.
Quote from: Kindred on April 20, 2015, 06:38:08 AM
Although we do not necessarily agree with this new policy, we recognize our users' desire and need to be "compliant", so we have worked out something

It might be a stupid move,
and it might change everything to the right side.
