London Show - why no barrage of announcements from R-Comp/RCI
Pages: 1 2
Frederick Bambrough (1372) 837 posts
It’s back up now.
Steve Pampling (1551) 8155 posts
Not with HTTPS it isn’t. So don’t use it for anything with security sensitive info, or just leave it alone until Alan has finished the fix work. On the subject of HTTPS, anyone using a browser that isn’t capable of at least TLS 1.2 should start looking for something newer. The new RO browser(s) can’t come too soon.¹
¹ Microsoft had targeted July 2020 for the IE disable in default but “because Covid” and that’s temporarily delayed.
Chris Hall (132) 3554 posts
I don’t use TLS at all so hopefully my web site should be OK.
Steve Pampling (1551) 8155 posts
Just HTTP on port 80 then?¹
¹ Many people don’t see the point.
Rick Murray (539) 13806 posts
It will be until the near-ish future when browsers jump on the bandwagon and start shouting about how a connection to your site is “insecure”.
Count me as one of them. I can see, if you need to log in or something, that not having that go as essentially plain text could be a good idea. However for those sites that are mostly static (such as mine) that just don’t deal with user identifiable data, I don’t see the point. It is, of course, at this moment in time that somebody points out the ability to man-in-the-middle your communications and change things or watch what you’re up to. The problem is such arguments don’t hold water. Primarily because I am not in a position to MitM Steve Pampling’s access to any random http-only site. That would need to be his service provider and/or his government and/or some bit of kit on his network (everybody shout Huawei!). And if that’s the case, he’s likely got far bigger issues than whether or not he is using SSL. Secondly, the system is essentially broken from a trust point of view. All that “CertData” rubbish is the backbone of this. You see, we do not trust that NatWest (or any other bank) is NatWest (or any other bank), nor do you trust that heyrick.eu is heyrick.eu. We don’t have server fingerprints to accept or reject like an STTY or SFTP session. Instead, it all happens automatically with a number of “CAs” (certificate authorities) that we’re supposed to “trust” to tell us that NatWest and heyrick are legit. NatWest, being a bank, has a higher level of certification, there’s a good chance that it’ll pop up more details including a registered address. The thing is, CAs are supposed to be entirely trustworthy and irreproachable, and part of the backbone of how the internet works. You know, like TLD organisations such as, say, Nominet. Oh, wait, about that……. Oh, okay. Bad example. NatWest just uses a regular Comodo certificate. How cheap. HSBC, at least, does it correctly. As does La Banque Postale and Banco Bilbao Vizcaya Argentaria.
Then again, I guess that makes my point too, if a bank is using the same sort of certificate as my own site… Anyway, as far as I’m concerned, the real reason for HTTPS is to stop snooping ISPs from knowing people are pirating stuff. But, then, the trail of visible metadata (all those DNS requests) might possibly be an indicator. ;-)
Clive Semmens (2335) 3276 posts
Snap.
Steve Pampling (1551) 8155 posts
As opposed to the current status where the little padlock symbol is crossed in red as in Firefox and similar in the other modern browsers?
Rick Murray (539) 13806 posts
That’s the subtle approach, Steve. I was thinking more akin to the big red GET ME OUT OF HERE message that Firefox pops up for certificate errors, only applied to every single plain http request (unless added as an exception).
Steve Pampling (1551) 8155 posts
The one it throws up when you try connecting to a TLS 1.0 or 1.1 site is nicely full screen (well full browser window) – that still contains a restore TLS 1.0/1.1 button at the moment. Like MS they’ve postponed “because corona” but the blade is raised.
Chris Hall (132) 3554 posts
> Just HTTP on port 80 then?
No, I use ftp to upload data and http:// to view the site, like everyone else. Don’t use any ports and don’t use TLS. I only use TLAs (three letter acronyms).
Rick Murray (539) 13806 posts
Uh, yeah, you do. You just don’t know it.
Chris Hall (132) 3554 posts
Perhaps I should have said I don’t use any special ports, just those that are necessary by default.
Steve Pampling (1551) 8155 posts
Plain FTP? No security/encryption?
Oh, “htp” then :)
Chris Hall (132) 3554 posts
> Plain FTP?
Sorry I should have said plain !FTPc version 1.54 (20-Feb-2017)
Dave Higton (1515) 3497 posts
Include me out of your “everyone else”, please. My web site is https://davehigton.me.uk and I use a recent version of FTPc to upload via secure FTP. It’s another reminder that we need server functionality in the AcornSSL module for web sites hosted on RISC OS machines.
Rick Murray (539) 13806 posts
Uh, you know twenty years have passed since that was normal? My site, for example, uses SFTP with a long string of gibberish as the password. I could paste it here, as it won’t do you any good unless you also have half of the encryption key (of which only two copies exist (in WinSCP on each PC)).
These days, port 443 is the current, with 80 being increasingly the “special”.
Rick Murray (539) 13806 posts
That would be nice. Especially if there was some way to link it with something like Let’s Encrypt instead of self signed (and all the problems that brings).
Steve Pampling (1551) 8155 posts
Be honest, it’s longer than that since RO was ‘normal’
Clive Semmens (2335) 3276 posts
It’s still how I do it. I don’t actually know how else to do it…
Steve Pampling (1551) 8155 posts
No trace of TLS 1.0 or 1.1, one weak cypher (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) in TLS1.2, all fine in TLS1.3. Works with NetSurf (just in case anyone whinges about https use and RO browsers). Proper job.
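The check Steve describes (which protocol versions a site still accepts, and whether the TLS 1.2 suite it negotiates is a CBC/SHA-1 one) can be reproduced with a small probe. This is an added example, not code from anyone in the thread; the host name is a command-line argument, `probe()` reports only the suite negotiated per version rather than enumerating every suite the server offers, and `classify_suite()` accepts both the IANA spelling used in the post and the OpenSSL spelling Python returns.

```python
import socket
import ssl
import sys

# Tags: "non-aead" = CBC/stream + HMAC (MAC-then-encrypt), "sha1-mac" = HMAC-SHA1,
# "legacy-cipher" = 3DES/DES/RC4/NULL/EXPORT, "no-pfs" = static RSA/DH key exchange.
def classify_suite(name: str) -> frozenset:
    n = name.upper().replace("-", "_")          # "ECDHE-RSA-AES128-SHA" -> IANA-like form
    tags = set()
    if not any(m in n for m in ("_GCM_", "_CCM", "CHACHA20")):
        tags.add("non-aead")
    if n.endswith("_SHA"):                      # plain "_SHA" suffix means SHA-1; SHA256/384 are fine
        tags.add("sha1-mac")
    if any(m in n for m in ("3DES", "DES_", "RC4", "NULL", "EXPORT")):
        tags.add("legacy-cipher")
    has_pfs = any(m in n for m in ("ECDHE", "DHE_", "_DHE", "EDH"))
    if not has_pfs and not n.startswith(("TLS_AES", "TLS_CHACHA20")):  # TLS 1.3 suites are always (EC)DHE
        tags.add("no-pfs")
    return frozenset(tags)

VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One handshake per protocol version, pinned to that version.
    Returns {version name: negotiated cipher name or None if refused/unavailable}."""
    results = {}
    for ver in VERSIONS:
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = ver            # may raise ValueError if the local OpenSSL lacks it
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[ver.name] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            results[ver.name] = None             # server (or our own library) refused this version
    return results

def report(results: dict) -> list:
    """Human-readable lines: old versions should be refused, modern suites should carry no tags."""
    lines = []
    for ver, suite in results.items():
        if suite is None:
            lines.append(f"{ver}: refused")
        else:
            tags = ", ".join(sorted(classify_suite(suite))) or "ok"
            lines.append(f"{ver}: {suite} [{tags}]")
    return lines

if __name__ == "__main__":
    print("\n".join(report(probe(sys.argv[1]))))
```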