London Show - why no barrage of announcements from R-Comp/RCI

It’s back up now.

Not with HTTPS it isn’t. So don’t use it for anything with security sensitive info, or just leave it alone until Alan has finished the fix work.
I’m sure he will put in an announcement when he has a moment free.

On the subject of HTTPS, anyone using a browser that isn’t capable of at least TLS 1.2 should start looking for something newer.
Browser manufacturers are pressing to disable TLS 1.0 and 1.1 by default and move toward total removal so people use TLS 1.2 or 1.3¹
This is being matched on the server side with site owners moving up to TLS 1.2 minimum.

The new RO browser(s) can’t come too soon.

¹ Microsoft had targetted July 2020 for the IE disable in default but “because Covid” and that’s temporarily delayed.
MS Edge is already in a TLS 1.2 or higher state.
Mozilla already disable 1.0 and 1.1 by default

I don’t use TLS at all so hopefully my web site should be OK.

I don’t use TLS at all so hopefully my web site should be OK.

Just HTTP on port 80 then?
I think we’ve had the conversation round here about the push to move to a secured presentation with HTTPS everywhere.¹
If they start to tighten the screws on that then HTTP is gone.

¹ Many people don’t see the point.

so hopefully my web site should be OK.

It will be until the near-ish future when browsers jump on the bandwagon and start shouting about how a connection to your site is “insecure”.

Many people don’t see the point.

Count me as one of them. I can see, if you need to log in or something, that not having that go as essentially plain text could be a good idea. However for those sites that are mostly static (such as mine) that just don’t deal with user identifiable data, I don’t see the point.

It is, of course, at this moment in time that somebody points out the ability to man-in-the-middle your communications and change things or watch what you’re up to. The problem is such arguments don’t hold water. Primarily because I am not in a position to MitM Steve Pampling’s access to any random http-only site. That would need to be his service provider and/or his government and/or some bit of kit on his network (everybody shout Huawei!). And if that’s the case, he’s likely got far bigger issues than whether or not he is using SSL.

Secondly, the system is essentially broken from a trust point of view. All that “CertData” rubbish is the backbone of this. You see, we do not trust that NatWest (or any other bank) is NatWest (or any other bank), nor do you trust that heyrick.eu is heyrick.eu. We don’t have server fingerprints to accept or reject like an STTY or SFTP session. Instead, it all happens automatically with a number of “CAs” (certificate authorities) that we’re supposed to “trust” to tell us that NatWest and heyrick are legit. NatWest, being a bank, has a higher level of certification, there’s a good chance that it’ll pop up more details including a registered address.

The thing is, CAs are supposed to be entirely trustworthy and irreproachable, and part of the backbone of how the internet works. You know, like TLD organisations such as, say, Nominet. Oh, wait, about that…….

Oh, okay. Bad example. NatWest just uses a regular Comodo certificate. How cheap. HSBC, at least, does it correctly. As does La Banque Postale and Banco Bilbao Vizcaya Argentaria.

Then again, I guess that makes my point too, if a bank is using the same sort of certificate as my own site…
…to which you don’t completely know that either site is really what they appear to be, you only have other outfits telling you so. And how much can we trust them not to be, shall we say, influenced by government demands and always, indeed, trustworthy? We don’t. We have to trust that we can trust the ones who say they should be trusted. That, in and of itself, is not trust, it’s faith. An entirely different thing. Faith is believing in a loving creator. Faith is believing that Westminster is looking for the best outcome for the citizens of the UK. Faith is believing that Facebook is sorting out its rampant misinformation problem. Faith is NOT being sure that the page in front of you really is your bank. After all, natwest.org and natwest.uk don’t exist, I wonder how much data somebody could get if they registered it, bunged on a Let’s Encrypt certificate, and cloned the real site’s login page? Because it’ll look like the bank, it’ll even have a little padlock, and it won’t be something obvious like “natwest.userhomepages.someisp.net”. Again, trust, not faith.

Anyway, as far as I’m concerned, the real reason for HTTPS is to stop snooping ISPs from knowing people are pirating stuff. But, then, the trail of visible metadata (all those DNS requests) might possibly be an indicator. ;-)

However for those sites that are mostly static (such as mine) that just don’t deal with user identifiable data, I don’t see the point.

Snap.

It will be until the near-ish future when browsers jump on the bandwagon and start shouting about how a connection to your site is “insecure”.

As opposed to the current status where the little padlock symbol is crossed in red as in Firefox and similar in the other modern browsers?
They already started the journey, most of the passengers don’t even realise they are on the bus or that it’s moving. Expecting them to know where it’s going is pretty far-fetched.

That’s the subtle approach, Steve. I was thinking more akin to the big red GET ME OUT OF HERE message that Firefox pops up for certificate errors, only applied to every single plain http request (unless added as an exception).
That day will come… :-/

message that Firefox pops up for certificate errors

The one it throws up when you try connecting to a TLS 1.0 or 1.1 site is nicely full screen (well full browser window) – that still contains a restore TLS 1.0/1.1 button at the moment. Like MS they’ve postponed “because corona” but the blade is raised.

Just HTTP on port 80 then?

No, I use ftp to upload data and http:// to view the site, like everyone else. Don’t use any ports and don’t use TLS. I only use TLAs (three letter acronyms).

Don’t use any ports

Uh, yeah, you do. You just don’t know it.
https://en.wikipedia.org/wiki/Port_(computer_networking)

Perhaps I should have said I don;t use any special ports, just those that are necessary by default.

No, I use ftp to upload data and http:// to view the site

Plain FTP? No security/encryption?

I only use TLAs (three letter acronyms).

Oh, “htp” then :)

Plain FTP?

Sorry I should have said plain !FTPc version 1.54 (20-Feb-2017)

No, I use ftp to upload data and http:// to view the site, like everyone else.

Include me out of your “everyone else”, please.

My web site is https://davehigton.me.uk and I use a recent version of FTPc to upload via secure FTP.

It’s another reminder that we need server functionality in the AcornSSL module for web sites hosted on RISC OS machines.

I use ftp to upload data and http:// to view the site, like everyone else.

Uh, you know twenty years have passed since that was normal?

My site, for example, uses SFTP with a long string of gibberish as the password. I could paste it here, as it won’t do you any good unless you also have half of the encryption key (of which only two copies exist (in WinSCP on each PC)).

I don;t use any special ports, just those that are necessary by default.

These days, port 443 is the current, with 80 being increasingly the “special”.
I wonder how long it will be before browsers, not given an explicit protocol, assume https:// and don’t bother trying port 80?

that we need server functionality in the AcornSSL module for web sites hosted on RISC OS machines.

That would be nice. Especially if there was some way to link it with something like Let’s Encrypt instead of self signed (and all the problems that brings).

Uh, you know twenty years have passed since that was normal?

Be honest, it’s longer than that since RO was ‘normal’

No, I use ftp to upload data and http:// to view the site, like everyone else.

Uh, you know twenty years have passed since that was normal?

It’s still how I do it. I don’t actually know how else to do it…

My web site is https://davehigton.me.uk

No trace of TLS 1.0 or 1.1, one weak cypher (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) in TLS1.2, all fine in TLS1.3
That “weak” in TLS 1.2 has to be taken alongside the fact it’s 1.2 and there’s no deprecated TLS support (TLS 1.0/1.1) at all.

Works with NetSurf (just in case anyone whinges about https use and RO browsers)

Proper job.