RISC OS Open: Forum: HTTPS Only mode

Nov 22, 2020 8:43am

As an extension of a recent topic about HTTPS (or not) the recent release of Firefox has a prominent feature – HTTPS Only mode

Quote:

Firefox attempts to establish fully secure connections to every website, and
Firefox asks for your permission before connecting to a website that doesn’t support secure connections.

So there you have the first signs of a push to kill HTTP. I’m sure Rick will be saying “See, I told you so” etc.
As with all such features this is not a default in this build and you have to manually select the mode.
Without even bothering to dig in their timeline for a future change date you just know this is going to be a default sooner or later and then the “no HTTP” will kick in.

Which reminds me – Flash support, December 2020…

Nov 22, 2020 8:55am

Dave Higton (1515) 3534 posts

So there you have the first signs of a push to kill HTTP.

? It’s a late stage of a movement that has been going for an embarrassingly long time (should have been completed long ago). That’s why I’ve been going on about server capability in AcornSSL.

Nov 22, 2020 11:10am

Steve Pampling (1551) 8172 posts

It’s a late stage of a movement that has been going for an embarrassingly long time

I was putting it up as a real “in your face” stage of the movement toward totally HTTPS.
As it stands enabling the feature throws up a warning screen and a button selection to either continue¹ or cancel. It seems to remember the status. How long before it’s a default?

That’s why I’ve been going on about server capability in AcornSSL.

Didn’t someone recently do something along those lines with HTTPLib ?

¹ I was about to say “Continue” isn’t always successful after testing with two “random” RO sites, but SVRSIG fails through OK, and Plingstore simply fails – even on IE, so I think PlingStore may have a problem again. (Confirmed by http://www.justdownforme.com/)
http://www.svrsig.org/ gives the warning page and then “continue” takes you to the HTTP page.

Nov 22, 2020 6:56pm

Alan Adams (2486) 1149 posts

So how does this affect Webjames?

Nov 22, 2020 7:35pm

Dave Higton (1515) 3534 posts

So how does this affect Webjames?

WebJames can’t do https unless something comes along to give server capability. That’s exactly why I’ve kept mentioning server capability for AcornSSL, as it seems to me to be the easiest way.

Nov 22, 2020 7:38pm

Steve Pampling (1551) 8172 posts

So how does this affect Webjames?

Interesting question. I think that Firefox 83.0 should react to the HTTPS fail by dropping to HTTP when you click “Continue”.
Perhaps someone with a WebJames server could test how Firefox 83 behaves when in HTTPS-only mode.

Later releases will no doubt push toward no HTTP.
As Dave has said a number of times AcornSSL and RO in general need SSL server support.

Nov 22, 2020 9:11pm

Bryan (8467) 468 posts

Perhaps someone with a WebJames server could test how Firefox 83 behaves when in HTTPS-only mode.

I am currently using Firefox 83 on Windows 7 with ~~HTML~~ HTTPS Only Mode set in Tools, Options.

And I get the normal response to the page
http://10.0.128.116:9000/enquiry.html

Of course, this is using a local address. Using a public address will require that I change this PC to use a different outgoing (mobile) router and also allow public access to the WebJames on my FTTC Internet.

EDIT: post corrected on following day

Nov 22, 2020 9:24pm

Bryan (8467) 468 posts

OK I have done the changes and this time using
http://82.xxx.yyy.zzz:9000/enquiry.html
I get the response

HTTPS-Only Mode Alert
Secure Connection Not Available

You’ve enabled HTTPS-Only Mode for enhanced security,
and a HTTPS version of 82.xx.yyy.zzz:9000 is not available.

So, it it seems Firefox 83 only does the check on public addresses. (which could be useful, in my case)

And, of course, changing outgoing Internet connections meant that I had togin here, again, to post this using the same browser on the same computer

Nov 22, 2020 9:53pm

Chris Mahoney (1684) 2165 posts

Didn’t someone recently do something along those lines with HTTPLib ?

I’m afraid not. HTTPLib is a C wrapper around URL/AcornHTTP/AcornSSL that makes them easier to use, but there’s no server functionality in there.

That reminds me… I still need to get around to releasing the latest version!

Nov 22, 2020 11:52pm

Bryan (8467) 468 posts

Interesting question. I think that Firefox 83.0 should react to the HTTPS fail by dropping to HTTP when you click “Continue”.

I should have read the complete Firefox page more completely. Tucked away at the very bottom of the page is an option to continue in HTTP mode for the current website only. I got distracted by the fact that it allowed local websites.

Nov 23, 2020 12:55am

Paolo Fabio Zaino (28) 1882 posts

WebJames can’t do https unless something comes along to give server capability.

Correct, unless you put webJames behind a Web Proxy like NGINX, in which case NGINX can do the HTTPS for you and forward the request in HTTP to WebJames, take the response from webjames and push it back via HTTPS ;)

If, someone is trying to use WebJames for public pages etc… I would strongly recommend to use NGINX in front of it and configure security measures on NGINX.

Nov 23, 2020 8:04am

Steve Pampling (1551) 8172 posts

Tucked away at the very bottom of the page is an option to continue in HTTP mode for the current website only. I got distracted by the fact that it allowed local websites.

Yup, option button/icon with “Continue”.

The local address stuff I will check shortly, on the VPN to work, as there’s a couple of web front ends that I think are still HTTP.

Nov 23, 2020 11:01am

David Feugey (2125) 2709 posts

WebJames can’t do https unless something comes along to give server capability. That’s exactly why I’ve kept mentioning server capability for AcornSSL, as it seems to me to be the easiest way.

An interim solution could be to compile WebJames against some a SSL Library, as done earlier with POPStar.
There is also the problem of certificate renewal (especially with Let’s Encrypt).
I hope that HTTP-Server (from Thomas) or WebJames will be able to do this soon :)

Nov 23, 2020 12:03pm

Steve Pampling (1551) 8172 posts

The local address stuff I will check shortly, on the VPN to work, as there’s a couple of web front ends that I think are still HTTP.

Tested. Same behaviour – click to “Continue” – on 192.168.0.0/16 with /24 subnet blocks.

So, it seems Firefox 83 only does the check on public addresses. (which could be useful, in my case)

I suspect you may have done a “continue” and it remembers that for the rest of the session.
Test: Connect to your internal site and if you don’t get the warning then check the status when you click on the padlock on the URL bar

Nov 23, 2020 12:20pm

Steve Pampling (1551) 8172 posts

There is also the problem of certificate renewal (especially with Let’s Encrypt).

While the certificate for the specific host (or wildcarded to a domain tier) has a lifetime which might be short the chain of trust down through intermediate and root certificates has a longer life. That’s why the certificate updates for the current (ported) SSL module don’t have weekly updates.
The offered host certificate is checked for date validity, checked for validity in the intermediate and the intermediate is checked against the root and revoke lists.

I hope that HTTP-Server (from Thomas) or WebJames will be able to do this soon :)

Given the increased interest in being a pain in the nether that people on Russian IP’s are showing at present¹ I would suggest that a decent firewall/reverse proxy as recommended by Paolo above would be a sensible move.
WebJames is not, and is never likely to be, hardened enough to survive beyond a script-kiddie hack.

¹ Apparently having had successes in hacking and trashing US medical facilities UK NHS facilities are enticing – or so our firewall logs say…

Nov 23, 2020 1:21pm

Bryan (8467) 468 posts

So, it seems Firefox 83 only does the check on public addresses.

(which could be useful, in my case)
I suspect you may have done a “continue” and it remembers that for the rest of the session.
Test: Connect to your internal site and if you don’t get the warning then check the status when you click on the padlock on the URL bar

Sorry. No, I don’t think that is the case for two reasons:-
1. Yesterday, I looked at the local http site first.
2. I have just tried it again – with the Windows 7 computer turned off overnight.

Maybe, it is the 10.×.y.z local address which is allowed
or,
Maybe, it is the non-standard port.

Either way, it connects and the padlock has a red bar through it and says the connection is not secure.

Nov 23, 2020 2:37pm

David Feugey (2125) 2709 posts

WebJames is not, and is never likely to be, hardened enough to survive beyond a script-kiddie hack.

WebJames will survive much longer than RISC OS :)
I remember that my server was dying twice a day: when the Google robots came, and when the China robots came.

Anyway, this is not for Internet, but to deploy webapps on Intranets.
Even here, people (and web browsers) ask for HTTPS now.

Nov 23, 2020 6:02pm

Steve Pampling (1551) 8172 posts

Maybe, it is the non-standard port.

That’s probably it. Their code probably assumes port 80 for HTTP

Nov 24, 2020 5:52pm

Bryan (8467) 468 posts

Nope. Thats not it. Just tried it again. It definately connects to Webjames on a 10.0.×.y local address on a range of ports including 80, 9000 and others.

The Firefox HTTPS Only Mode check is not effective on 10.0.×.y addresses. Not tried other ‘local addresses’ as I don’t have any.

I also checked using the clever NAT loopback facility on my DrayTek 2860 FTTC router. Firefox rejects the 82.×.y.z public Internet address even though the Internet address connection never actually leaves my local area network.

Nov 24, 2020 7:26pm

Steve Pampling (1551) 8172 posts

The Firefox HTTPS Only Mode check is not effective on 10.0.×.y addresses.

Sounds like a bug to me.

Not tried other ‘local addresses’ as I don’t have any.

I’ve got devices in 192.168.0.0/16, 172.16-31.0.0 and if I go through the firewall to the exterior on 10.0.0.0 to play with (if I have time¹ with all the catchup work) but I’m pretty sure none of the 10.0.0.0/8 are HTTP

¹ Weird or what? Back in 2012 my then colleague departed and for 5-6 months there was only me. We get to 2020, I go off sick for 5 months and the team which was 4 strong(minus me=3) when I went off is 6 strong now. The wife always wanted to know how many people it would take to replace me and says it’s obviously more than two…

Nov 24, 2020 8:12pm

Bryan (8467) 468 posts

Sounds like a bug to me.

Maybe, my 255.255.0.0 Netmask is upsetting it. (although I am not complaining)

I use 255.255.0.0 because I used to have VPNs to two other sites which used 10.1.0.0 and 10.2.0.0

Nov 24, 2020 8:31pm

Steve Pampling (1551) 8172 posts

I use 255.255.0.0 because I used to have VPNs to two other sites which used 10.1.0.0 and 10.2.0.0

That’s what routers are for – linking between subnets.
Or if you have no router in line then NAT on the VPN termination point.

Nov 25, 2020 12:52pm

Bryan (8467) 468 posts

That’s what routers are for – linking between subnets.

I also use my FTTC DrayTek 2860 to do the following:-
– NAT Open Ports – to route incoming TCP/IP to the correct server,
– Static Route – to route Google outgoing HTTP/HTTPS out via EE Mobile

I also used to have a second ADSL service (on a DrayTec modem) and the 2860 would happily route incoming and outgoing data for that.

Nov 27, 2020 4:34pm

Bryan (8467) 468 posts

If, someone is trying to use WebJames for public pages etc… I would strongly recommend to use NGINX in front of it and configure security measures on NGINX.

Why? As Rick said some time ago regarding any attempt to hack a WebJames server. “Good Luck with that”

And then, why worry? If the RISC OS system only has the public web pages on it, then any hacker succeeding in hacking WebJames is going to be mightily disappointed when all that is found is the web pages which were visible anyway.

Nov 27, 2020 6:27pm

Paolo Fabio Zaino (28) 1882 posts

Why? As Rick said some time ago regarding any attempt to hack a WebJames server. “Good Luck with that”

Why? here is why:

NGINX can handle HTTPS requests for webjames and act as a proxy. This requires no changes on WebJames whatsoever.
WebJames CAN be hacked, if nothing a DoS can be attempted OR a buffer or heap overflow by sending huge POSTs (I haven’t tested this in a long time, so it may have been fixed now), Also at some point WebJames supported PHP and I think also BBC BASIC via CGI
NGINX could cache WebJames static content to improve WebJames performance
NGINX can be patched to use modsecurity plugins that allows you to fine tune your security by also analysing portions of the request/response body via a very simple rule-based language (for example let’s say you create an app site were people can upload their ZIPs etc…

But anyway, as always just my 0.5c, if people want to put webjames exposed directly it’s their choice :)

HTTPS Only mode

Reply

Search forums

Social

ROOL Store

Donate! Why?

RISC OS IPR

Description

Voices

Options

Nov 22, 2020 8:43am Steve Pampling (1551) 8172 posts	As an extension of a recent topic about HTTPS (or not) the recent release of Firefox has a prominent feature – HTTPS Only mode Quote: Firefox attempts to establish fully secure connections to every website, and Firefox asks for your permission before connecting to a website that doesn’t support secure connections. So there you have the first signs of a push to kill HTTP. I’m sure Rick will be saying “See, I told you so” etc. As with all such features this is not a default in this build and you have to manually select the mode. Without even bothering to dig in their timeline for a future change date you just know this is going to be a default sooner or later and then the “no HTTP” will kick in. Which reminds me – Flash support, December 2020…

Nov 22, 2020 8:55am Dave Higton (1515) 3534 posts	So there you have the first signs of a push to kill HTTP. ? It’s a late stage of a movement that has been going for an embarrassingly long time (should have been completed long ago). That’s why I’ve been going on about server capability in AcornSSL.

Nov 22, 2020 11:10am Steve Pampling (1551) 8172 posts	It’s a late stage of a movement that has been going for an embarrassingly long time I was putting it up as a real “in your face” stage of the movement toward totally HTTPS. As it stands enabling the feature throws up a warning screen and a button selection to either continue¹ or cancel. It seems to remember the status. How long before it’s a default? That’s why I’ve been going on about server capability in AcornSSL. Didn’t someone recently do something along those lines with HTTPLib ? ¹ I was about to say “Continue” isn’t always successful after testing with two “random” RO sites, but SVRSIG fails through OK, and Plingstore simply fails – even on IE, so I think PlingStore may have a problem again. (Confirmed by http://www.justdownforme.com/) http://www.svrsig.org/ gives the warning page and then “continue” takes you to the HTTP page.

Nov 22, 2020 6:56pm Alan Adams (2486) 1149 posts	So how does this affect Webjames?

Nov 22, 2020 7:35pm Dave Higton (1515) 3534 posts	So how does this affect Webjames? WebJames can’t do https unless something comes along to give server capability. That’s exactly why I’ve kept mentioning server capability for AcornSSL, as it seems to me to be the easiest way.

Nov 22, 2020 7:38pm Steve Pampling (1551) 8172 posts	So how does this affect Webjames? Interesting question. I think that Firefox 83.0 should react to the HTTPS fail by dropping to HTTP when you click “Continue”. Perhaps someone with a WebJames server could test how Firefox 83 behaves when in HTTPS-only mode. Later releases will no doubt push toward no HTTP. As Dave has said a number of times AcornSSL and RO in general need SSL server support.

Nov 22, 2020 9:11pm Bryan (8467) 468 posts	Perhaps someone with a WebJames server could test how Firefox 83 behaves when in HTTPS-only mode. I am currently using Firefox 83 on Windows 7 with ~~HTML~~ HTTPS Only Mode set in Tools, Options. And I get the normal response to the page http://10.0.128.116:9000/enquiry.html Of course, this is using a local address. Using a public address will require that I change this PC to use a different outgoing (mobile) router and also allow public access to the WebJames on my FTTC Internet. EDIT: post corrected on following day

Nov 22, 2020 9:24pm Bryan (8467) 468 posts	OK I have done the changes and this time using http://82.xxx.yyy.zzz:9000/enquiry.html I get the response HTTPS-Only Mode Alert Secure Connection Not Available You’ve enabled HTTPS-Only Mode for enhanced security, and a HTTPS version of 82.xx.yyy.zzz:9000 is not available. So, it it seems Firefox 83 only does the check on public addresses. (which could be useful, in my case) And, of course, changing outgoing Internet connections meant that I had togin here, again, to post this using the same browser on the same computer

Nov 22, 2020 9:53pm Chris Mahoney (1684) 2165 posts	Didn’t someone recently do something along those lines with HTTPLib ? I’m afraid not. HTTPLib is a C wrapper around URL/AcornHTTP/AcornSSL that makes them easier to use, but there’s no server functionality in there. That reminds me… I still need to get around to releasing the latest version!

Nov 22, 2020 11:52pm Bryan (8467) 468 posts	Interesting question. I think that Firefox 83.0 should react to the HTTPS fail by dropping to HTTP when you click “Continue”. I should have read the complete Firefox page more completely. Tucked away at the very bottom of the page is an option to continue in HTTP mode for the current website only. I got distracted by the fact that it allowed local websites.

Nov 23, 2020 12:55am Paolo Fabio Zaino (28) 1882 posts	WebJames can’t do https unless something comes along to give server capability. Correct, unless you put webJames behind a Web Proxy like NGINX, in which case NGINX can do the HTTPS for you and forward the request in HTTP to WebJames, take the response from webjames and push it back via HTTPS ;) If, someone is trying to use WebJames for public pages etc… I would strongly recommend to use NGINX in front of it and configure security measures on NGINX.

Nov 23, 2020 8:04am Steve Pampling (1551) 8172 posts	Tucked away at the very bottom of the page is an option to continue in HTTP mode for the current website only. I got distracted by the fact that it allowed local websites. Yup, option button/icon with “Continue”. The local address stuff I will check shortly, on the VPN to work, as there’s a couple of web front ends that I think are still HTTP.

Nov 23, 2020 11:01am David Feugey (2125) 2709 posts	WebJames can’t do https unless something comes along to give server capability. That’s exactly why I’ve kept mentioning server capability for AcornSSL, as it seems to me to be the easiest way. An interim solution could be to compile WebJames against some a SSL Library, as done earlier with POPStar. There is also the problem of certificate renewal (especially with Let’s Encrypt). I hope that HTTP-Server (from Thomas) or WebJames will be able to do this soon :)

Nov 23, 2020 12:03pm Steve Pampling (1551) 8172 posts	The local address stuff I will check shortly, on the VPN to work, as there’s a couple of web front ends that I think are still HTTP. Tested. Same behaviour – click to “Continue” – on 192.168.0.0/16 with /24 subnet blocks. So, it seems Firefox 83 only does the check on public addresses. (which could be useful, in my case) I suspect you may have done a “continue” and it remembers that for the rest of the session. Test: Connect to your internal site and if you don’t get the warning then check the status when you click on the padlock on the URL bar

Nov 23, 2020 12:20pm Steve Pampling (1551) 8172 posts	There is also the problem of certificate renewal (especially with Let’s Encrypt). While the certificate for the specific host (or wildcarded to a domain tier) has a lifetime which might be short the chain of trust down through intermediate and root certificates has a longer life. That’s why the certificate updates for the current (ported) SSL module don’t have weekly updates. The offered host certificate is checked for date validity, checked for validity in the intermediate and the intermediate is checked against the root and revoke lists. I hope that HTTP-Server (from Thomas) or WebJames will be able to do this soon :) Given the increased interest in being a pain in the nether that people on Russian IP’s are showing at present¹ I would suggest that a decent firewall/reverse proxy as recommended by Paolo above would be a sensible move. WebJames is not, and is never likely to be, hardened enough to survive beyond a script-kiddie hack. ¹ Apparently having had successes in hacking and trashing US medical facilities UK NHS facilities are enticing – or so our firewall logs say…

Nov 23, 2020 1:21pm Bryan (8467) 468 posts	So, it seems Firefox 83 only does the check on public addresses. (which could be useful, in my case) I suspect you may have done a “continue” and it remembers that for the rest of the session. Test: Connect to your internal site and if you don’t get the warning then check the status when you click on the padlock on the URL bar Sorry. No, I don’t think that is the case for two reasons:- 1. Yesterday, I looked at the local http site first. 2. I have just tried it again – with the Windows 7 computer turned off overnight. Maybe, it is the 10.×.y.z local address which is allowed or, Maybe, it is the non-standard port. Either way, it connects and the padlock has a red bar through it and says the connection is not secure.

Nov 23, 2020 2:37pm David Feugey (2125) 2709 posts	WebJames is not, and is never likely to be, hardened enough to survive beyond a script-kiddie hack. WebJames will survive much longer than RISC OS :) I remember that my server was dying twice a day: when the Google robots came, and when the China robots came. Anyway, this is not for Internet, but to deploy webapps on Intranets. Even here, people (and web browsers) ask for HTTPS now.

Nov 23, 2020 6:02pm Steve Pampling (1551) 8172 posts	Maybe, it is the non-standard port. That’s probably it. Their code probably assumes port 80 for HTTP

Nov 24, 2020 5:52pm Bryan (8467) 468 posts	Nope. Thats not it. Just tried it again. It definately connects to Webjames on a 10.0.×.y local address on a range of ports including 80, 9000 and others. The Firefox HTTPS Only Mode check is not effective on 10.0.×.y addresses. Not tried other ‘local addresses’ as I don’t have any. I also checked using the clever NAT loopback facility on my DrayTek 2860 FTTC router. Firefox rejects the 82.×.y.z public Internet address even though the Internet address connection never actually leaves my local area network.

Nov 24, 2020 7:26pm Steve Pampling (1551) 8172 posts	The Firefox HTTPS Only Mode check is not effective on 10.0.×.y addresses. Sounds like a bug to me. Not tried other ‘local addresses’ as I don’t have any. I’ve got devices in 192.168.0.0/16, 172.16-31.0.0 and if I go through the firewall to the exterior on 10.0.0.0 to play with (if I have time¹ with all the catchup work) but I’m pretty sure none of the 10.0.0.0/8 are HTTP ¹ Weird or what? Back in 2012 my then colleague departed and for 5-6 months there was only me. We get to 2020, I go off sick for 5 months and the team which was 4 strong(minus me=3) when I went off is 6 strong now. The wife always wanted to know how many people it would take to replace me and says it’s obviously more than two…

Nov 24, 2020 8:12pm Bryan (8467) 468 posts	Sounds like a bug to me. Maybe, my 255.255.0.0 Netmask is upsetting it. (although I am not complaining) I use 255.255.0.0 because I used to have VPNs to two other sites which used 10.1.0.0 and 10.2.0.0

Nov 24, 2020 8:31pm Steve Pampling (1551) 8172 posts	I use 255.255.0.0 because I used to have VPNs to two other sites which used 10.1.0.0 and 10.2.0.0 That’s what routers are for – linking between subnets. Or if you have no router in line then NAT on the VPN termination point.

Nov 25, 2020 12:52pm Bryan (8467) 468 posts	That’s what routers are for – linking between subnets. I also use my FTTC DrayTek 2860 to do the following:- – NAT Open Ports – to route incoming TCP/IP to the correct server, – Static Route – to route Google outgoing HTTP/HTTPS out via EE Mobile I also used to have a second ADSL service (on a DrayTec modem) and the 2860 would happily route incoming and outgoing data for that.

Nov 27, 2020 4:34pm Bryan (8467) 468 posts	If, someone is trying to use WebJames for public pages etc… I would strongly recommend to use NGINX in front of it and configure security measures on NGINX. Why? As Rick said some time ago regarding any attempt to hack a WebJames server. “Good Luck with that” And then, why worry? If the RISC OS system only has the public web pages on it, then any hacker succeeding in hacking WebJames is going to be mightily disappointed when all that is found is the web pages which were visible anyway.

Nov 27, 2020 6:27pm Paolo Fabio Zaino (28) 1882 posts	Why? As Rick said some time ago regarding any attempt to hack a WebJames server. “Good Luck with that” Why? here is why: NGINX can handle HTTPS requests for webjames and act as a proxy. This requires no changes on WebJames whatsoever. WebJames CAN be hacked, if nothing a DoS can be attempted OR a buffer or heap overflow by sending huge POSTs (I haven’t tested this in a long time, so it may have been fixed now), Also at some point WebJames supported PHP and I think also BBC BASIC via CGI NGINX could cache WebJames static content to improve WebJames performance NGINX can be patched to use modsecurity plugins that allows you to fine tune your security by also analysing portions of the request/response body via a very simple rule-based language (for example let’s say you create an app site were people can upload their ZIPs etc… But anyway, as always just my 0.5c, if people want to put webjames exposed directly it’s their choice :)