AcornSSL server functionality
Dave Higton (1515) 3534 posts |
This need is more pressing as time goes by. It’s possible to make Google voice apps, but they need an https URL to connect to. http is not an option. In general http is rapidly being deprecated. (I thought there was a topic about this already, but I haven’t been able to find it.) |
Jon Abbott (1421) 2651 posts |
HTTP was officially deprecated by many browsers after W3C announced their intention to push all sites across to HTTPS. Mozilla for example announced back in 2015 and Google back in 2014. As far as I know there’s no kill date though…which is unfortunate as there’s no real motivation to force HTTPS adoption beyond nag boxes and some broken API’s. |
Rick Murray (539) 13850 posts |
Probably because there are some serious issues with https adoption with respect to public hotspots. See this for an example: https://heyrick.eu/blog/index.php?diary=20160928 I can add, since then, several McDonald’s. My local, when I last used the WiFi (a few years ago), still allowed https but no longer permitted the use of VPN. |
David J. Ruck (33) 1636 posts |
Many hotspots only allow HTTP and HTTPS via port blocking everything else, often they don’t check what traffic is on those ports, so I’ve got a SSH server set up on port 443 for such circumstances. But I’m pretty sure they won’t kill off HTTP completely, who wants to be messing around with certificates for internal servers. |
Rick Murray (539) 13850 posts |
The blog page I linked to shows hotspots pushing their own certificates so they can intercept and check (in some automated manner) the traffic passing on the “secure” connection, thus utterly defeating the purpose of having encryption in the first place.
Not until WebJames supports https. ;-)
Too many people for my liking. I have two printers that have WiFi management capabilities. The user stuff is a regular HTTP connection, the management stuff switches you to HTTPS (even for cleaning the heads, FFS). I’ve had to tell Firefox to add an exception for those devices (by IP address) because it’s an internal self-signed certificate. |
Steve Pampling (1551) 8172 posts |
Deliberate MTM, often used by older proxy server/firewall/AV setups. Relies on the client accepting the bogus certificate instead of the one from the real site/server.
Well logic would say “so the delivered data to the printer couldn’t be ‘stolen’/replicated elsewhere” but:
and
Most of those devices allow you to import a certificate, of course then you’re in the ‘is the certificate chain trusted’ realm unless you get one from a trusted ‘certificate authority’
There’s a few like that installed as part of setups done by the Medical Electronics dept. Since the management settings were default (no password etc) they changed to be passworded and the Wi-Fi turned off so the only access is via wired connection. 0:-) |
Paolo Fabio Zaino (28) 1882 posts |
Yup, HTTP is going to be around still for a while. However its use will probably move toward specific cases or left hanging for people who really do not care. While for the general user and the so called Home Desktop User it’s pretty much dead at this point also because common Internet browsers are all complaining about http these days “Not Secure”, and in the other hand https became accessible to everyone thanks to let’s encrypt free certificates etc. For the public hotspot you can run a VPN using port 80 as well, so not a big deal. Many caffe etc. do not have equipment like Blue Coat or proxy configuration unless they opt for full managed WiFi services (Hot Spots) which instead uses proxies, but also there it’s still possible to encrypt your traffic if you really want to. However, to stay on topic, I totally agree with Dave H. post, so +1 for me. |
Paolo Fabio Zaino (28) 1882 posts |
@ Rick
Yes, nowadays the new gold is user-data, so there are quite a lot of investments being made to sniff and extract user data is all possible ways, even the Javascripts in a web page are used for such a reason and social media trying to track people (also the ones without a social media profile) over the internet using cross-scripting and they like buttons which, btw if you do not have on your website people do not share your content etc. So the reality is simple do not use hotspot, go to “Jorge’s Caffe” instead of BigCorp place, make sure they have a regular WiFi, use your own VPN and configure it so that it doesn’t leaks information, use HTTPS and browse only sites you trust. Oh and btw also your antivirus aka Internet Security Suite is actually sniffing your data while saying they protect you… Sorry for the dystopian comment… |
Dave Higton (1515) 3534 posts |
One reason I want https server functionality is to have enhanced security (as against a standard server). I currently have a non-standard http server at home for my home automation stuff. The http command has to have exactly the right password built into it, or my server doesn’t respond at all and simply closes the socket. There are no error responses, which would give hackers a clue that it is an http service and that they can just keep trying. My way, they have no clue what they’re dealing with or how to get into it. The password is long and it’s not a word. At all. I want the same with https. Negotiating the certificate is one thing, and it simply has to be done, but I don’t want to give out any other clues to hackers. I get several hacking attempts a week on average. All fruitless. |
Paolo Fabio Zaino (28) 1882 posts |
@ Steve
For a site that supports HSTS yes, but unfortunately not all do still, but beside the HSTS, hot spots sniff IPs and DNS queries you make, some runs telemetric traffic analysis to detect chats vs audio streaming vs regular web browsing. Others even try to do port scanning sometimes (which btw is also done by some website and service we use). And that is not all, what about the services hosting websites and files to download? There have been scandals in the past also for website like sourceforge accused of deliberately modifying software that was being downloaded by user from open source projects hosted there. So what can happens on file stored on ISP you do not control? For 3rd parties VPN, many have been found leaking data, analysing customer’s traffic etc. Ok so let’s avoid computers and laptop and let’s use smart phones? Nah, smart phone tracks a user to the impossible, google has been found measuring user position (geographical coordinates being sent back to google) on Android every 4 minutes and again sniffing the impossible. Apple keep saying privacy is a value for them, but then at every WDC etc. they never miss telling everyone how many pictures have been taken last year with an iphone etc. On top of all that we obviously have malware and we are now facing next gen attacks that will also use AI. So yes it’s a mess, but the only way to really stay safe, unfortunately, is to avoid technology at any costs and/or use a lovely Archimedes and do not get on the internet ever ;) Again sorry for the even more dystopian comment |
Rick Murray (539) 13850 posts |
Several a week ? That’s little league. Several a day is more like it, and from time to time several dozen in the space of a few minutes.
Oh, you’re probably overthinking this. ;-) I might worry about giving clues to hackers if a believed that there was a person involved. But the regularity of what happens indicates quite clearly that it is just an automated script flinging crap at IP addresses to see what sticks. A lot from China, from Israel, from Russia… Also some other places. My own server drops connections by blocking those entire countries. I’d add that to WebJames if I could ever get the DDE version to build. So dropping connections is useful to give them the shove. But if you don’t, you’ll just be sending back 404s for phpmyadmin (in a bunch of different case styles), then some other common stuff for mysql, and so on. If you’re lucky, there might be an IIS hack too, but I’m seeing a lot less of those.
Not at all. It’s sadly true.
Oh, these days 4G is pretty commonplace around here 1, so I don’t worry with hotspots any more.
In short, privacy is dead if you use software you didn’t write on modern machines. Now, the thing is there’s too much information for anybody to hope to make sense of, so it’s likely to be used for aggregate trends in reporting how people watch stuff. Perhaps this has already influenced the little pop-ups for skipping titles and credits (because few people bother with those, especially when watching episodes of a series back to back). The problem is when this information is being used to make profiles, but the person involved is out of the loop and the profile is generated by randomly harvested data and AI. Which means it is likely horribly wrong and so lacking in intelligence that if you buy a shaver, you’ll get spammed for a bunch of adverts trying to tempt you to buy a shaver, when in reality unless you hate your new shaver, that’ll be something you don’t need. Back to Netflix. I’m currently on and off watching The Worst Witch because if it’s late and I’m tired, it’s a way to pass a half hour before bedtime with nothing too deep or likely to keep me awake thinking about it. I wonder what their suggestion algorithm will make of that? 1 Home ADSL, 4.7km line, about 3.7 megabit. Walk into the right spot of a muddy field, face west, about 42 megabit! |
Paolo Fabio Zaino (28) 1882 posts |
@ Rick
Oh yeah totally, but if you look at the “big picture” you’ll see that at a global scale it actually works, otherwise there won’t be so many people investing on it… I mean NVidia buying ARM for 40B mostly for AI clearly shows there is a lot of demand for it and it’s not just that, investment in high memory bandwidth like HBM2 (and next 3) and XGDD6 etc… are also pushed a lot by AI and big data. So yes you are correct many profiles are totally wrong, but the sales increase in the global picture works, so no it’s not about “john” or “Mario” it’s about figuring out what a certain area wants in general at a certain moment of the year. Yes in the future they also want to improve the single-person targeting, but that will take some time still. What really worries me is instead the social divisions and the social stress that have emerged from the so called “social media” revolution. Tremendous increase in teenager suicides, increased anxiety, social divisions due fake news that also caused crazy situations in different countries.
Be careful with “where” it comes from, if you track it with free stuff the country name comes from a DB that may or may not be accurate and up-to-date and even if it is that’s just the IP of the last node from where you’ve received traffic. But that node may be the last node of a proxy chain OR just a host of a botnet (in both cases they have no idea they attacked you).
You can actually add that to your router, look for OpenWRT router firmware to replace your router firmware or just add your old router in-front of the IAP router (which btw also analyse your traffic) and flash it with OpenWRT, then install OpenWRT plugins to block traffic by country and make sure you use a good and up-to-date DB and update it every day. So you can port forwarding only what you want to your WebJames. Also another cool trick if you like to play with Linux is to put an RPi 3 or 4 in front of your webserver installing linux on it and NGINX webserver, add the NGINX patch for modsecurity so you can create very fine grane rules for NGINX and then configure NGINX to proxy to webjames on a RISC OS RPi running webjames this way you: If you really want to go ISP lol you can do even more running an RPi cluster with the first node running Linux for security and NGINX to load balance requests across the other RPi on your cluster and all the other RPis runs RISC OS with WebJames protected and can serve many many users and still consume less than an Intel based server ;) |
Steve Pampling (1551) 8172 posts |
That stuff is broken by HSTS That was more a comment from me about the effect of HSTS when the organisational proxy is doing that MTM to check for malware etc1 – inspected traffic breaks and the user complains, uninspected traffic could carry malware so it becomes time to spend on new kit that does inspection in a way that doesn’t break the user connection. When you consider that the porn and malware sites are usually the first to adopt the new security standards you wonder who this is supposed to benefit. All this and dealing with supplier web sites with broken certificates2 (expired, self certified, wrong domain…) 1 I do IT support. It’s my job to try and protect users from themselves while letting them access every thing legal. 2 I’ve mentioned a few previously, naming names due to the unlimited stupidity. The actual list I have is over 1000 lines. |
Steve Pampling (1551) 8172 posts |
66% increase I gather. Big percentage increase of a smallish figure to another smallish figure. 1976-1979 (my Uni years) with a student population of around 4-5k and I can specifically recall two jumps and an electrocution all in one term. That was average. |
David Feugey (2125) 2709 posts |
The same here. All my professional software could work under WebJames (it’s simple C or Basic). This is one of the ‘little’ things that could have a big impact on RISC OS. Of course, it’s not so easy to do. HTTPS is one thing. The management of Let’s Encrypt certificates (creation, renewal) is a different story. |
Chris Gransden (337) 1207 posts |
I’ve done a quick port of the Twisted python module. Currently python 2.7.
It transfers data much quicker than WebJames. |
Chris Gransden (337) 1207 posts |
Just to prove that it works. I’ve put a mirror of riscosports.co.uk without any downloads at https://riscosports.asuscomm.com. The dynamic DNS and Let’s Encrypt certificates are managed by the router. |
Rick Murray (539) 13850 posts |
Well, that counts me out then. The Livebox supports No-IP but has no facilities for certificates. I’m stuck with the Livebox as it also provides the landline, and generic routers (of the sort you can play around with OpenWRT) don’t support the slightly peculiar implementation of SIP that Orange uses. In fact, many of them don’t do telephony at all. |
Rick Murray (539) 13850 posts |
Hmm… Followed by… :-) |
Dave Higton (1515) 3534 posts |
@Rick: Works for me, using NetSurf or using Firefox on Ubuntu. @Chris: I take it that asuscomm.com is a dynamic DNS domain, and you have an entry for riscosports.asuscomm.com that points to your server? What are you using as the server? If this is AcornSSL server functionality, I’m most impressed! Then we need to know what other steps are needed to get this into a working and releasable version of AcornSSL. Presumably one step is to agree an extended API. |
Dave Higton (1515) 3534 posts |
Unfortunately, although my router supports dynamic DNS, it doesn’t appear to have any support for certificates. I guess this means having to set up an ACME client on my Linux box. What model is your router? |
Chris Gransden (337) 1207 posts |
It’s an ASUS RT-AX56U Wi-Fi 6 AX1800. The manual is here. |
Chris Gransden (337) 1207 posts |
It doesn’t use AcornSSL. It all runs using Python 2.7 and the Twisted python module. SSL is handled by the OpenSSL library.
The certificate chain is not being loaded by the Twisted python module. Firefox and Chrome seem to be able to cope with it and find the certificate chain. |
Dave Higton (1515) 3534 posts |
Interesting. My son gave me an RT-AC68U a while ago. I got into a pickle when I was trying to set up a bridge with it, but ended up with a circular route on the LAN (yes, everything did grind to a halt, and took a while to recover even when I powered the Asus down). After that I put it away and haven’t touched it since. But I see that model supports certificates and renewal too. |
David Feugey (2125) 2709 posts |
Funny :) |