OpenBSD Journal
Undeadly and HTTPS
Contributed by tj on Mon Apr 11 20:11:43 2016 (GMT)
from the crowdsourcing dept.

We here at Undeadly are looking to move the site to HTTPS-only. It's been discussed for quite a while, but there's one roadblock that we're looking for some help to overcome.

The authentication system (how you log in to post comments) is currently a stunnel instance listening on port 443, while the main site is OpenBSD's httpd running on port 80. httpd serves static content and the Undeadly CGI binary. stunnel's only job is checking credentials and (if successful) handing out a cookie. Getting rid of this old "split" setup requires code changes so that everything can be behind TLS, not just the authenticating bit.

In general, a lot of the code needs some major cleanup as well, so this may be a big project. We'd like to see a lot of the security constructs completely redone in a better way.

If you're a C coder, the source for the site can be found here. Send us an email if you're interested in helping.
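The site's own code is C, but as an added illustration of the cookie hand-off the split setup relies on (not code from the Undeadly source), here is a minimal signed-session scheme in Python: the authenticating side issues an HMAC-signed, expiring cookie with the Secure and HttpOnly flags, and the CGI side verifies it with a constant-time compare. The token format, the alphanumeric user-name rule and the idea of loading the signing key from a file at runtime rather than compiling it in are assumptions of this example, not something the page describes.

```python
import hmac
import hashlib
import time

COOKIE_NAME = "auth"

def load_key(path):
    """Read the cookie-signing key from a file outside the document root.
    Assumed convention for this example: the key is never a compiled-in constant."""
    with open(path, "rb") as f:
        key = f.read().strip()
    if len(key) < 32:
        raise ValueError("cookie key too short; generate 32+ random bytes")
    return key

def _mac(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(key, user, now=None, ttl=3600):
    """Build 'user|expiry|hmac' on the authenticating side, after the
    credentials have been checked. '|' is reserved, so names are alphanumeric."""
    if not user.isalnum():
        raise ValueError("user name must be alphanumeric")
    expiry = (int(time.time()) if now is None else now) + ttl
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(key, payload)}"

def set_cookie_header(token):
    """Set-Cookie line: Secure so the browser never sends it over plain port 80,
    HttpOnly so script in the page cannot read it."""
    return f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"

def verify_token(key, token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, expiry, mac = parts
    expected = _mac(key, f"{user}|{expiry}")
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if int(expiry) <= (int(time.time()) if now is None else now):
        return None
    return user

def user_from_cgi_env(key, environ, now=None):
    """CGI side: pull our cookie out of HTTP_COOKIE and verify it."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return verify_token(key, value, now)
    return None
```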



  Re: Undeadly and HTTPS (mod 16/74)
by Andrew Fresh (andrew) (andrew@afresh1.com) on Tue Apr 12 05:14:41 2016 (GMT)
http://www.afresh1.com
  I do have a semi-in-progress rewrite in Mojolicious::Lite that unfortunately $work has gotten in the way of; most of the backend work to get it reading existing articles is complete, and it's mostly details left now.

  Re: Undeadly and HTTPS (mod -13/79)
by foo (151.67.46.127) on Tue Apr 12 15:09:09 2016 (GMT)
  Why don't you use PHP sessions via CGI on HTTPS?

  Please don't (was: Re: Undeadly and HTTPS) (mod -7/85)
by Anonymous Coward (cnst) on Tue Apr 12 19:22:50 2016 (GMT)
http://cnst.su/

Please don't.

Just don't do it.

There is no valid reason to deny access to the public content for people who, one way or another, cannot or don't want to use HTTPS.

Please don't establish a policy to deny readers of access.

Thanks.


  Re: Undeadly and HTTPS (mod -9/71)
by Anonymous Coward (80.53.251.245) on Tue Apr 12 19:29:52 2016 (GMT)
  As a side note, I find it a bit odd that an OpenBSD-related project uses pesky sudo instead of doas ;)

  Re: Undeadly and HTTPS (mod -6/78)
by Anonymous Coward (46.165.230.5) on Wed Apr 13 11:08:18 2016 (GMT)
  I do not understand the motivation behind undeadly.org switching to HTTPS only.

It is a journal of information accessible to the public. What kind of information is sensitive or private, to the extent that it would need HTTPS?

Mandating encryption on a public-access journal site with public-access comments will probably use more resources, thanks to encryption and decryption.

  Re: Undeadly and HTTPS (mod 6/76)
by ian (24.138.98.109) on Wed Apr 13 23:38:19 2016 (GMT)
  Some of you guys need to get out more. The entire web is moving to https, and Google is even down-ranking (now or soon) sites that aren't encrypted. What do you have against encryption? It offers some protection against malicious tampering; if you don't encrypt it, you have none. If you don't encrypt, blackhats can change an article on "Why I use OpenBSD" to "Why I hate OpenBSD", or even "Why I hate Windows", and you'll be left wondering WTF is that doing on Undeadly.

  stunnel (mod -2/68)
by Chas (147.154.235.102) on Thu Apr 14 20:18:23 2016 (GMT)
  Why don't you just move the current stunnel to 1443, then grep for "https" in the codebase and change it to "https://...:1443" and switch the CGI stunnel to the new port?

Then install a new stunnel that just does a connect to localhost:80, and the TLS content will be exactly what port 80 spits out.

  Re: Undeadly and HTTPS (mod 6/68)
by Anonymous Coward (91.196.8.156) on Fri Apr 15 08:04:40 2016 (GMT)
  static const char *secret = "lw1N0mN0t8a24UR4NY12AT55p/23FxJ9H6+NReXed8nTZJraO0g";

No longer a secret.

  Re: Undeadly and HTTPS (mod 6/66)
by Chris (198.163.128.1) on Mon Apr 18 18:16:37 2016 (GMT)
  I don't understand the merit of going HTTPS only. (Having it be possible is nice though.) This will kill access for some older non-updatable devices I have.

If you're going to downvote, please explain why HTTPS-only is necessary. Something more compelling than paranoid content-swapping stories please.

  Re: Undeadly and HTTPS (mod 3/63)
by Anonymous Coward (108.34.251.230) on Mon Apr 18 22:59:51 2016 (GMT)
  A) what happened with the Perl Rewrite?

B) Can the whole setup not just be put behind relayd? If I recall, it's more than capable of serving the whole site behind TLS, in addition to supporting the www/auth split for those who want to use HTTP.

  Re: Undeadly and HTTPS (mod 2/68)
by Anonymous Coward (93.115.95.216) on Tue Apr 19 14:52:53 2016 (GMT)
  Please don't let the few dumb people in the comments discourage this very logical decision.

Besides the points already made by other posters, I would much prefer that, for example, me making this comment is kept between me and the undeadly sysadmins and that no one in between us can see exactly what is going on.

  Re: Undeadly and HTTPS (mod 4/56)
by Anonymous Coward (93.104.32.73) on Fri Apr 22 18:58:24 2016 (GMT)
  So now someone can pledge() it. :-) I looked a little at the code. I'm a mediocre programmer and an even worse reader of others' code, but I gotta give it to you, that code is good. Small KNF violations though.

  Re: Undeadly and HTTPS (mod 5/63)
by Anonymous Coward (66.249.81.141) on Sat Apr 23 23:22:19 2016 (GMT)
  If at all possible, please keep an http version available as well. Just as a matter of free information principle.

  Re: Undeadly and HTTPS (mod 1/65)
by foo (151.67.77.113) on Sun Apr 24 12:50:59 2016 (GMT)
  make undeadly accessible only on an OpenSSH tunnel


Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]