Contributed by tj on from the crowdsourcing dept.
The authentication system (how you log in to post comments) is currently a stunnel instance listening on port 443, while the main site is OpenBSD's httpd running on port 80. httpd serves the static content and the Undeadly CGI binary; stunnel's only job is checking credentials and, if they are valid, handing out a cookie. Getting rid of this old "split" setup requires code changes so that everything can sit behind TLS, not just the authenticating bit.
In general, a lot of the code needs some major cleanup as well, so this may be a big project. We'd like to see a lot of the security constructs completely redone in a better way.
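As an added illustration of the target state described above (not the project's actual configuration), this is what a single-listener OpenBSD httpd.conf could look like once the site no longer depends on the separate stunnel instance: port 80 only redirects, and both the static content and the CGI binary (run through slowcgi via fastcgi) are served from the TLS listener on 443. The hostname, certificate paths and CGI location are assumptions.

```conf
# Assumed hostname and paths; adjust to the real deployment.
# Plain HTTP does nothing but send clients to the TLS listener,
# so no session cookie is ever exchanged over port 80.
server "undeadly.example.org" {
	listen on * port 80
	block return 301 "https://$SERVER_NAME$REQUEST_URI"
}

server "undeadly.example.org" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/undeadly.example.org.fullchain.pem"
		key "/etc/ssl/private/undeadly.example.org.key"
	}
	# Tell browsers to keep using TLS for this host.
	hsts

	# The CGI binary is handed to slowcgi(8) over its default
	# FastCGI socket; paths are relative to httpd's /var/www chroot.
	location "/cgi-bin/*" {
		fastcgi
		root "/"
	}

	# Static content served from the same TLS listener.
	root "/htdocs/undeadly"
}
```

With login and content on one TLS listener, the cookie the authentication code sets should also carry the Secure flag, which the split setup could not rely on because the rest of the site was plaintext.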