[opensuse] opensuse mailing list site ridiculousness
Hello:

I tried to open the openSUSE mailing lists in an older Firefox, 24.8.1 ESR, at http://lists.opensuse.org/ which redirects to https://lists.opensuse.org/, and the browser can't open the page; instead it gives an error message:

"The connection was interrupted
The connection to lists.opensuse.org was interrupted while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web."

I guess the problem might be an authentication/key/certificate error. (Newer SeaMonkey can open the page).

First I don't really get why looking at a mailing list page requires an https connection at all. I can imagine that some want a secure connection to the mailing list site, but automatic redirection should not occur. Third, many https sites just work with this old Firefox. https://software.opensuse.org/ doesn't open either. https://www.opensuse.org/ works.

This should be fixed.

Istvan

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 15 June 2018 at 21:31, Istvan Gabor
I tried to open openSUSE mailing lists in an older firefox, 24.8.1 ESR at
https://www.opensuse.org/ works.
This should be fixed.
Istvan
I agree - www.opensuse.org should also reject traffic from a browser that old.

You're using such an old Firefox that the modern, strong certificates used by most of our openSUSE infrastructure are not supported.

You shouldn't be using such an old insecure browser, and www.opensuse.org should be using a stronger certificate.

Thanks for the report
On 06/15/2018 12:45 PM, Richard Brown wrote:
On 15 June 2018 at 21:31, Istvan Gabor
wrote: I tried to open openSUSE mailing lists in an older firefox, 24.8.1 ESR at
https://www.opensuse.org/ works.
This should be fixed.
Istvan
I agree - www.opensuse.org should also reject traffic from a browser that old
You're using such an old Firefox that the modern, strong certificates used by most of our openSUSE infrastructure are not supported
You shouldn't be using such an old insecure browser, and www.opensuse.org should be using a stronger certificate
Thanks for the report
... also, this should have gone to opensuse-web@opensuse.org instead of this list.

--
-Gerry Makaro
openSUSE Member
openSUSE Forum Moderator
openSUSE Contributor
aka Fraser_Bell on the Forums, OBS, IRC, and mail at openSUSE.org
Fraser-Bell on Github
Gerry --

...and then Fraser_Bell said...
% ...
% ... also, this should have gone to opensuse-web@opensuse.org instead
% of this list.

*rofl*

Thank you :-)

:-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
Istvan Gabor wrote:
Hello:
I tried to open openSUSE mailing lists in an older firefox, 24.8.1 ESR at
which redirects to
and the browser can't open the page, instead give an error message:
"The connection was interrupted
The connection to lists.opensuse.org was interrupted while the page was loading.
That is a problem of your browser/openSSL library, not https://lists.opensuse.org/. Older TLS versions have long been deprecated and now disabled. Payment providers around the world have been busy notifying customers that their browsers are outdated and no longer supported.
First I don't really get why looking at a mailing list page requires an https connection at all.
That is a Google preference thing. I agree with you, but Google gives preference to encrypted sites.
I can imagine that some want secure connection to the mailing list site but automatic redirection should not occur.
Hmm, you may have a point. Only redirecting for Google is a problem though.
Third, many https sites just work with this old Firefox.
Sure, they're also using outdated TLS.
https://software.opensuse.org/ doesn't open either.
https://www.opensuse.org/ works. This should be fixed.
The only likely fix is that https://www.opensuse.org/ will be upgraded to only use TLS v1.2 too.

--
Per Jessen, Zürich (18.8°C)
member, openSUSE Heroes.
Per Jessen wrote:
Istvan Gabor wrote:
I can imagine that some want secure connection to the mailing list site but automatic redirection should not occur.
Hmm, you may have a point. Only redirecting for Google is a problem though.
Actually, I do wonder why we don't just keep both versions available - leave it to Google and the user to pick which version, http or https. I don't know if there is a good reason; I have added the question to the agenda for the next Heroes meeting (in a couple of weeks). By the way, anyone is welcome to attend and ask difficult questions :-)

https://progress.opensuse.org/issues/36817

--
Per Jessen, Zürich (19.4°C)
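The two options Per raises, serving http and https side by side without a forced redirect and restricting the https side to TLS 1.2 and later, as an added nginx configuration example that is not openSUSE infrastructure configuration (the thread does not say which web server lists.opensuse.org runs; the hostname lists.example.org and the file paths are placeholders):

```nginx
# Added example, not the openSUSE Heroes' configuration. nginx is assumed;
# lists.example.org and all paths are placeholders.

# Plain HTTP: serve the archive as-is, no forced hop to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name lists.example.org;      # placeholder for the archive host
    root /srv/www/lists;                # placeholder document root

    # Tell clients and search engines where the https twin lives
    # without redirecting them to it.
    add_header Link '<https://lists.example.org$request_uri>; rel="canonical"';

    # If a forced redirect is later judged warranted, this is the one line
    # to enable; it is deliberately left commented out here.
    # return 301 https://$host$request_uri;
}

# HTTPS: modern protocol versions only. A browser whose TLS support stops
# at 1.0/1.1 fails during the handshake here, which the user sees as
# "The connection was interrupted" rather than a certificate warning.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name lists.example.org;
    root /srv/www/lists;

    ssl_certificate     /etc/ssl/lists.example.org/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/lists.example.org/privkey.pem;     # placeholder

    # Weak: keeps old clients working by accepting deprecated protocol versions.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Corrected: TLS 1.2 only, plus 1.3 where the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Do NOT send Strict-Transport-Security while both schemes are offered:
    # once a browser has seen HSTS it refuses the http:// version afterwards.
    # add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Run `nginx -t` after editing to confirm the configuration parses before reloading.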
On 6/15/2018 2:31 PM, Istvan Gabor wrote:
Hello:
I tried to open openSUSE mailing lists in an older firefox, 24.8.1 ESR at
Istvan
Istvan,

I have built firefox_esr_52.8.1 for 13.1 (x86_64). In addition, you will probably need the mozilla-nss files, which you may have to branch and build from the mozilla/ repo (but those are fairly small, so it shouldn't be a big deal). You may even simply be able to download the mozilla-nss.src.rpm and then do 'rpmbuild --rebuild mozilla-nss.src.rpm'.

The current esr firefox for 13.1 can be found here:
http://download.opensuse.org/repositories/home:/drankinatty:/branches:/mozil...

--
David C. Rankin, J.D.,P.E.
On 06/15/2018 03:46 PM, David C. Rankin wrote:
On 6/15/2018 2:31 PM, Istvan Gabor wrote:
Hello:
I tried to open openSUSE mailing lists in an older firefox, 24.8.1 ESR at
Istvan
Istvan,
I have built firefox_esr_52.8.1 for 13.1 (x86_64). In addition, you will probably need the mozilla-nss files, which you may have to branch and build from the mozilla/ repo (but those are fairly small, so it shouldn't be a big deal). You may even simply be able to download the mozilla-nss.src.rpm and then do 'rpmbuild --rebuild mozilla-nss.src.rpm'.
The current esr firefox for 13.1 can be found here:
http://download.opensuse.org/repositories/home:/drankinatty:/branches:/mozil...
Wolfgang has already prepared the mozilla-nss package for x86_64 for 13.1; check the mozilla repo, or the direct build service packages at https://build.opensuse.org/package/binaries/mozilla/mozilla-nss/openSUSE_13.... You may need the mozilla-nspr package as well.

--
David C. Rankin, J.D.,P.E.
On Friday, 15 June 2018, 21:31:08 CEST, Istvan Gabor wrote:
First I don't really get why looking at a mailing list page requires an https connection at all.
please step away from your computer.

--
Mathias Homann
Senior Systems Engineer, IT Consultant. IT Trainer
Mathias.Homann@openSUSE.org
http://www.tuxonline.tech
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
Mathias Homann composed on 2018-06-15 23:22 (UTC+0200):
Istvan Gabor composed:
First I don't really get why looking at a mailing list page requires an https connection at all.
please step away from your computer.
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.

--
"Wisdom is supreme; therefore get wisdom. Whatever else you get, get wisdom." Proverbs 4:7 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
On 2018-06-15 23:29, Felix Miata wrote:
Mathias Homann composed on 2018-06-15 23:22 (UTC+0200):
Istvan Gabor composed:
First I don't really get why looking at a mailing list page requires an https connection at all.
please step away from your computer.
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced.
"Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern bloated browsers to read static pages:

64 bit download size, Linux version from mozilla.org:
Mozilla 1.0:          13M   2002 (32 bit)
Firefox 1.0:           7.9M 2004 (32 bit)
Mozilla 1.7.13:       14M   2006 (32 bit)
Firefox 2.0.0.20:      9.3M 2008 (32 bit)
SeaMonkey 2.0:        13M   2009 (32 bit)
SeaMonkey 1.1.19:     15M   2010 (32 bit)
Firefox 4.0:          15M   2010
Firefox 3.6.28:       11M   2012 (32 bit)
Firefox ESR 10.0.12:  19M   2013
Firefox ESR 17.0.11:  23M   2013
Firefox ESR 24.8.1:   28M   2014
Firefox ESR 31.8.0:   38M   2015
Firefox ESR 38.8.0:   45M   2016
Firefox ESR 45.9.0:   50M   2017
SeaMonkey 2.49.3:     49M   2018
Firefox ESR 52.8.1:   56M   2018-06
Firefox ESR 60.0.2:   51M   2018-06 (sans most extensions)

--
"Wisdom is supreme; therefore get wisdom. Whatever else you get, get wisdom." Proverbs 4:7 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
On 2018-06-16 00:29, Felix Miata wrote:
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced.
"Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern bloated browsers to read static pages:
You missed what he said about google ;-)

Google wants encryption. Google will not index plain sites. Ergo, use encryption. From that follows: use browsers that support the encryption that google wants...

What anybody else thinks about it being absurd to encode text that is static and freely available is irrelevant :-P

--
Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2018-06-16 00:29, Felix Miata wrote:
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts. Per has explained the real reason why old browsers are not supported and encryption is enforced. "Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern bloated browsers to read static pages:
You missed what he said about google ;-)
Google wants encryption. Google will not index plain sites.
So if everyone uses plain text on their web sites, then google won't index anything? That sounds a bit absurd. Do you have a source for that -- that using plaintext will keep your site from appearing in google? That just seems too simple of a way to keep google out of anything.
What anybody else thinks about it being absurd to encode text that is static and freely available is irrelevant :-P
If many people are concerned about google & privacy, it seems like a great way to keep google out.

The only thing I noticed was that it became impossible to cache things and every call to anything had to go out live. I added my own roots @ home and installed them in the client machines, so squid could start caching again.

My housemate's browsing on youtube went from about 15-20 seconds/page to about 1 second/page. He was very happy.

So tell me why everyone is kissing google's behind again?
On Saturday 16 June 2018 01:41:19 CEST, L A Walsh wrote:
Carlos E. R. wrote:
On 2018-06-16 00:29, Felix Miata wrote:
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced.
"Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern
bloated browsers to read static pages: You missed what he said about google ;-)
Google wants encryption. Google will not index plain sites.
--- So if everyone uses plain text on their web sites, then google won't index anything? That sounds a bit absurd. Do you have a source for that -- that using plaintext will keep your site from appearing in google?
That just seems too simple of a way to keep google out of anything.
What anybody else thinks about it being absurd to encode text that is static and freely available is irrelevant :-P
--- If many people are concerned about google & privacy, it seems like a great way to keep google out.
The only thing I noticed was that it became impossible to cache things and every call to anything had to go out live. I added my own roots @ home and installed them in the client machines, so squid could start caching again.
My housemate's browsing on youtube went from about 15-20 seconds/page to about 1 second/page. He was very happy.
So tell me why everyone is kissing google's behind again?

Linda, please read Per's reply and the first bit of the thread. This isn't about Google, or whatever, it's about someone with a 13.1 install complaining about websites not working ( browser outdated ), and that lists.opensuse.org could very well do without SSL ( to keep working with an outdated browser ).

One of the reasons that SSL is forced on most websites is that without it, Google ( most used, whether we like it or not ) and other search engines wouldn't index the site. Plus, EU governments actively teach their citizens *not* to trust http:// sites. The fact that browsers have developed new features that make me aware, f.e. that some https page redirects me to an http page? That all up to date browsers warn my dad for not trusting an http site. I'll thank all involved for making stuff like that. I don't see this as google kissing. AFAICT Google was just an example.

--
Gertjan Lettink a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
On 2018-06-16 02:44, Knurpht@openSUSE wrote:
On Saturday 16 June 2018 01:41:19 CEST, L A Walsh wrote:
Carlos E. R. wrote:
On 2018-06-16 00:29, Felix Miata wrote:
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced.
"Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern
bloated browsers to read static pages: You missed what he said about google ;-)
Google wants encryption. Google will not index plain sites.
--- So if everyone uses plain text on their web sites, then google won't index anything? That sounds a bit absurd. Do you have a source for that -- that using plaintext will keep your site from appearing in google?
That just seems too simple of a way to keep google out of anything.
What anybody else thinks about it being absurd to encode text that is static and freely available is irrelevant :-P
--- If many people are concerned about google & privacy, it seems like a great way to keep google out.
The only thing I noticed was that it became impossible to cache things and every call to anything had to go out live. I added my own roots @ home and installed them in the client machines, so squid could start caching again.
My housemate's browsing on youtube went from about 15-20 seconds/page to about 1 second/page. He was very happy.
So tell me why everyone is kissing google's behind again?

Linda, please read Per's reply and the first bit of the thread. This isn't about Google, or whatever, it's about someone with a 13.1 install complaining about websites not working ( browser outdated ), and that lists.opensuse.org could very well do without SSL ( to keep working with an outdated browser ).

One of the reasons that SSL is forced on most websites is that without it, Google ( most used, whether we like it or not ) and other search engines wouldn't index the site. Plus, EU governments actively teach their citizens *not* to trust http:// sites.
Only when money or privacy is involved, not for plain and public information services. Anyway, I have not seen any such advice from my government yet. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
On 16/06/2018 at 02:44, Knurpht@openSUSE wrote:
One of the reasons that SSL is forced on most websites is that without this it
I follow this thread, but only partially, so I may have missed something, but I see some words about "encryption". The web site does not have to be encrypted, only accessed through ssl/tls or such; that is, only the link between user and server has to be protected, ssh like, and my own site is not and works well (see signature)

jdd

--
http://dodin.org
On 2018-06-16 08:23, jdd@dodin.org wrote:
On 16/06/2018 at 02:44, Knurpht@openSUSE wrote:
One of the reasons that SSL is forced on most websites is that without this it
I follow this thread, but only partially, so I may have missed something, but I see some words about "encryption". The web site does not have to be encrypted, only accessed through ssl/tls or such; that is, only the link between user and server has to be protected, ssh like, and my own site is not and works well (see signature)
Well, yes, it is about encryption of the transport so that the bad guys can not intercept us when reading the ancient opensuse mail list archive
:-)
It is also about us knowing that when we click on the openSUSE mail list archive we don't get some terrorist site feeding us subtly faked mails with perverted Linux advice that subvert our Linux computer into terrorist nodes >:-P -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Knurpht@openSUSE wrote:
So tell me why everyone is kissing google's behind again? Linda, please read Per's reply and the first bit of the thread. This isn't about Google, or whatever, it's about someone with a 13.1 install complaining about websites not working ( browser outdated ), and that lists.opensuse.org could very well do without SSL ( to keep working with an outdated browser ).
One of the reasons that SSL is forced on most websites is that without it, Google ( most used, whether we like it or not ) and other search engines wouldn't index the site.
One of the reasons I point this out is that I don't believe it and it's not true. Most of the web was not encrypted 5-10 years ago and google indexed them. Just because google wants https to protect their adstream, doesn't mean that at some point in time they will STOP indexing sites that don't use https. They'd be shooting themselves in the foot. They WANT to index everything -- and that includes http and ftp sites. So please don't use google as an excuse for forcing on encryption. There's no need for it for most things. No one is forcing encryption on people.
Plus, EU governments actively teach their citizens *not* to trust http:// sites.
I've never heard that. Do you have a source for it? Furthermore, I don't believe it in regards to non-sensitive data.
The fact that browsers have developed new features that make me aware, f.e. that some https page redirects me to an http page? That all up to date browsers warn my dad for not trusting an http site. I'll thank all involved for making stuff like that.
I've not encountered any such broken browsers -- vs. if you send DATA to them (i.e. submit text to them), then I've seen warnings that your text is not encrypted. That's very different from pure "browsing". I've also seen many sites that use https for passwords but http for non sensitive data.
I don't see this as google kissing. AFAICT Google was just an example.
--- But it is google kissing. Google has been the one pushing for it -- but it's not needed for most things. They want it to make sure their ads get through/can't be filtered except, maybe, at the browser -- which they also control if you use chrome.

Now, since everything is encrypted, NOTHING is particularly safer or more sensitive. My bank and finances go through the same decrypting proxy as text on slashdot. If I don't put in exceptions for sensitive web sites, they automatically get decrypted now -- because that's the new standard that google has given us. It's less safe than it used to be -- anyone who wants to monitor traffic now finds a way to decrypt -- because if they don't they will have nothing. Vs. 10 years ago, they'd have 90+% of the traffic, and the rest they'd have the website (finance, maybe medical) name and know that it was probably "boring" and not worth decrypting for monitoring network connections for usage that goes against policies.

Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic. I have a not super-fast connection. So I have always supplemented it with a large cache. Sometimes works better, sometimes not. But overall, 10-30% of my traffic can come from a cache. Right now (looking at recent activity):

squidstats
       Hits/Total       Bytes/Total
mem:   28% (367/1287)   27% (14M/52M)
dsk:    3% (40/1287)     0% (202K/52M)
tot:   31% (407/1287)   27% (15M/52M)

Cacheable traffic had slowly dropped off, but w/google pushing for everything encrypted, it made sense to use a decrypting proxy. Now, while long term (disk) usage is still down (in the past I've gotten 700+MB images out of my disk cache 2-3 months later when I'd forgotten I already downloaded an ISO -- but the cache still had it), short term use is still reasonable.

So people can give excuses like google...but they will never stop indexing -- it would go against what they do.

BTW, if you want proof, I looked up words:
atkmm1_6-doc-2.24.2-2.1.noarch.rpm 08-Mar-2018 542K

It picked up this unencrypted website:
"http://www.nic.funet.fi/index/opensuse/tumbleweed/repo/oss/noarch/"
It's not the only one.

You may think I'm talking "off topic"...but I'm not. There's no reason for such security on a public web-copy of an email list, nor a distro-download site (that does have other methods of guaranteeing integrity).

Cheers! :-)
On 06/16/2018 09:45 PM, L A Walsh wrote:
I've not encountered any such broken browsers -- vs. if you send DATA to them (i.e. submit text to them), then I've seen warnings that your text is not encrypted. That's very different from pure "browsing".

I believe marking all http sites as insecure is soon to be the default behavior in both Firefox and Chrome; https is king now that it is easy for every site to obtain a certificate. Why encrypt a public mailing list? Because perhaps the users of the list would prefer their government or ISP doesn't see what messages they are reading and interacting with, even if they do happen to know the domain.

I see little reason to break enhanced security and privacy protections for side cases and users with ridiculously outdated software, but if a person chooses to break encryption to enable caching in their own environment that is their prerogative (and many businesses do the same for SSL inspection).
On 2018-06-17 07:00, Steven Susbauer wrote:
On 06/16/2018 09:45 PM, L A Walsh wrote:
I've not encountered any such broken browsers -- vs. if you send DATA to them (i.e. submit text to them), then I've seen warnings that your text is not encrypted. That's very different from pure "browsing".

I believe marking all http sites as insecure is soon to be the default behavior in both Firefox and Chrome; https is king now that it is easy for every site to obtain a certificate. Why encrypt a public mailing list? Because perhaps the users of the list would prefer their government or ISP doesn't see what messages they are reading and interacting with, even if they do happen to know the domain.
No, that's moot. The government and anybody can browse the entire mail archive unimpeded. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Hello,

On Sunday, 17 June 2018, 10:06:28 CEST, Carlos E. R. wrote:
On 2018-06-17 07:00, Steven Susbauer wrote:
I believe marking all http sites as insecure is soon to be the default behavior in both Firefox and Chrome, https is king now that it is easy for every site to obtain a certificate. Why encrypt a public mailing list? Because perhaps the users of the list would prefer their government or ISP doesn't see what messages they are reading and interacting with, even if they do happen to know the domain. No, that's moot. The government and anybody can browse the entire mail archive unimpeded.
The entire archive, yes. But knowing which specific mails you are looking at might make a difference. For example, it might look suspicious if you only read mails about disc encryption and setting up GPG, because, you know, only terrorists use encryption ;-) Needless to say that, using this definition, I'm a terrorist ;-) I also remember a case when someone sent an encrypted mail to the opensuse-de mailinglist. Maybe it was a mistake, maybe it was intentional to send someone (a subscriber or someone later reading the archive) an encrypted message without making the recipient clear. If it was the latter, catching someone to read exactly that mail in the archive wouldn't be nice ;-) Another (already mentioned) point is ensuring integrity - using https also makes sure that you get what the server delivers instead what a MITM makes out of it. I probably don't need to tell you that changing a recommended command to "rm -rf /" [1] would be a bit ;-) harmful, right? Regards, Christian Boltz [1] it should be obvious, but in case it's not: do NOT run this command, unless you want to destroy your system --
No, much like a dickhead really. From you, that can only be taken as a compliment. Thanks ;) [> Basil Chupin and Graham Anderson in opensuse-factory]
On 2018-06-17 11:27, Christian Boltz wrote:
Hello,
On Sunday, 17 June 2018, 10:06:28 CEST, Carlos E. R. wrote:
On 2018-06-17 07:00, Steven Susbauer wrote:
I believe marking all http sites as insecure is soon to be the default behavior in both Firefox and Chrome, https is king now that it is easy for every site to obtain a certificate. Why encrypt a public mailing list? Because perhaps the users of the list would prefer their government or ISP doesn't see what messages they are reading and interacting with, even if they do happen to know the domain. No, that's moot. The government and anybody can browse the entire mail archive unimpeded.
The entire archive, yes. But knowing which specific mails you are looking at might make a difference. For example, it might look suspicious if you only read mails about disc encryption and setting up GPG, because, you know, only terrorists use encryption ;-)
Ha! :-) That's a point :-) Unless they install an appropriate ssl proxy...
Needless to say that, using this definition, I'm a terrorist ;-)
I also remember a case when someone sent an encrypted mail to the opensuse-de mailinglist. Maybe it was a mistake, maybe it was intentional to send someone (a subscriber or someone later reading the archive) an encrypted message without making the recipient clear. If it was the latter, catching someone to read exactly that mail in the archive wouldn't be nice ;-)
We could create a PGP identity for each of the mail lists and send encrypted :-p Oh, wait...
Another (already mentioned) point is ensuring integrity - using https also makes sure that you get what the server delivers instead what a MITM makes out of it. I probably don't need to tell you that changing a recommended command to "rm -rf /" [1] would be a bit ;-) harmful, right?
Right :-)
[1] it should be obvious, but in case it's not: do NOT run this command, unless you want to destroy your system
-- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Steven Susbauer wrote:
On 06/16/2018 09:45 PM, L A Walsh wrote:
I've not encountered any such broken browsers -- vs. if you send DATA to them (i.e. submit text to them), then I've seen warnings that your text is not encrypted. That's very different from pure "browsing".
I believe marking all http sites as insecure is soon to be the default behavior in both Firefox and Chrome,
Not being secured with https != being insecure.
https is king now that it is easy for every site to obtain a certificate.
Which is still no reason to force https on people. By all means offer an encrypted connection for your site, but only force the redirect if you have good reason to.

--
Per Jessen, Zürich (19.4°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2018-06-17 06:45, L A Walsh wrote:
Knurpht@openSUSE wrote:
The fact that browsers have developed new features that make me aware, f.e. that some https page redirects me to an http page? That all up to date browsers warn my dad for not trusting an http site. I'll thank all involved for making stuff like that.
I've not encountered any such broken browsers -- vs. if you send DATA to them (i.e. submit text to them), then I've seen warnings that your text is not encrypted. That's very different from pure "browsing".
This feature exists, somewhere I've seen it. You are browsing https, get http instead, warn.
I've also seen many sites that use https for passwords but http for non sensitive data.
Yes, many, but fewer now.
I don't see this as google kissing. AFAICT Google was just an example.
But it is google kissing. Google has been the one pushing for it -- but it's not needed for most things. They want it to make sure their ads get through/can't be filtered except, maybe, at the browser -- which they also control if you use chrome.
That may be their real reason, yes. ...
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
So people can give excuses like google...but they will never stop indexing -- it would go against what they do.
They get lower priority.
BTW, if you want proof, I looked up words: atkmm1_6-doc-2.24.2-2.1.noarch.rpm 08-Mar-2018 542K
It picked up this unencrypted website: "http://www.nic.funet.fi/index/opensuse/tumbleweed/repo/oss/noarch/"
It's not the only one.
Well, Per said he would propose having both versions.
You may think I'm talking "off topic"...but I'm not. There's no reason for such security on a public web-copy of a email list, nor a distro-download site (that does have other methods of guaranteeing integrity).
There was talk about making the main opensuse download site encrypted (before google got interested), but only to ensure that some of the requests that are not protected by PGP get the site default instead. The metadata that tells us what to download. And no spoofing. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2018-06-17 06:45, L A Walsh wrote:
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
Not entirely, I think squid has been doing some work: https://wiki.squid-cache.org/Features/SslBump
-- Per Jessen, Zürich (19.4°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 2018-06-17 11:01, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 06:45, L A Walsh wrote:
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
Not entirely, I think squid has been doing some work: https://wiki.squid-cache.org/Features/SslBump
It is an interesting point, isn't it? We use https to be secure when talking to the bank, yet it is possible to put a proxy server that deciphers the traffic and provides a cache. Thus protecting the web archive with https is moot, the evil government can still read what we read ;-P
-- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2018-06-17 11:01, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 06:45, L A Walsh wrote:
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
Not entirely, I think squid has been doing some work: https://wiki.squid-cache.org/Features/SslBump
It is an interesting point, isn't it?
We use https to be secure when talking to the bank, yet it is possible to put a proxy server that deciphers the traffic and provides a cache.
AFAICT, the user is warned about a possible man-in-the-middle attack. The article is quite clear about it.
-- Per Jessen, Zürich (19.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2018-06-17 11:57, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 11:01, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 06:45, L A Walsh wrote:
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
Not entirely, I think squid has been doing some work: https://wiki.squid-cache.org/Features/SslBump
It is an interesting point, isn't it?
We use https to be secure when talking to the bank, yet it is possible to put a proxy server that deciphers the traffic and provides a cache.
AFAICT, the user is warned about a possible man-in-the-middle attack. The article is quite clear about it.
Sure. But I will not know if my ISP places such a cache on their network. Or a government spy. Being spies or thieves means they are not obligated to tell me. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2018-06-17 11:57, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 11:01, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 06:45, L A Walsh wrote:
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
Not entirely, I think squid has been doing some work: https://wiki.squid-cache.org/Features/SslBump
It is an interesting point, isn't it?
We use https to be secure when talking to the bank, yet it is possible to put a proxy server that deciphers the traffic and provides a cache.
AFAICT, the user is warned about a possible man-in-the-middle attack. The article is quite clear about it.
Sure.
But I will not know if my ISP places such a cache on their network.
Yes, I think that is the whole point. Squid cannot decrypt your https traffic without your browser warning you.
-- Per Jessen, Zürich (19.4°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2018-06-17 13:07, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 11:57, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 11:01, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 06:45, L A Walsh wrote:
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
Not entirely, I think squid has been doing some work: https://wiki.squid-cache.org/Features/SslBump
It is an interesting point, isn't it?
We use https to be secure when talking to the bank, yet it is possible to put a proxy server that deciphers the traffic and provides a cache.
AFAICT, the user is warned about a possible man-in-the-middle attack. The article is quite clear about it.
Sure.
But I will not know if my ISP places such a cache on their network.
Yes, I think that is the whole point. Squid cannot decrypt your https traffic without your browser warning you.
And others, more malicious, can they do it silently? -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2018-06-17 13:07, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 11:57, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 11:01, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 06:45, L A Walsh wrote:
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
Not entirely, I think squid has been doing some work: https://wiki.squid-cache.org/Features/SslBump
It is an interesting point, isn't it?
We use https to be secure when talking to the bank, yet it is possible to put a proxy server that deciphers the traffic and provides a cache.
AFAICT, the user is warned about a possible man-in-the-middle attack. The article is quite clear about it.
Sure.
But I will not know if my ISP places such a cache on their network.
Yes, I think that is the whole point. Squid cannot decrypt your https traffic without your browser warning you.
And others, more malicious, can they do it silently?
I don't see how, but I'm no expert. If it could be done silently, I think squid would have offered that option too.
-- Per Jessen, Zürich (21.6°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Carlos E. R. wrote:
On 2018-06-17 11:01, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-06-17 06:45, L A Walsh wrote:
Thank-you google for making the need for decryption a standard such that even I go through the trouble so I can continue to cache traffic.
Ah, caches stop working. Good point.
Not entirely, I think squid has been doing some work: https://wiki.squid-cache.org/Features/SslBump
It is an interesting point, isn't it?
We use https to be secure when talking to the bank, yet it is possible to put a proxy server that deciphers the traffic and provides a cache.
Thus protecting the web archive with https is moot, the evil government can still read what we read ;-P
Isn't that what I was saying in my last message (from yesterday)? SslBump provides the decryption -- it's basically a WITM setup --- 'cept I'm the Woman-In-The-Middle. That's what I was talking about - now I decrypt so instead of one long 'CONNECT' stream of encrypted traffic, I see the CONNECT messages, and the individual objects within. Making it work right isn't trivial. You also have to install your own root_CA's in every client's CA_certificate store (clients on Windows AND linux) as a trusted 'root'. That's where governments and large, well funded ISP's put their own rootCA.
Per Jessen wrote:
AFAICT, the user is warned about a possible man-in-the-middle attack. The article is quite clear about it.
If you set up the same cert as Trusted root and as a web-signer, or don't install it on the client system, then yes, you may get a message from some SW, but install a root cert on all your client systems, then use it to create/sign on-the-fly web-certs and you shouldn't see any messages. Only time I saw a message is when I had _not_ installed my cert in my clients' trusted root list.
For government or sufficiently large corps, they pay to have it inserted in the public CA_authority lists. I mean the FBI comes along with a security letter to some company that forces them to silently comply -- how would you know?
Companies on the rootCA list, to name a few:
BofA - do you trust them?
Equifax -- and you know how well they handle security.
Government Root Cert Auth (Taiwan gov)
RSA (who has been rumored to cooperate w/CIA et al)
"Go Daddy" -- nuf said.
Visa -- it's everywhere they wanna be..
Verisign
Wells Fargo - remember how they screwed their customers and got caught red-handed?
---
Those are just some of the more famous names; there are quite a few distributed along with standard browser SW.
This was my point -- https everywhere is really doing more harm than good.
On 06/17/2018 09:33 AM, L A Walsh wrote:
Those are just some of the more famous names; there are quite a few distributed along with standard browser SW.
Yes, and companies that have misused or been poor stewards of their responsibility as root CAs have been removed from browsers before, both private companies and government. Some CAs have also been removed because they do a poor job of publishing lists of certificates they have issued for audit. Symantec was a recent removal for such reasons, this of course will heavily affect (i.e. destroy) their PKI business. These things do not happen in a vacuum. If you are the target of a nation, more likely they will update your CA certificates, but that is not the situation for most. The majority of general monitoring will trigger warnings, and even in the corporate environment Firefox will do so unless extra measures are taken, because it ships with its own certificate store.
L A Walsh wrote:
Knurpht@openSUSE wrote:
So tell me why everyone is kissing google's behind again? Linda, please read Per's reply and the first bit of the thread. This isn't about Google, or whatever, it's about someone with a 13.1 install complaining about websites not working ( browser outdated ), and that lists.opensuse.org could very well do without SSL ( to keep working with an outdated browser ).
One of the reasons that SSL is forced on most websites is that without this it would cause that Google ( most used, whether we like it or not ) and other search engines wouldn't index the site.
One of the reasons I point this out is that I don't believe it and it's not true.
I agree. Google is encouraging/promoting encryption: https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
Plus, EU governments actively teach their citizens *not* to trust http:// sites.
I've never heard that. Do you have a source for it?
I haven't heard that one either.
-- Per Jessen, Zürich (19.2°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 06/16/2018 09:45 PM, L A Walsh wrote:
You may think I'm talking "off topic"...but I'm not. There's no reason for such security on a public web-copy of a email list, nor a distro-download site (that does have other methods of guaranteeing integrity).
I once experienced a Tippingpoint IPS device that generated a false-positive on one of openSUSE's repos. The IPS would interrupt the download and abort the TCP session. I didn't have administrative access to the IPS and so couldn't see exactly what it was tripping on and couldn't disable the filter. We just lived without updates until the false-positive was itself updated away. The IPS did deep-packet inspection only on http, it wasn't a MITM decrypter.
Regards, Lew
Lew Wolfgang wrote:
The IPS did deep-packet inspection only on http, it wasn't a MITM decrypter.
How do they do deep-packet inspection if they can't peek inside the encrypted stream? I can't say for certain, but I always assumed deep packet inspection implied some sort of decrypting.
On 06/17/2018 09:37 AM, L A Walsh wrote:
Lew Wolfgang wrote:
The IPS did deep-packet inspection only on http, it wasn't a MITM decrypter.
How do they do deep-packet inspection if they can't peek inside the encrypted stream? I can't say for certain, but I always assumed deep packet inspection implied some sort of decrypting.
The IPS didn't do deep-packet inspection of https, which is why my problem would have gone away if the repos were https. The IPS deep-packet inspected only the unencrypted sessions. Note that I've not been involved with the IPS there for years, but to the best of my knowledge they still don't do MITM https stream unpacking at this time. BTW, I think it's possible to detect enterprise-level MITM decryption, but don't know the details. I vaguely remember something about certificate pinning. Any thoughts? I haven't googled this yet...
Regards, Lew
On 06/17/2018 09:52 AM, Lew Wolfgang wrote:
BTW, I think it's possible to detect enterprise-level MITM decryption, but don't know the details. I vaguely remember something about certificate pinning. Any thoughts? I haven't googled this yet...
Yes, pinning throws a wrench in the man in the middle SSL attacks by causing a browser to trust only the legitimate certificate for a timeframe, even if a trusted CA also presents a certificate for that site. In some cases it may be permanent, for example since Google ships Chrome they can also tell Chrome that only a specific CA will issue certificates for google.com, and certs issued by another CA will remain untrusted. Also, you can always tell if something is going on by looking at the certificate chain itself in your browser. Unless your company is going so far as to set up CAs with legitimate but faked names, they are not going to match the actual certificate chain.
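The interception mechanics Linda describes earlier in the thread (a bump proxy that re-signs every site certificate with a root installed in the client's trust store) and the two detection ideas in the reply above (pinning, and looking at the issuer chain) can be combined into one small check. What follows is an added example for this thread, not code from any of the posters, from Squid or from any browser vendor. A re-signing proxy necessarily changes two things the client can observe: the leaf certificate's fingerprint and the issuer chain, so comparing both against a previously recorded pin exposes the interception even when the proxy's root is trusted by the OS. The certificate bytes, issuer dicts and expected issuer name below are constructed inputs, not real certificates; `probe()` is the only part that touches the network and is not exercised offline.

```python
"""Pin checks that expose a re-signing TLS proxy (added example, not from the thread)."""
import hashlib
import socket
import ssl
from typing import Dict, Iterable, List, Optional, Set, Tuple

# --- constructed sample data (not real certificates) -------------------------
# DER bytes as they would come back from SSLSocket.getpeercert(binary_form=True).
CONSTRUCTED_DER = b"constructed-placeholder-not-a-real-der-certificate"
# The same site after a bump proxy re-signed it: different bytes, different issuer.
CONSTRUCTED_RESIGNED_DER = b"constructed-placeholder-re-signed-by-proxy"
# Dicts in the shape of SSLSocket.getpeercert(): 'issuer' is a tuple of RDNs,
# each RDN a tuple of (type, value) pairs.
CONSTRUCTED_INFO = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA Ltd"),),
               (("commonName", "Example Root"),)),
}
INTERCEPTED_INFO = {
    "issuer": ((("organizationName", "Corp Bump Proxy CA"),),
               (("commonName", "proxy.corp.example"),)),
}
EXPECTED_ISSUER_ORG = "Example CA Ltd"   # assumption: what we pinned last time


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def issuer_field(peercert: Dict, field: str) -> Optional[str]:
    """Return one RDN value (e.g. 'organizationName') from the issuer of a
    getpeercert()-style dict, or None if that RDN type is absent."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def check_pins(der_cert: bytes, peercert: Dict,
               pinned_fingerprints: Iterable[str],
               expected_issuer_org: str) -> List[str]:
    """Compare what the server presented against the recorded pin.
    Returns a list of findings; an empty list means nothing changed."""
    findings = []
    fp = cert_fingerprint(der_cert)
    if fp not in set(pinned_fingerprints):
        findings.append("leaf fingerprint %s... is not in the pin set" % fp[:16])
    org = issuer_field(peercert, "organizationName")
    if org != expected_issuer_org:
        findings.append("issuer organization %r differs from pinned %r"
                        % (org, expected_issuer_org))
    return findings


def probe(host: str, port: int, pinned_fingerprints: Set[str],
          expected_issuer_org: str, timeout: float = 5.0) -> List[str]:
    """Connect with normal chain verification, then apply the pin checks on
    top. Chain verification alone passes when the proxy root is trusted by
    the OS store; the pin comparison is what catches that case."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()   # populated because verification is on
    return check_pins(der, info, pinned_fingerprints, expected_issuer_org)


def demo() -> Tuple[int, int]:
    """Offline run on the constructed inputs: number of findings for the
    genuine certificate and for the re-signed one."""
    pins = {cert_fingerprint(CONSTRUCTED_DER)}
    genuine = check_pins(CONSTRUCTED_DER, CONSTRUCTED_INFO, pins, EXPECTED_ISSUER_ORG)
    intercepted = check_pins(CONSTRUCTED_RESIGNED_DER, INTERCEPTED_INFO,
                             pins, EXPECTED_ISSUER_ORG)
    return len(genuine), len(intercepted)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: pinning the leaf fingerprint means every legitimate certificate renewal also trips the check, which is why browser pinning (HPKP, Chrome's built-in pins) keyed on the subject public key or on the issuing CA rather than on the leaf bytes; and the issuer comparison only catches a proxy whose CA name differs from the real one, which is exactly the "legitimate but faked names" limitation the reply above mentions.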
On 2018-06-16 01:41, L A Walsh wrote:
Carlos E. R. wrote:
On 2018-06-16 00:29, Felix Miata wrote:
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced.
"Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern bloated browsers to read static pages:
You missed what he said about google ;-)
Google wants encryption. Google will not index plain sites.
So if everyone uses plain text on their web sites, then google won't index anything? That sounds a bit absurd. Do you have a source for that -- that using plaintext will keep your site from appearing in google?
At least you get lower priority. No, I don't have a source, I'm not a web admin. But I have heard of it more than once, the last time here in this thread.
That just seems too simple of a way to keep google out of anything.
:-)
What anybody else thinks about it being absurd to encode text that is static and freely available is irrelevant :-P
If many people are concerned about google & privacy, it seems like a great way to keep google out.
But the thing is, we do want our web to be indexed and articles to be found. I heard that the mail archive search wasn't working right, so google indexing it is a possibility. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Op zaterdag 16 juni 2018 01:17:34 CEST schreef Carlos E. R.:
On 2018-06-16 00:29, Felix Miata wrote:
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced.
"Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern bloated browsers to read static pages:
You missed what he said about google ;-)
Google wants encryption. Google will not index plain sites. Ergo, use encryption. From that follows use browsers that support the encryption that google wants...
What anybody else thinks about it being absurd to encode text that is static and freely available is irrelevant :-P
That's one good reason. Over here we have public advertisements from the Government telling us not to trust non-https sites. I know there's some other EU countries that send out such warnings. IMHO any website/webinterface should have https enabled. My 2 cents: using an outdated browser on an outdated system should be a no-go for a linux user. Like a car owner expecting nothing to happen after 5 years without maintenance.
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
Carlos E. R. wrote:
On 2018-06-16 00:29, Felix Miata wrote:
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced.
"Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern bloated browsers to read static pages:
You missed what he said about google ;-)
Google wants encryption. Google will not index plain sites.
AFAIU, we're not quite there (yet). I haven't looked at it in any detail, but apparently Google will give preference to encrypted sites over unencrypted. I.e. rank them higher.
-- Per Jessen, Zürich (18.7°C) Member, openSUSE Heroes
Felix Miata wrote:
Carlos E. R. composed on 2018-06-15 23:36 (UTC+0200):
Felix Miata wrote:
I don't get it either. Scripts and pictures aren't necessary parts of viewing archived mailing list posts.
Per has explained the real reason why old browsers are not supported and encryption is enforced.
"Older TLS versions have long been deprecated and now disabled" is an oversimplification that doesn't explain why everyone must only use modern bloated browsers to read static pages:
The two are not related. If you can dig out an old browser and build it with a modern openSSL library, your old browser will continue to work just fine.
-- Per Jessen, Zürich (18.6°C) Member, openSUSE Heroes
participants (15)
- Carlos E. R.
- Christian Boltz
- David C. Rankin
- David T-G
- Felix Miata
- Fraser_Bell
- Istvan Gabor
- jdd@dodin.org
- Knurpht@openSUSE
- L A Walsh
- Lew Wolfgang
- Mathias Homann
- Per Jessen
- Richard Brown
- Steven Susbauer