Re: OpenBSD Foundation on HTTPS
On Fri, 9 Feb 2018 12:35:25 +0100
> also, default redirect to HTTPS should be advisable

The important thing is using secure cookies for logins. Otherwise SSL is less secure. It is required if authenticity of page content is beneficial of course.

The performance claims are also fine and dandy if you have Google's money for newer processors or use cloud services, I guess? Anyone know if there are any cost implications of cloud SSL, cycle counts etc. or Intel AES-NI saves money in the cloud even?
Re: OpenBSD Foundation on HTTPS
On Fri, 9 Feb 2018 12:35:25 +0100
> https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
>
> "Beginning in July 2018 with the release of Chrome 68, Chrome will
> mark all HTTP sites as “not secure”."

^^ HTTP pages! And they admit the choice of words is poor but they can't think of any accurate ones that would have the desired effect.

They should probably get rid of the certificate lifetime limits first else any laptop (likely an older generation) whose BIOS battery has died will now be DOS from the internet with the other changes already brought in.
Re: OpenBSD Foundation on HTTPS
Hello,

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

"Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”."

so:

http://www.openbsdfoundation.org/
http://firmware.openbsd.org/firmware/
any mirror that still uses just http, not https, pkg_* should only allow https communication
any other?

also, default redirect to HTTPS should be advisable

HTTPS would provide integrity, privacy, authenticity.

Have a great weekend!

ps.: OpenBSD team is great! I am just advising that it would be better to use HTTPS.

> Sent: Thursday, February 08, 2018 at 12:37 AM
> From: "Charlie Eddy"
> To: jer...@fuckthensa.nl
> Cc: "Jonathan Thornburg", misc@openbsd.org
> Subject: Re: OpenBSD Foundation on HTTPS
>
> Hello Jonathan Thornburg,
>
> That is quite simple. The post will work.
>
> https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612
>
> Regards,
>
> On Wed, Feb 7, 2018 at 6:42 AM, Jeroen wrote:
>
> > With HTTPS, can you be sure that the server isn't compromised? With or
> > without HTTPS, it's always a good idea to check whether the address is
> > correct (a foundation has to be registered and at other places).
> >
> > On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:
> > > From http://www.openbsdfoundation.org/donations.html :
> > > > Donations may be made by cheque in CAD/EUR/USD funds to:
> > > >
> > > > The OpenBSD Foundation
> > > > 8101 160 Street
> > > > Edmonton, Alberta, Canada
> > > > T5R 2G9
> > >
> > > Without https, how can one verify that that is the correct address?
Re: OpenBSD Foundation on HTTPS
Hello Jonathan Thornburg,

That is quite simple. The post will work.

https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612

Regards,

On Wed, Feb 7, 2018 at 6:42 AM, Jeroen wrote:

> With HTTPS, can you be sure that the server isn't compromised? With or
> without HTTPS, it's always a good idea to check whether the address is
> correct (a foundation has to be registered and at other places).
>
> On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:
> > From http://www.openbsdfoundation.org/donations.html :
> > > Donations may be made by cheque in CAD/EUR/USD funds to:
> > >
> > > The OpenBSD Foundation
> > > 8101 160 Street
> > > Edmonton, Alberta, Canada
> > > T5R 2G9
> >
> > Without https, how can one verify that that is the correct address?
Re: OpenBSD Foundation on HTTPS
As far as I am concerned, HTTPS by itself doesn't do miracles. It involved more tech. Unless you can hack the global web infra, it's only possible to change this on a local network. Wouldn't there be more interesting targets in such situations?

Don't get me wrong, I am not trying to downplay the lack of HTTPS. But I do understand why this has no priority whatsoever. Proper HTTPS is more work than running ACME to get a certificate issued. DANE, CAA, etc.

On Tue, 2018-02-06 at 15:43 -0800, Charlie Eddy wrote:
> "Can I update the value of "hosted_button_id" and
> send you to my Paypal account ?"
>
> this
>
> is much cleaner, more logical, more formal, and more sensible than
>
> "No need to have this one https type really there isn't any information
> you enter on it..."
>
> On Tue, Feb 6, 2018 at 1:10 PM, Denis Fondras wrote:
>
> > > If you actually donate and click on any links there you would see it
> > > bring you to a secure page.
> > >
> >
> > But is this the right link ? Can I update the value of "hosted_button_id" and
> > send you to my Paypal account ?
> >
> > Denis
Re: OpenBSD Foundation on HTTPS
With HTTPS, can you be sure that the server isn't compromised? With or without HTTPS, it's always a good idea to check whether the address is correct (a foundation has to be registered and at other places).

On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:
> From http://www.openbsdfoundation.org/donations.html :
> > Donations may be made by cheque in CAD/EUR/USD funds to:
> >
> > The OpenBSD Foundation
> > 8101 160 Street
> > Edmonton, Alberta, Canada
> > T5R 2G9
>
> Without https, how can one verify that that is the correct address?
Re: OpenBSD Foundation on HTTPS
From http://www.openbsdfoundation.org/donations.html :
> Donations may be made by cheque in CAD/EUR/USD funds to:
>
> The OpenBSD Foundation
> 8101 160 Street
> Edmonton, Alberta, Canada
> T5R 2G9

Without https, how can one verify that that is the correct address?
Re: OpenBSD Foundation on HTTPS
thank you for providing that email address, case closed as far as I'm concerned
Re: OpenBSD Foundation on HTTPS
Whilst that might seem like a fair argument, what would happen if I man in the middled your request for the http page? I could easily change the links to point to my malicious site, and with certificates being so easy to get, it would be relatively easy to make it look authentic as far as the "you end up on a secure page" argument goes and, given the quality of some spearphishing, the appearance of the page as well.

Of course, none of that would be possible if all of the pages were TLS encrypted.

Tom
Re: OpenBSD Foundation on HTTPS
On 2018-02-06, Daniel Ouellet wrote:
> Come on guys.
>
> If you actually donate and click on any links there you would see it
> bring you to a secure page.
>
> No need to have this one https type really there isn't any information
> you enter on it...
>
> I guess the sand is way more thick some places than others
>
> Must be nice beaches there and pretty bikini too I hope!

Just because some payment processors somehow manage to get that iframe-served-by-insecure-site crap through pci-dss doesn't mean it's safe. Pages redirecting/linking/posting to or -embedding payment pages have just as high a security requirement as the payment pages themselves. You don't want them to be intercepted and modified.

> On 2/6/18 1:03 PM, Charlie Eddy wrote:
>> agreed - using HTTP instead of HTTPS is a great way to encourage that
>> activity, and since I love having my head in the sand like an ostrich I
>> encourage us to not encrypt the donation links to the most secure operating
>> system available to the public. That way we can't donate securely to the
>> foundation we support - the sand is great from down here

If you don't trust the forms, you can use obsd-pay...@openbsdfoundation.org directly.
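Added example, not part of the original message or of any OpenBSD Foundation code: a defender-side check for the concern in this message and the "hosted_button_id" question raised elsewhere in the thread. It parses a page's payment form and compares the form target and button id against values obtained out of band; the sample markup, the button ids and the example.org URLs are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample markup (not the real donations page) and placeholder ids.
GOOD_PAGE = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_s-xclick">
  <input type="hidden" name="hosted_button_id" value="EXAMPLEGOOD01">
</form>
"""
# The same page as it could arrive after modification in transit.
TAMPERED_PAGE = GOOD_PAGE.replace("EXAMPLEGOOD01", "EXAMPLEOTHER99")
DOWNGRADED_PAGE = GOOD_PAGE.replace("https://www.", "http://www.")

# Pinned expectations, assumed to have been obtained out of band.
EXPECTED = {"host": "www.paypal.com", "hosted_button_id": "EXAMPLEGOOD01"}


class FormCollector(HTMLParser):
    """Collect every <form> action together with its named <input> values."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_payment_forms(html, page_url, expected=EXPECTED):
    """Return a list of findings; an empty list means everything matched."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page fetched without TLS, content is unauthenticated")
    parser = FormCollector()
    parser.feed(html)
    payment = [f for f in parser.forms if "hosted_button_id" in f["fields"]]
    if not payment:
        findings.append("no payment form found")
    for form in payment:
        target = urlsplit(form["action"])
        if target.scheme != "https":
            findings.append("form action is not https: %r" % form["action"])
        if target.hostname != expected["host"]:
            findings.append("unexpected form host: %r" % target.hostname)
        if form["fields"]["hosted_button_id"] != expected["hosted_button_id"]:
            findings.append("hosted_button_id differs from pinned value")
    return findings
```

A page fetched over plain HTTP is still reported even when its form matches the pins, because nothing authenticates the next fetch of the same URL.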
Re: OpenBSD Foundation on HTTPS
"Can I update the value of "hosted_button_id" and send you to my Paypal account ?"

this

is much cleaner, more logical, more formal, and more sensible than

"No need to have this one https type really there isn't any information you enter on it..."

On Tue, Feb 6, 2018 at 1:10 PM, Denis Fondras wrote:

> > If you actually donate and click on any links there you would see it
> > bring you to a secure page.
> >
>
> But is this the right link ? Can I update the value of "hosted_button_id" and
> send you to my Paypal account ?
>
> Denis
Re: OpenBSD Foundation on HTTPS
> If you actually donate and click on any links there you would see it
> bring you to a secure page.
>

But is this the right link ? Can I update the value of "hosted_button_id" and send you to my Paypal account ?

Denis
Re: OpenBSD Foundation on HTTPS
Come on guys.

If you actually donate and click on any links there you would see it bring you to a secure page.

No need to have this one https type really there isn't any information you enter on it...

I guess the sand is way more thick some places than others

Must be nice beaches there and pretty bikini too I hope!

On 2/6/18 1:03 PM, Charlie Eddy wrote:
> agreed - using HTTP instead of HTTPS is a great way to encourage that
> activity, and since I love having my head in the sand like an ostrich I
> encourage us to not encrypt the donation links to the most secure operating
> system available to the public. That way we can't donate securely to the
> foundation we support - the sand is great from down here
>
> On Tue, Feb 6, 2018 at 3:32 AM, Hess THR wrote:
>
>> troll on
>>
>> hey, yeah, you are absolutely right!
>>
>> no one would ever modify (since plain http) the example.:
>>
>> http://www.openbsdfoundation.org/donations.html
>>
>> page, where are the PayPal donation links, bitcoin donation links are,
>> without anybody noticing!
>>
>> Why would someone do something like this? we live in a perfect world
>> without bad people! yay pink ponies!
>>
>> troll off
>>
>>
>>> Sent: Tuesday, February 06, 2018 at 12:23 PM
>>> From: "Ian Sutton"
>>> To: "Hess THR"
>>> Cc: "misc@OpenBSD.org"
>>> Subject: Re: OpenBSD Foundation on HTTPS
>>>
>>> Hi,
>>>
>>> There is no need. There is nothing secret on those web servers, there
>>> is no logical reason to encrypt it. This issue has been discussed to
>>> death. Please check archives.
>>>
>>> Ian
>>>
>>> On Tue, Feb 6, 2018 at 4:03 AM, Hess THR wrote:
>>>> Hello,
>>>>
>>>> because HTTPS increases the authenticity, integrity, privacy:
>>>> https://en.wikipedia.org/wiki/HTTPS
>>>>
>>>> going to apache/iis/nginx/linux will not increase "security". since
>>>> they have very buggy code.
>>>>
>>>> but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting
>>>> the code in the base?
>>>>
>>>>
>>>>> Sent: Friday, December 15, 2017 at 12:11 PM
>>>>> From: "Vivek Vinod"
>>>>> To: "Hess THR"
>>>>> Subject: Re: OpenBSD Foundation on HTTPS
>>>>>
>>>>> 1) Why do you want https support?
>>>>> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest
>>>>> we shift to IIS as well? Wait, I guess more people use Linux, so we should
>>>>> stop using OpenBSD all together.
>>>>>
>>>>>
>>>>> -Original Message-
>>>>> From: on behalf of Hess THR <hessnovth...@mail.com>
>>>>> Date: Friday, 15 December 2017 at 4:20 PM
>>>>> To: ,
>>>>> Subject: OpenBSD Foundation on HTTPS
>>>>>
>>>>> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
>>>>> support HTTPS, while in 2017 Dec, ~70% of the websites do:
>>>>> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
>>>>> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
>>>>> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
>>>>> BTW, wow:
>>>>> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Re: OpenBSD Foundation on HTTPS
agreed - using HTTP instead of HTTPS is a great way to encourage that activity, and since I love having my head in the sand like an ostrich I encourage us to not encrypt the donation links to the most secure operating system available to the public. That way we can't donate securely to the foundation we support - the sand is great from down here

On Tue, Feb 6, 2018 at 3:32 AM, Hess THR wrote:

> troll on
>
> hey, yeah, you are absolutely right!
>
> no one would ever modify (since plain http) the example.:
>
> http://www.openbsdfoundation.org/donations.html
>
> page, where are the PayPal donation links, bitcoin donation links are,
> without anybody noticing!
>
> Why would someone do something like this? we live in a perfect world
> without bad people! yay pink ponies!
>
> troll off
>
>
> > Sent: Tuesday, February 06, 2018 at 12:23 PM
> > From: "Ian Sutton"
> > To: "Hess THR"
> > Cc: "misc@OpenBSD.org"
> > Subject: Re: OpenBSD Foundation on HTTPS
> >
> > Hi,
> >
> > There is no need. There is nothing secret on those web servers, there
> > is no logical reason to encrypt it. This issue has been discussed to
> > death. Please check archives.
> >
> > Ian
> >
> > On Tue, Feb 6, 2018 at 4:03 AM, Hess THR wrote:
> > > Hello,
> > >
> > > because HTTPS increases the authenticity, integrity, privacy:
> > > https://en.wikipedia.org/wiki/HTTPS
> > >
> > > going to apache/iis/nginx/linux will not increase "security". since
> > > they have very buggy code.
> > >
> > > but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting
> > > the code in the base?
> > >
> > >
> > >> Sent: Friday, December 15, 2017 at 12:11 PM
> > >> From: "Vivek Vinod"
> > >> To: "Hess THR"
> > >> Subject: Re: OpenBSD Foundation on HTTPS
> > >>
> > >> 1) Why do you want https support?
> > >> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest
> > >> we shift to IIS as well? Wait, I guess more people use Linux, so we should
> > >> stop using OpenBSD all together.
> > >>
> > >>
> > >> -Original Message-
> > >> From: on behalf of Hess THR <hessnovth...@mail.com>
> > >> Date: Friday, 15 December 2017 at 4:20 PM
> > >> To: ,
> > >> Subject: OpenBSD Foundation on HTTPS
> > >>
> > >> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
> > >> support HTTPS, while in 2017 Dec, ~70% of the websites do:
> > >> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
> > >> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
> > >> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
> > >> BTW, wow:
> > >> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Re: OpenBSD Foundation on HTTPS
Hi,

There is no need. There is nothing secret on those web servers, there is no logical reason to encrypt it. This issue has been discussed to death. Please check archives.

Ian

On Tue, Feb 6, 2018 at 4:03 AM, Hess THR wrote:
> Hello,
>
> because HTTPS increases the authenticity, integrity, privacy:
> https://en.wikipedia.org/wiki/HTTPS
>
> going to apache/iis/nginx/linux will not increase "security". since they have
> very buggy code.
>
> but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code
> in the base?
>
>
>> Sent: Friday, December 15, 2017 at 12:11 PM
>> From: "Vivek Vinod"
>> To: "Hess THR"
>> Subject: Re: OpenBSD Foundation on HTTPS
>>
>> 1) Why do you want https support?
>> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift
>> to IIS as well? Wait, I guess more people use Linux, so we should stop using
>> OpenBSD all together.
>>
>>
>> -Original Message-
>> From: on behalf of Hess THR
>> Date: Friday, 15 December 2017 at 4:20 PM
>> To: ,
>> Subject: OpenBSD Foundation on HTTPS
>>
>> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
>> support HTTPS, while in 2017 Dec, ~70% of the websites do:
>> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
>> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
>> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
>> BTW, wow:
>>
>> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Re: OpenBSD Foundation on HTTPS
troll on

hey, yeah, you are absolutely right!

no one would ever modify (since plain http) the example.:

http://www.openbsdfoundation.org/donations.html

page, where are the PayPal donation links, bitcoin donation links are, without anybody noticing!

Why would someone do something like this? we live in a perfect world without bad people! yay pink ponies!

troll off

> Sent: Tuesday, February 06, 2018 at 12:23 PM
> From: "Ian Sutton"
> To: "Hess THR"
> Cc: "misc@OpenBSD.org"
> Subject: Re: OpenBSD Foundation on HTTPS
>
> Hi,
>
> There is no need. There is nothing secret on those web servers, there
> is no logical reason to encrypt it. This issue has been discussed to
> death. Please check archives.
>
> Ian
>
> On Tue, Feb 6, 2018 at 4:03 AM, Hess THR wrote:
> > Hello,
> >
> > because HTTPS increases the authenticity, integrity, privacy:
> > https://en.wikipedia.org/wiki/HTTPS
> >
> > going to apache/iis/nginx/linux will not increase "security". since they
> > have very buggy code.
> >
> > but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the
> > code in the base?
> >
> >
> >> Sent: Friday, December 15, 2017 at 12:11 PM
> >> From: "Vivek Vinod"
> >> To: "Hess THR"
> >> Subject: Re: OpenBSD Foundation on HTTPS
> >>
> >> 1) Why do you want https support?
> >> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we
> >> shift to IIS as well? Wait, I guess more people use Linux, so we should
> >> stop using OpenBSD all together.
> >>
> >>
> >> -Original Message-
> >> From: on behalf of Hess THR
> >> Date: Friday, 15 December 2017 at 4:20 PM
> >> To: ,
> >> Subject: OpenBSD Foundation on HTTPS
> >>
> >> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
> >> support HTTPS, while in 2017 Dec, ~70% of the websites do:
> >> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
> >> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
> >> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
> >> BTW, wow:
> >>
> >> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
Re: OpenBSD Foundation on HTTPS
Hello,

because HTTPS increases the authenticity, integrity, privacy: https://en.wikipedia.org/wiki/HTTPS

going to apache/iis/nginx/linux will not increase "security". since they have very buggy code.

but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code in the base?

> Sent: Friday, December 15, 2017 at 12:11 PM
> From: "Vivek Vinod"
> To: "Hess THR"
> Subject: Re: OpenBSD Foundation on HTTPS
>
> 1) Why do you want https support?
> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift
> to IIS as well? Wait, I guess more people use Linux, so we should stop using
> OpenBSD all together.
>
>
> -Original Message-
> From: on behalf of Hess THR
> Date: Friday, 15 December 2017 at 4:20 PM
> To: ,
> Subject: OpenBSD Foundation on HTTPS
>
> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
> support HTTPS, while in 2017 Dec, ~70% of the websites do:
> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
> BTW, wow:
>
> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
OpenBSD Foundation on HTTPS
Hello,

Just noticed that the: http://www.openbsdfoundation.org/ doesn't support HTTPS, while in 2017 Dec, ~70% of the websites do: https://letsencrypt.org/stats/#percent-pageloads

Can we have HTTPS for the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got HTTPS yet?

I wish you happy holidays and again, Thanks for all the work!

BTW, wow: https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3