HTTPS for 6502.org?

[BigEd]

Thanks Alex - already mentioned upthread.

BigEd wrote:

(I know Mike is aware of a need, eventually, to go to HTTPS, and is aware of LetsEncrypt and similar, but it's evidently not a priority. I've offered to help, too. It feels best not to keep bugging him about it!)

[Martin_H]

Here's a funny story about HTTPS.

I was at a hotel in Washington yesterday and tried to use their WiFi. I could connect, but when I went to Google I got an error that the browser wouldn't let me proceed due to a broken SSL connection and Googles HSTS policy. I was completely baffled as previously I would just hit the proceed link at the bottom and the captive portal would authenticate.

So what do you do when you have a baffling error and can't Google it? I popped out my phone and used the wireless network to Google it, and went down the HTTP Strict Transport Security (HSTS) headers and captive portal authentication gotcha rabbit hole.

The bottom line is that the only workaround is to go to a HTTP site first, allow the captive portal to authenticate, then go to HTTPS sites afterwards. But what sites are using HTTP now? I tried all manner of sites and kept getting hit with the bug.

Then a solution hit me, a site that is steadfastly using HTTP! I went to this forum and the problem was solved. But quite honestly this is a huge flaw that Google is ignoring and they need to work with the captive portal venders to fix it.

[cjs]

Martin_H wrote:

The bottom line is that the only workaround is to go to a HTTP site first, allow the captive portal to authenticate, then go to HTTPS sites afterwards. But what sites are using HTTP now?

example.com. And it always will be, because that's the IETF standard test site for HTTP.

As for the security stuff; it's easy to fabricate excuses for why bad actors shouldn't be interested in attacking your system. But that's generally a good way to have a security issue in the future, because the attackers are far more motivated than you are to find some way to make use of your system for nefarious purposes.

[Martin_H]

cjs wrote:

example.com. And it always will be, because that's the IETF standard test site for HTTP.

Hey thanks for the link! That will help in the future.

As for the captive portal issue. I have noticed a number of hotels getting rid of the authentication screen, and I wondered why. My guess is explaining this issue to random guests isn't possible. Telling them to type in example.com first is a lost cause.

[Mike Naberezny]

Martin_H wrote:

Then a solution hit me, a site that is steadfastly using HTTP! I went to this forum and the problem was solved.

There's nothing steadfast about it, there's an active effort to migrate, which has already been talked about on the forum.

[Martin_H]

Mike Naberezny wrote:

There's nothing steadfast about it, there's an active effort to migrate, which has already been talked about on the forum.

OK, unfortunate choice of words then. I just thought I would share both the knowledge of the captive portal authentication bug, and how the current configuration solved my issue.

[Alarm Siren]

Yeah, I can confirm that it is in-progress. Mike actually showed me the new HTTPS enabled version of the site, as-was at the time. Though the link appears to be dead now

[fachat]

Let me necropost this.

I was sitting in Edinburgh in a cafe and no Internet except unencrypted WIFI...
Even though I was using a VPN home ...

This site should indeed have TLS

André

[Agumander]

But then how will I browse it from my early 2000's iMac?

[fachat]

Agumander wrote:

But then how will I browse it from my early 2000's iMac?

He can offer both, HTTP and HTTPS.

[6502inside]

Agumander wrote:

But then how will I browse it from my early 2000's iMac?

TenFourFox supports TLS 1.3 on Power Macs, if the iMac can run at least 10.4. Otherwise, Classilla can be pointed at a Crypto Ancienne installation to do the crypto for it.

Well, you asked.

[Yuri]

6502inside wrote:

Agumander wrote:

But then how will I browse it from my early 2000's iMac?

TenFourFox supports TLS 1.3 on Power Macs, if the iMac can run at least 10.4. Otherwise, Classilla can be pointed at a Crypto Ancienne installation to do the crypto for it.

Well, you asked.

Or set up an HTTP proxy on your private network. Pretty much any internet aware machine that is directly facing the internet shouldn't be. Doesn't mater if it's Mac, Windoze, Linux or whatever, put it behind a sound firewall.

[6502inside]

Yes, Crypto Ancienne can be run as an HTTP-to-HTTPS proxy, or browsers that can be tricked/altered to offloading the cryptography to it can "upgrade" their SSL support through it.

[GARTHWILSON]

I'm using the firefox browser, and one of the bazillion settings options is to allow only https: sites. I keep it off. Maybe your browser is set to not allow http: sites, and maybe you can change that setting.

[barnacle]

I keep the setting on; whenever I come here it offers me the option, after warning about it, to connect to the http site.

Neil