HTTPS on NationStates

[Shadow Afforess]

FYI: http://filippo.io/Heartbleed/#nationstates.net

http://heartbleed.com/

Oh wow, I patched the server and restarted as soon as the news came out, but there is a problem with mod-spdy that prevented it from working... even with mod-spdy disabled! Now fixed.

Seeing as issue #85 is now marked as fixed, can spdy make a comeback?

[[violet]]

Maybe. I'm not thrilled about installing a mod that doesn't receive timely security updates.

[Shadow Afforess]

Maybe. I'm not thrilled about installing a mod that doesn't receive timely security updates.

OpenSSL is the real problem.

http://arstechnica.com/information-tech ... essl-fork/

I am hoping the OpenBSD folks can produce a testable LibreSSL that can replace OpenSSL in the next year or two.

[[violet]]

Well, not really, because no software is ever going to be bug-free. We just expect that when serious problems are found, the patches come out quickly. In the case of OpenSSL, the patch came out within hours. But we were left vulnerable for another two days because there was no update for mod-spdy.

[Shadow Afforess]

Well, not really, because no software is ever going to be bug-free. We just expect that when serious problems are found, the patches come out quickly. In the case of OpenSSL, the patch came out within hours. But we were left vulnerable for another two days because there was no update for mod-spdy.

Yes you are right, but I think you are just examining the surface of the issue. I agree mod-spdy statically linking to openssl and not issuing a quick update is *bad*. But why did mod-spdy decide to run things that way? OpenSSL was assumed to be reasonably secure and a very slow updating library (updates are usually years apart). This assumption by the mod-spdy team was obviously flawed, which led downstream to your problem.

It is possible to produce bug-free software, it's just very hard. For example, if I release software that adds two numbers together, I can mathematically verify that it works for the entire integer range. Obviously it's not a wise use of time to create such an exhaustive test suite for most user-software (your bank details are not at risk of NS decides 1+1 = 3), however OpenSSL is a place where this sort of rigor should exist. I hope that LibreSSL will solve this problem. In that case, mod-spdy's assumption will not be invalid, and your problem would not have occured...

Okay that is a bit of a tangent. A bigger question is why do you use apache as a webserver? It's fairly well-known nginx provides superior performance under nearly all use-cases. Nginx supports spdy natively, and so my update process for NS++ was just an "apt-get update && apt-get dist-upgrade nginx". Are there other apache plugins that you use that have no equivalent nginx port? That would be the only logical reason I could see.

PS. You should turn off server tokens and PHP's "powered by" http headers. I see

Code: Select all

Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11


On every forum request. There is simply no good reason to tell people what server is sending out stuff. At best you are wasting 68 bytes on every request, at worst you are telling script kiddies what version to look for security exploits for. The PHP header can be turned off in the maze that is the php.ini. I don't know where to turn off the apache header, but I assume it has a setting too.

[[violet]]

This assumption by the mod-spdy team was obviously flawed, which led downstream to your problem.

I'm just not sure there is a mod-spdy team. If there was, they would have immediately pushed out an update. I wonder if it's one of those Google projects where people float in and out when they have free time.

Apache: We depend on a couple of specific modules. There might be equivalents for ngix, but there's never been enough reason to go exploring that when what we have works fine and has been tested over many years.

Server tokens: I keep turning those off and they keep turning themselves back on! Silly defaults.

There's a lot of value for me in simplicity and stability. I have limited time; the less I need to spend on system administration, the more I can spend on NationStates. Newer projects such as ngix and mod-spdy do offer benefits, but tend to be more fragile, contain more corner case issues, and require more admin time to keep working.

[Shadow Afforess]

This assumption by the mod-spdy team was obviously flawed, which led downstream to your problem.

I'm just not sure there is a mod-spdy team. If there was, they would have immediately pushed out an update. I wonder if it's one of those Google projects where people float in and out when they have free time.

This is a fair concern. I don't know enough about the project to dispute this.

Apache: We depend on a couple of specific modules. There might be equivalents for ngix, but there's never been enough reason to go exploring that when what we have works fine and has been tested over many years.

I can definitely appreciate stability and don't-fix-what-isn't-broken-isms. I used nginx from the start after reading about both. I also have no idea how much expenses are nor how close to full utilization on the servers you use. I tend to try to get every bang for my buck, but if that is not a priority for you, your decision about not changing sounds correct.

Server tokens: I keep turning those off and they keep turning themselves back on! Silly defaults.

I don't understand why server tokens even exist at all. There is literally no reason you would want them. They shouldn't even be an option to turn off, server tokens should not exist at all.

There's a lot of value for me in simplicity and stability. I have limited time; the less I need to spend on system administration, the more I can spend on NationStates. Newer projects such as ngix and mod-spdy do offer benefits, but tend to be more fragile, contain more corner case issues, and require more admin time to keep working.

I eagerly await the day HTTP 2.0 is formalized and the need for SPDY goes away. I honestly don't spend much time on sysadmin anymore either, I set up automation to do everything I might need.

[Shadow Afforess]

Suggestion:

Right now in telegrams and on the RMB, NationStates auto-linkifies any url pointing to the forums or gameside NationStates site. These urls are protocol (http or https) specific. Instead, you should make them protocol independent (//www.nationstates.net vs http://www.nationstates.net) which allows users to not be redirected to the wrong protocol version of the site. Right now if I post a https link on a RMB, anyone who clicks think they are being logged out, because they have never used the https site. Very unfriendly behavior.

[Shadow Afforess]

This may because my ip for NS is currently hardcoded in my hosts file, but I can not connect via HTTPS anymore. I get a SSL connection error in chrome that blocks the connection completely.

[The Republic of Lanos]

This may because my ip for NS is currently hardcoded in my hosts file, but I can not connect via HTTPS anymore. I get a SSL connection error in chrome that blocks the connection completely.

This is probably a result of the DOS attack that happened earlier. the HTTPS side of things probably needs to recover.

[Shadow Afforess]

This may because my ip for NS is currently hardcoded in my hosts file, but I can not connect via HTTPS anymore. I get a SSL connection error in chrome that blocks the connection completely.

This is probably a result of the DOS attack that happened earlier. the HTTPS side of things probably needs to recover.

Yes and No. You're right on the cause, wrong on the solution. It is something violet presumably needs to correct.

[[violet]]

It's because I added an extra IP address for 'nationstates.net', but HTTPS wasn't configured on that address. I've just added it, but I'm not sure it can stay, because that IP is used for other sites.

[Sseroffa]

Bug Report: The create nation feature of NS, when completed on the HTTPS site, redirects the browser to the HTTP site. Chrome does not tolerate an HTTPS site redirecting to HTTP of itself (I assume they think this is a MITM attack), and cancels the request!

[[violet]]

^ Fixed, thanks for the report.

[Namayapata]

Sorry, not sure if this has been asked before but why not just redirect ALL NS users to HTTPS?

[Indian Empire]

Yes, it has.

OOC: I remember you... from somewhere.

[The Republic of Lanos]

Sorry, not sure if this has been asked before but why not just redirect ALL NS users to HTTPS?

I believe, IIRC, HTTPS on NS is a trial and can be taken down at any time.

[[violet]]

Sorry, not sure if this has been asked before but why not just redirect ALL NS users to HTTPS?

Basically because I'm not confident enough yet that it won't break a bunch of stuff. Like not being able to create nations!

[Indian Empire]

Sorry, not sure if this has been asked before but why not just redirect ALL NS users to HTTPS?

Basically because I'm not confident enough yet that it won't break a bunch of stuff. Like not being able to create nations!

You could let a specific amount of users test it to make sure their are not any bugs before released to the general public. I am willing to be a test monkey.

[[violet]]

You could let a specific amount of users test it to make sure their are not any bugs before released to the general public. I am willing to be a test monkey.

That's what we're doing. Go ahead! https://www.nationstates.net/

[Namayapata]

You could let a specific amount of users test it to make sure their are not any bugs before released to the general public. I am willing to be a test monkey.

That's what we're doing. Go ahead! https://www.nationstates.net/

I think he means testing HTTPS for all of NationStates (as in testing a redirect system).
In other news, why not get CloudFlare? Then you get free SSL and a load of other great stuffs!

In other other news, [violet] actually quoted me!

[[violet]]

In other news, why not get CloudFlare? Then you get free SSL and a load of other great stuffs!

Because it's more complicated, less flexible, and most of all has vendor lock-in. CloudFlare is definitely interesting, and we may sign up yet. But NS has been around for 12 years: in that time, many similar services have come and gone, taking smaller sites with them, which don't have the admin resources to migrate away.

So we will always be a laggard in regard to this kind of thing.

[Indian Empire]

the HTTPS site says it cant be displayed for me. Did you notice it [violet]?

Edit: Fixed, didn't have TLS 1 on.

[Ballotonia]

the HTTPS site says it cant be displayed for me. Did you notice it [violet]?

Edit: Fixed, didn't have TLS 1 on.

TLSv1 is a requirement for https ever since we disabled SSLv3 (SSLv2 having been disabled before), which was done after a rather fundamental bug was found in the use of SSLv3. Fortunately all modern browsers support TLSv1, lest someone disables it

Ballotonia

[Indian Empire]

the HTTPS site says it cant be displayed for me. Did you notice it [violet]?

Edit: Fixed, didn't have TLS 1 on.

TLSv1 is a requirement for https ever since we disabled SSLv3 (SSLv2 having been disabled before), which was done after a rather fundamental bug was found in the use of SSLv3. Fortunately all modern browsers support TLSv1, lest someone disables it

Ballotonia

Thanks Ballotonia