
posted by NCommander on Sunday June 07 2015, @01:06AM
from the huzzah dept.

Earlier tonight, I modified our varnish rules to redirect all traffic to https://soylentnews.org if it came in as plain HTTP. Unfortunately, because we dropped SSLv3 support to prevent POODLE attacks, IE6 clients will no longer be able to reach SoylentNews. If this seriously inconveniences a large number of users, we may go through the trouble of whitelisting IE6 so that it drops down to HTTP only.

In addition, I applied an experimental update to production to try to clear as many errors as possible from the Apache error logs, in an attempt to continue isolating any remaining bugs and slowdowns. I also ripped out more dead code related to FireHose, Achievements, and Tags. As a result, site performance appears to be roughly back to where it should be, and I have yet to see any 500 errors post-upgrade (though I concede that the update has only been up for about 2 hours at this point).

Tor traffic is set to bypass HTTPS because there is no way to prevent a self-signed certificate warning, and by design, Tor both encrypts and authenticates hosts when connecting to them. A few lingering issues with the Tor proxy were fixed with the most recent code push, and the onion site should be back to functioning normally.
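As an added illustration (not the site's actual rules), here is Varnish 4 VCL that performs the HTTP-to-HTTPS redirect described above while leaving onion-service requests on plain HTTP. It assumes TLS is terminated in front of Varnish and signalled with an X-Forwarded-Proto header, and that onion requests reach Varnish with the .onion name in the Host header; both are assumptions.

```vcl
vcl 4.0;

# Added example, not SoylentNews' own configuration. Assumptions: Varnish 4
# syntax; TLS is terminated in front of Varnish, which marks secure requests
# with X-Forwarded-Proto: https; onion-service requests carry a .onion Host.

sub vcl_recv {
    # Requests that arrived through the onion service stay on plain HTTP:
    # Tor already encrypts and authenticates the hidden service, and a
    # redirect to https:// would only trigger a certificate warning.
    # Everything else that did not arrive over TLS is sent a 301 to HTTPS.
    if (req.http.Host !~ "(?i)\.onion$"
        && (!req.http.X-Forwarded-Proto
            || req.http.X-Forwarded-Proto != "https")) {
        return (synth(750, "Redirect to HTTPS"));
    }

    # Optional IE6 exception floated in the post (left disabled here):
    # if (req.http.User-Agent ~ "MSIE 6\.") { /* skip the redirect */ }
}

sub vcl_synth {
    # Turn the synthetic 750 into a permanent redirect to the HTTPS origin,
    # preserving the requested path and query string.
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://soylentnews.org" + req.url;
        return (deliver);
    }
}
```

Note that the .onion exception only makes sense when the onion proxy's requests are distinguishable from ordinary ones; if they share a Host header, match on the proxy's source address instead.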

P.S. I'm aware that the site is generating warnings because we use a SHA-1 based certificate. We will be changing out the certificate as soon as reasonably possible.

  • (Score: 0) by Anonymous Coward on Sunday June 07 2015, @03:01AM (#193117)

    Tor traffic is set to bypass HTTPS due to the fact there is no way to prevent a self-signed certificate warning, and by design, tor both encrypts and authenticates hosts when connecting to them. A few lingering issues with the tor proxy

    But Tor doesn't help with last-mile attacks between that tor proxy and the server. Personally, I'd be fine with a self-signed cert warning because you only need to see it on your first visit, then you can tell your browser to remember it permanently. You can publish the fingerprint of the cert on the non-tor website so anyone can verify it that way if needed.

  • (Score: 3, Informative) by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Sunday June 07 2015, @03:07AM (#193122) Homepage Journal

    The connection is terminated within our network if you're using our onion site, which is no different than non-tor SSL (we terminate SSL on the load balancer). We've documented and stated this before. We've tried before to terminate on the web frontends, but have had odd side effects with that setup.

    --
    Still always moving
  • (Score: 2) by compro01 (2515) on Sunday June 07 2015, @03:38AM (#193130)

    But Tor doesn't help with last-mile attacks between that tor proxy and the server.

    It does when it's a hidden service, like SoylentNews is (http://7rmath4ro2of2a42.onion). There isn't an exit node, so there is no possibility of a last-mile attack, as the last layer of the encryption isn't unwrapped until it's within Soylent's network, unlike how it works connecting to a site on the open web via Tor.

    • (Score: 4, Informative) by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Sunday June 07 2015, @03:54AM (#193137) Homepage Journal

      OP got it in one. When you connect to soylentnews.org directly with Tor Browser, you'll get our standard SSL certificate (this incidentally should work now over tor, though much slower than if going via the onion site). If you come out via our onion site, you pop out on boron, which is one of our misc boxes, and the connection travels the last mile unencrypted within the Linode Dallas data center. While I'd love to do something about that last-mile problem, at the moment it's not practical to fix as we don't have complete control of our infrastructure due to being on VPSes :(.

      --
      Still always moving