posted by NCommander on Wednesday July 05 2023, @02:23AM
from the ssl-negotations-are-complex dept.

So, I know it's been a bit quiet here, but we're working through getting through the last few items relating to cutting over to newer infrastructure. As such, it's been working through the bug list, and there's one issue I want to get some feedback on.

Back in November when the infrastructure was upgraded to Ubuntu 22.04, a few users with older devices stopped being able to connect to SoylentNews. This confused me, since we've been using the same NGINX SSL termination setup that has been in use since at least 2016. Well, I finally found the root cause, and as it turns out, Canonical bumped up the minimum OpenSSL security level, which disabled several ciphers, and broke devices not supporting TLS 1.2 or later.

By testing the site with the SSL Labs site checker, it appears anything older than Android 4.0, or iOS 5 is broken. This mostly seems to be devices that are over a decade old at this point, and won't be able to browse the vast majority of sites on the Internet as is. We discussed this internally a bit, and I'm of the opinion that it's not worth re-enabling the older ciphers to allow these devices to reconnect, especially since we're working to modernize the stack, and get it as up to date as we can get it. I also believe we had very few users who were actually affected by this, however, as the editors did get a few emails about SN breaking after the site upgrade, I wanted to poll the community, and make sure this is not a more widespread issue than initially believed.

Ultimately, this is going to be part of a broader discussion on what we will and won't support on SoylentNews going forward, and this seems as good a place as any to get the ball rolling.

~ NCommander
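The post relies on the SSL Labs scan to see which protocol versions the NGINX termination still accepts. The script below is an added example, not part of the post or of SoylentNews' own tooling: it runs the same check from a shell using `openssl s_client`, forcing one TLS version per handshake, and classifies each result. The host and port are placeholder arguments, and the three `SAMPLE_*` strings are constructed, abbreviated `s_client` output used to exercise the classifier offline. The third outcome, `client-refused`, is the caveat a practitioner wants here: on a box whose system OpenSSL has the raised default security level the post describes, the client side will not even offer TLS 1.0 or 1.1, so that result says nothing about the server being probed.

```shell
#!/bin/sh
# Added example: probe which TLS protocol versions a server will negotiate.
# Not code from the SoylentNews post; it uses the documented openssl s_client
# flags. HOST/PORT are placeholder arguments, and the SAMPLE_* strings are
# constructed output used for an offline self-check.

PROTOS="tls1 tls1_1 tls1_2 tls1_3"   # s_client version flags: -tls1 ... -tls1_3

# classify_handshake: read s_client output on stdin and print one word.
#   accepted        a cipher was negotiated ("New, TLSv1.x, Cipher is <name>")
#   rejected        the server refused that version ("Cipher is (NONE)", alert)
#   client-refused  the local openssl would not offer the version at all,
#                   which is what a raised client-side security level looks like
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"no protocols available"*) echo client-refused; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q '^New, .*Cipher is ' &&
       ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_host HOST [PORT]: one forced-version handshake per protocol in PROTOS.
# </dev/null closes stdin so s_client exits right after the handshake.
probe_host() {
    host=$1
    port=${2:-443}
    for p in $PROTOS; do
        result=$(openssl s_client -connect "$host:$port" -servername "$host" \
                     "-$p" </dev/null 2>&1 | classify_handshake)
        printf '%-8s %s\n' "$p" "$result"
    done
}

# Constructed samples (abbreviated s_client output; the error codes are not real).
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3'
SAMPLE_REJECTED='CONNECTED(00000003)
error:XXXXXXXX:SSL routines::sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)'
SAMPLE_CLIENT_REFUSED='error:XXXXXXXX:SSL routines::no protocols available'

# self_check: run the classifier over the constructed samples (no network).
self_check() {
    printf 'sample accepted       -> %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_handshake)"
    printf 'sample rejected       -> %s\n' "$(printf '%s\n' "$SAMPLE_REJECTED" | classify_handshake)"
    printf 'sample client-refused -> %s\n' "$(printf '%s\n' "$SAMPLE_CLIENT_REFUSED" | classify_handshake)"
}

# With arguments, probe the given host; without, just run the offline self-check.
if [ $# -ge 1 ]; then
    probe_host "$@"
else
    self_check
fi
```

Run it as `sh tls_probe.sh your.host 443` from a machine whose openssl still offers the old versions; a row of `client-refused` means the probe box, not the server, is the one declining. On the server side, the NGINX `ssl_protocols` directive (for example `ssl_protocols TLSv1.2 TLSv1.3;`) is what makes the cutoff an explicit, documented decision rather than something inherited from the distribution's OpenSSL defaults, which is exactly the kind of silent change the post ran into.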

 
This discussion has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by Common Joe on Wednesday July 05 2023, @03:00AM (6 children)

    by Common Joe (33) on Wednesday July 05 2023, @03:00AM (#1314450) Journal

    I don't know about "better off not using SSL at all", but generally I'm with you on your statement. The modern web requires a modern client.

    The "old fashioned" stuff I like (and I think what a majority like) isn't so much "old fashioned" as it is "simplicity". We're looking for a simple web experience -- unencumbered and not enshittified.

    I think the people with the old technologies are trying to avoid websites that are overly engineered, but there comes a point when the programmer can't keep bending over backwards because then it becomes encumbering and enshittified for the programmer. There's a give and take here with a happy middle. I think working towards the middle and keeping things very simple should be the goal.

    That's my two cents, at least.

  • (Score: 2) by RS3 on Wednesday July 05 2023, @06:38AM (5 children)

    by RS3 (6367) on Wednesday July 05 2023, @06:38AM (#1314477)

    Totally agree. I wish browsers (and all software) were more modular, like it would be great if browser SSL and TLS were done in a plugin, library, something replaceable rather than compiled into a great blob executable. I still like and use Old Opera much of the time, but it only goes up to TLS 1.2, so there are quite a few websites it won't connect with.

    (Personal frustration: why does everyone demand https? If it's some kind of business, banking, email, login, etc., sure, but I'm just reading news or general information- it doesn't need to be encrypted, does it?)

    • (Score: 4, Informative) by mth on Wednesday July 05 2023, @11:18AM (4 children)

      by mth (2848) on Wednesday July 05 2023, @11:18AM (#1314512) Homepage

      (Personal frustration: why does everyone demand https? If it's some kind of business, banking, email, login, etc., sure, but I'm just reading news or general information- it doesn't need to be encrypted, does it?)

      Even if the information is public, using HTTPS is still useful because it prevents the content from being tampered with. With plain HTTP for example a greedy ISP could insert ads into sites or a malicious WiFi access point could insert misinformation or exploits into the requested data.

      • (Score: 1) by Runaway1956 on Wednesday July 05 2023, @01:43PM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Wednesday July 05 2023, @01:43PM (#1314537) Journal

        Additionally, if an attacker can intercept and decipher some of your traffic, said attacker can gain insights and data that might enable him to capture the rest of your data. Every nugget of intel on the target makes the target easier to defeat.

        --
        We've finally beat Medicare! - Houseplant in Chief
        • (Score: 2) by RS3 on Wednesday July 05 2023, @02:21PM

          by RS3 (6367) on Wednesday July 05 2023, @02:21PM (#1314545)

          Well, with http, no "s", no deciphering needed- we're handing it to them. Again, seems like wiretapping to me.

      • (Score: 2) by RS3 on Wednesday July 05 2023, @02:19PM

        by RS3 (6367) on Wednesday July 05 2023, @02:19PM (#1314543)

        Yes, thanks. After I posted above I saw AC's comment about ISP (mostly ad) injection, and then I remember that had become a big problem many years ago. As I commented below, that injection seems like illegal wiretapping.

      • (Score: 3, Informative) by SomeGuy on Wednesday July 05 2023, @06:19PM

        by SomeGuy (5632) on Wednesday July 05 2023, @06:19PM (#1314593)

        As someone who browses with older browsers, I sometimes come across sites that attempt to load because they support older encryption. But then they crap out as they try to load thousands of advertising links. It's the ADVERTISERS who want high levels of encryption.

        A long time ago, there actually used to be ad blockers that would intercept and alter HTTP traffic before it got to a browser. There are still malicious networks that try to insert advertising into HTTP traffic (and they should be considered nothing less than that - absolutely malicious. Never something that should be put up with).

        You know damn well if broken encryption was to become common enough, some even more corrupt than usual ISP would start inserting their own advertisements in place of existing ones.