Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 11 submissions in the queue.
Meta
posted by NCommander on Wednesday July 05 2023, @02:23AM   Printer-friendly
from the ssl-negotations-are-complex dept.

So, I know its been a bit quiet here, but we're working through getting through the last few items relating to cutting over to newer infrastructure. As such, its been working through the bug list, and there's one issue I want to get some feedback on.

Back in November when the infrastructure was upgraded to Ubuntu 22.04, a few users with older devices stopped being able to connect to SoylentNews. This confused me, since we've been using the same NGINX SSL termination setup that has been in use since at least 2016. Well, I finally found the root cause, and as it turns out, Canonical bumped up the minimum OpenSSL security level, which disabled several ciphers, and broke devices not supporting TLS 1.2 or later.

By testing the site with the SSL Labs site checker, it appears anything older than Android 4.0, or iOS 5 is broken. This mostly seems to be devices that are over a decade old at this point, and won't be able to browse the vast majority of sites on the Internet as is. We discussed this internally a bit, and I'm of the opinion that its not worth re-enabling the older ciphers to allow these devices to reconnect, especially since we're working to modernize the stack, and get it as up to date as we can get it. I also believe we had very few users who were actually affected by this, however, as the editors did get a few emails about SN breaking after the site upgrade, I wanted to poll the community, and make sure this is not a more widespread issue than initially believed.

Ultimately, this is going to be part of a broader discussion on what we will and won't support on SoylentNews going forward, and this seems as good of place as any to get the ball rolling.

~ NCommander

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by bzipitidoo on Wednesday July 05 2023, @04:17AM (11 children)

    by bzipitidoo (4388) on Wednesday July 05 2023, @04:17AM (#1314463) Journal

    One of the things about this drive to move everything to https is that not all traffic needs to be secure. Why can't http, without any automatic or manual user login, still be available as a fallback? A bank's website, yeah, max out the security. But a news site? A news site especially shouldn't need to securely transmit news articles that are meant for public viewing. What exactly is being guarded against? Certainly not unauthorized viewing! A man-in-the-middle altering the content of the articles on the fly? Please. Maybe tracking? Encryption doesn't stop tracking.

    I laugh to myself whenever the browser shows the message that I have to enable DRM to view some video. I always say no to that, and silently thank them for blocking a video I most certainly didn't want to autoplay. I guess DRM has a few uses, LOL.

    Starting Score:    1  point
    Moderation   +4  
       Insightful=4, Total=4
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 5, Interesting) by Anonymous Coward on Wednesday July 05 2023, @04:49AM (8 children)

    by Anonymous Coward on Wednesday July 05 2023, @04:49AM (#1314467)

    The drive to SSL is driven by google who didn't like the fact certain American ISPs replaced in-page google ads with their own ads. Encrypting everything makes that infeasible for the ISPs and google happy.

    • (Score: 4, Interesting) by RS3 on Wednesday July 05 2023, @06:43AM (4 children)

      by RS3 (6367) on Wednesday July 05 2023, @06:43AM (#1314478)

      I don't know why your comment was marked "disagree", but after thinking about it I remember those "interstitial" ads! My ISP at the time didn't do that, but many did and I wondered if that behavior amounted to illegal wiretapping.

      • (Score: -1, Offtopic) by Anonymous Coward on Wednesday July 05 2023, @07:04AM

        by Anonymous Coward on Wednesday July 05 2023, @07:04AM (#1314482)

        Obviously an aristarchus comment. Or, maybe not.

      • (Score: 0) by Anonymous Coward on Wednesday July 05 2023, @10:38PM (2 children)

        by Anonymous Coward on Wednesday July 05 2023, @10:38PM (#1314645)

        It isn't illegal wiretapping. You often give them permission in the TOS or other agreement to do that, and there are exceptions in the law for indiscriminate monitoring and certain other activities, including those necessary to prevent abuse or ensure the proper functioning of the ISP itself.

        • (Score: 2) by RS3 on Thursday July 06 2023, @04:36PM (1 child)

          by RS3 (6367) on Thursday July 06 2023, @04:36PM (#1314767)

          If I give someone permission to shoot me, will they get away with it?

          A contract, including a one-sided TOS, can not usurp laws.

          • (Score: 0) by Anonymous Coward on Friday July 07 2023, @02:59AM

            by Anonymous Coward on Friday July 07 2023, @02:59AM (#1314848)

            I stated that the laws have numerous exemptions. Giving them permission to do it is one of them. It is just like consensual homicide, where you can give someone permission to kill you and they "get away" with no consequences precisely because the law recognizes it.

    • (Score: 4, Interesting) by Anonymous Coward on Wednesday July 05 2023, @07:56AM (1 child)

      by Anonymous Coward on Wednesday July 05 2023, @07:56AM (#1314492)

      I think the drive for TLS is because the ISP is an active threat for many around the world. Beyond changing ads on the page, they can change whatever else they want, snoop on whatever they want, sell your browsing habits, give it straight to police/intelligence agencies, MITM you at will, and do all sorts of other bad things. ISPs changing ads was just the obvious maneuver that revealed the true power of those between your client and your intended server that broke the camel's back.

      • (Score: 0) by Anonymous Coward on Wednesday July 05 2023, @08:09AM

        by Anonymous Coward on Wednesday July 05 2023, @08:09AM (#1314495)

        I don't disagree with you, but it doesn't change the fact this was initially championed by google and google does not have anyone's well being in mind. It also gave them a handy excuse to deprioritize many informative legacy web sites (that did not bundle google ads) because they were plain HTML and served over plain HTTP.

    • (Score: 0) by Anonymous Coward on Wednesday July 05 2023, @08:44AM

      by Anonymous Coward on Wednesday July 05 2023, @08:44AM (#1314500)

      Plenty of people wanted the move to https not just Google. MITM was/is an actual risk - people were getting pwned from MITM attacks.

      But Google was big enough to start the snowball rolling. Before Google started doing it, the rest couldn't get much traction/adoption.

      That said even https by itself is/was not enough to protect vs MITM attacks: https://www.schneier.com/blog/archives/2010/09/uae_man-in-the.html [schneier.com]
      https://www.eff.org/deeplinks/2010/08/open-letter-verizon [eff.org]

      So what you have to do is use Firefox or similar and disable untrusted CAs. You can't use Microsoft's stuff because Microsoft will auto-add CAs and certs that it trusts. You can't use Chrome on Windows because Chrome uses Microsoft's CA stuff on Windows.

  • (Score: 3, Insightful) by requerdanos on Wednesday July 05 2023, @03:40PM (1 child)

    by requerdanos (5997) on Wednesday July 05 2023, @03:40PM (#1314563) Journal

    not all traffic needs to be secure. Why can't http, without any automatic or manual user login, still be available as a fallback?

    I came here to say this. It's possible to configure https without an auto-redirect (difficulty unknown to me) so that the user may choose between http and https, rendering the matter of what ciphers are available moot as far as the issue concerns mere access to the site. http covers *everyone* regardless of how old their device/operating system. That's what I would recommend, I guess. Plain http not for you? Use https.

    • (Score: 2) by RS3 on Thursday July 06 2023, @04:42PM

      by RS3 (6367) on Thursday July 06 2023, @04:42PM (#1314769)

      I'm not sure if this is in line with your post, but the webserver has to be configured for http and/or https. IE, it may only serve one or the other. It can serve both. But it's all in the configuration of the server- client has no say in what protocols are enabled.