SoylentNews is people

Meta
posted by NCommander on Wednesday July 05 2023, @02:23AM
from the ssl-negotations-are-complex dept.

So, I know it's been a bit quiet here, but we're working through getting through the last few items relating to cutting over to newer infrastructure. As such, it's been working through the bug list, and there's one issue I want to get some feedback on.

Back in November when the infrastructure was upgraded to Ubuntu 22.04, a few users with older devices stopped being able to connect to SoylentNews. This confused me, since we've been using the same NGINX SSL termination setup that has been in use since at least 2016. Well, I finally found the root cause, and as it turns out, Canonical bumped up the minimum OpenSSL security level, which disabled several ciphers, and broke devices not supporting TLS 1.2 or later.

By testing the site with the SSL Labs site checker, it appears anything older than Android 4.0, or iOS 5 is broken. This mostly seems to be devices that are over a decade old at this point, and won't be able to browse the vast majority of sites on the Internet as is. We discussed this internally a bit, and I'm of the opinion that it's not worth re-enabling the older ciphers to allow these devices to reconnect, especially since we're working to modernize the stack, and get it as up to date as we can get it. I also believe we had very few users who were actually affected by this, however, as the editors did get a few emails about SN breaking after the site upgrade, I wanted to poll the community, and make sure this is not a more widespread issue than initially believed.

Ultimately, this is going to be part of a broader discussion on what we will and won't support on SoylentNews going forward, and this seems as good a place as any to get the ball rolling.

~ NCommander
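
One way to size the affected population described in the post, as an added example (not SoylentNews code): count distinct client addresses whose TLS handshakes fail for legacy-client reasons in the nginx error log. It assumes `error_log` is at `info` level, that the OpenSSL reason strings listed in `LEGACY_REASONS` are the ones that indicate an old client, and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx error_log format; not real SoylentNews logs.
SAMPLE_LOG = """\
2023/07/05 02:23:01 [info] 1201#1201: *101 SSL_do_handshake() failed (SSL: error:0A000102:SSL routines::unsupported protocol) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2023/07/05 02:24:10 [info] 1201#1201: *102 SSL_do_handshake() failed (SSL: error:0A0000C1:SSL routines::no shared cipher) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443
2023/07/05 02:25:42 [info] 1201#1201: *103 SSL_do_handshake() failed (SSL: error:0A000102:SSL routines::unsupported protocol) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2023/07/05 02:26:00 [info] 1201#1201: *104 peer closed connection in SSL handshake while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2023/07/05 02:27:13 [error] 1201#1201: *105 open() "/srv/www/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: example.test
"""

# Assumption: these OpenSSL reasons mean the client offered only protocol
# versions or ciphers the server's security level no longer accepts.
LEGACY_REASONS = {"unsupported protocol", "no shared cipher"}

# Matches both the OpenSSL 3 form ("SSL routines::reason") and the
# OpenSSL 1.1.1 form ("SSL routines:function_name:reason").
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: .*?:SSL routines:[^:]*:(?P<reason>[^)]+)\)"
    r" while SSL handshaking, client: (?P<client>[0-9a-fA-F.:]+)"
)


def legacy_handshake_failures(log_text):
    """Return {reason: set(client_ips)} for failures that point at old clients."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m and m.group("reason") in LEGACY_REASONS:
            clients[m.group("reason")].add(m.group("client"))
    return dict(clients)


def summarize(log_text):
    """Count distinct affected clients overall and per failure reason."""
    by_reason = legacy_handshake_failures(log_text)
    affected = set().union(*by_reason.values())
    return {
        "distinct_clients": len(affected),
        "by_reason": {reason: len(ips) for reason, ips in by_reason.items()},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Distinct addresses are only a rough proxy for users, since clients behind NAT share an address and scanners also trigger these failures.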

 
  • (Score: 5, Interesting) by pkrasimirov (3358) on Wednesday July 05 2023, @01:15PM (#1314535)

    Sorry but these security arguments make no sense. Today's computer security is an arms race, it is always only temporary and relative to who is the opposite side. If you expect secured content (as in no tampered web pages) from your ISP, then any cypher will do, no matter how old and broken. If you want no tracking from your ISP or big tech (Google, Apple etc.), HTTP(S) won't help. If you want no tracking from soylentnews.org, HTTP(S) won't help if soylentnews.org decides to track you.

    If you want old crypto because you use an old device, that is a valid argument. However you have to keep up-to-date the root certificates on your device and very much assume it is automatically hackable the instant it goes on the Internet, simply because of the many age-old found zero-day vulnerabilities. So while you still can use soylentnews.org, the expectations of security should be zero. Which in turn means you can very well use plain-text HTTP, it will even have the added benefit of better performance because no encryption/decryption will take place and plain-text content is usually cached while HTTPS is not by default (on old devices). It will also make content separation easier, as in no payments over plain HTTP, no login, no accounts creation.

    Having said that, we should keep in mind we're talking an extremely limited number of users here compared to everyone else with normal (read: newer than 10 years) computer. It's okay to still serve them the content, if soylentnews.org desires so, however I'd recommend setting a specific sub-domain for the purpose, like http://insecure.soylentnews.org or something while http://soylentnews.org still redirects to https://soylentnews.org as any normal website should do.

    Additionally I recommend throwing out anything below TLS 1.3 and also reviewing what ciphers are actually allowed. Of course only if the effort is worth it, after all other much more severe problems were made known of this site codebase, and maybe they should take priority.

  • (Score: 2) by sjames (2882) on Thursday July 06 2023, @12:49AM (#1314667)

    It's worth asking secure against what? The only thing remotely private about posting to SN is your password which is only very occasionally transmitted.

    Honestly, there's not that much value in getting someone's SN password as long as it hasn't been re-used elsewhere. It's probably not worth exposing that you have managed to get a foothold on someone's machine. It's certainly not worth a targeted effort.

    That just leaves keeping crappy ISPs from injecting extra ads. But there, even crappy encryption is good enough. It serves the same legal purpose as a crappy padlock on a fence that can be jumped over, the ISP can't claim they didn't know their intrusion was unwelcome. If you really want to get revenge on such a crappy ISP, add a custom HTTP header with a witty saying and then slap them with a DMCA violation.