[ANN] https at www.lua.org


[ANN] https at www.lua.org

Luiz Henrique de Figueiredo
We are pleased to announce that lua.org now accepts https connections,
thanks to the wonderfully helpful people at Pepperfish: Daniel Silverstone
and Rob Kendrick.

Please give it a try. You may need to accept the certificate once.
        https://www.lua.org

All feedback welcome. Thanks.
--lhf


Re: [ANN] https at www.lua.org

Jonathan Goble
On Tue, Mar 15, 2016 at 3:31 PM, Luiz Henrique de Figueiredo
<[hidden email]> wrote:
> We are pleased to announce that lua.org now accepts https connections,
> thanks to the wonderfully helpful people at Pepperfish: Daniel Silverstone
> and Rob Kendrick.
>
> Please give it a try. You may need to accept the certificate once.
>         https://www.lua.org
>
> All feedback welcome. Thanks.

Awesome! Everything is working on my end, with no need to manually
accept a certificate. I've changed all of my bookmarks over to use
HTTPS.

Thanks!


Re: [ANN] https at www.lua.org

Paul E. Merrell, J.D.
On Tue, Mar 15, 2016 at 12:36 PM, Jonathan Goble <[hidden email]> wrote:

> Awesome! Everything is working on my end, with no need to manually
> accept a certificate. I've changed all of my bookmarks over to use
> HTTPS.

Kudos on the change. But you don't need to change bookmarks if you use
the HTTPS Everywhere browser extension by the Electronic Frontier
Foundation and the TOR Foundation.
<https://www.eff.org/Https-everywhere>. Available for Chrome, Opera,
Firefox, and Firefox for Android.

Given an HTTP URL, the extension queries each site to see if an HTTPS
connection is available instead, and if available cancels the HTTP
request and issues an HTTPS request instead. In my experience, the
extra delay is negligible.

HTTPS Everywhere is a companion project to Let's Encrypt, a free
certificate authority that aims to make conversion to SSL a one click
experience for web masters. <https://letsencrypt.org/about/>.

Best regards,

Paul

--
[Notice not included in the above original message:  The U.S. National
Security Agency neither confirms nor denies that it intercepted this
message.]


Re: [ANN] https at www.lua.org

Luca-2
In reply to this post by Luiz Henrique de Figueiredo


mmm... and what about HTTP2?



Re: [ANN] https at www.lua.org

Soni "They/Them" L.
In reply to this post by Luiz Henrique de Figueiredo


On 15/03/16 04:31 PM, Luiz Henrique de Figueiredo wrote:

> We are pleased to announce that lua.org now accepts https connections,
> thanks to the wonderfully helpful people at Pepperfish: Daniel Silverstone
> and Rob Kendrick.
>
> Please give it a try. You may need to accept the certificate once.
> https://www.lua.org
>
> All feedback welcome. Thanks.
> --lhf
>
What about HSTS?

--
Disclaimer: these emails may be made public at any given time, with or without reason. If you don't agree with this, DO NOT REPLY.



Re: [ANN] https at www.lua.org

Jonathan Goble
In reply to this post by Paul E. Merrell, J.D.
On Tue, Mar 15, 2016 at 4:05 PM, Paul Merrell <[hidden email]> wrote:

> On Tue, Mar 15, 2016 at 12:36 PM, Jonathan Goble <[hidden email]> wrote:
>
>> Awesome! Everything is working on my end, with no need to manually
>> accept a certificate. I've changed all of my bookmarks over to use
>> HTTPS.
>
> Kudos on the change. But you don't need to change bookmarks if you use
> the HTTPS Everywhere browser extension by the Electronic Frontier
> Foundation and the TOR Foundation.
> <https://www.eff.org/Https-everywhere>. Available for Chrome, Opera,
> Firefox, and Firefox for Android.
>
> Given an HTTP URL, the extension queries each site to see if an HTTPS
> connection is available instead, and if available cancels the HTTP
> request and issues an HTTPS request instead. In my experience, the
> extra delay is negligible.
>
> HTTPS Everywhere is a companion project to Let's Encrypt, a free
> certificate authority that aims to make conversion to SSL a one click
> experience for web masters. <https://letsencrypt.org/about/>.
>
> Best regards,
>
> Paul

Yeah, I'm aware of that. But I'm old-fashioned and prefer doing things
manually [1] rather than relying on browser extensions. :-P

More specifically, I prefer to have as few extensions as possible
installed in my browser; if I can do it without installing a new
extension, then I prefer to not install it.

[1] Even as a so-called millennial [2], I love this song:
https://www.youtube.com/watch?v=2ksWKOy665o

[2] I hate that term.


Re: [ANN] https at www.lua.org

Coda Highland
On Tue, Mar 15, 2016 at 4:14 PM, Jonathan Goble <[hidden email]> wrote:

> On Tue, Mar 15, 2016 at 4:05 PM, Paul Merrell <[hidden email]> wrote:
>> On Tue, Mar 15, 2016 at 12:36 PM, Jonathan Goble <[hidden email]> wrote:
>>
>>> Awesome! Everything is working on my end, with no need to manually
>>> accept a certificate. I've changed all of my bookmarks over to use
>>> HTTPS.
>>
>> Kudos on the change. But you don't need to change bookmarks if you use
>> the HTTPS Everywhere browser extension by the Electronic Frontier
>> Foundation and the TOR Foundation.
>> <https://www.eff.org/Https-everywhere>. Available for Chrome, Opera,
>> Firefox, and Firefox for Android.
>>
>> Given an HTTP URL, the extension queries each site to see if an HTTPS
>> connection is available instead, and if available cancels the HTTP
>> request and issues an HTTPS request instead. In my experience, the
>> extra delay is negligible.
>>
>> HTTPS Everywhere is a companion project to Let's Encrypt, a free
>> certificate authority that aims to make conversion to SSL a one click
>> experience for web masters. <https://letsencrypt.org/about/>.
>>
>> Best regards,
>>
>> Paul
>
> Yeah, I'm aware of that. But I'm old-fashioned and prefer doing things
> manually [1] rather than relying on browser extensions. :-P
>
> More specifically, I prefer to have as few extensions as possible
> installed in my browser; if I can do it without installing a new
> extension, then I prefer to not install it.
>
> [1] Even as a so-called millennial [2], I love this song:
> https://www.youtube.com/watch?v=2ksWKOy665o
>
> [2] I hate that term.
>

If the http version 301's to the https version, then bookmarks will be
fine, and Chrome (IIRC) tries to do https before http when inputting a
schemeless URL. (Assuming it hasn't cached which version is active.)

I mean, if the http version were blackholing, that would be another matter.

/s/ Adam


Re: [ANN] https at www.lua.org

Jonathan Goble
On Tue, Mar 15, 2016 at 7:19 PM, Coda Highland <[hidden email]> wrote:
> If the http version 301's to the https version, then bookmarks will be
> fine,

I'd still manually change the bookmarks, because I hate having known
redirects bookmarked.

> and Chrome (IIRC) tries to do https before http when inputting a
> schemeless URL. (Assuming it hasn't cached which version is active.)

I use Firefox, which still defaults to HTTP when a schemeless URL is input.


Re: [ANN] https at www.lua.org

Soni "They/Them" L.
In reply to this post by Soni "They/Them" L.


On 15/03/16 06:01 PM, Soni L. wrote:

>
>
> On 15/03/16 04:31 PM, Luiz Henrique de Figueiredo wrote:
>> We are pleased to announce that lua.org now accepts https connections,
>> thanks to the wonderfully helpful people at Pepperfish: Daniel
>> Silverstone
>> and Rob Kendrick.
>>
>> Please give it a try. You may need to accept the certificate once.
>>     https://www.lua.org
>>
>> All feedback welcome. Thanks.
>> --lhf
>>
> What about HSTS?
>
HSTS would mean browsers would redirect to https and keep using https
for a chosen time. See https://tools.ietf.org/html/rfc6797.

It helps keep users safe.

--
Disclaimer: these emails may be made public at any given time, with or without reason. If you don't agree with this, DO NOT REPLY.
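As an added illustration of the mechanism Soni describes (this is example code, not anything from the thread, lua.org or Pepperfish), here is a minimal RFC 6797 policy cache in Python: it parses a Strict-Transport-Security header, remembers the host for max-age seconds, honours includeSubDomains and max-age=0, ignores headers that did not arrive over a clean TLS connection, and rewrites http:// URLs for known hosts to https:// before any request is sent. All host names and header values used with it are constructed.

```python
"""Minimal RFC 6797 (HSTS) policy cache.

Added example, not code from lua.org or Pepperfish. Hosts and headers fed to it
below are constructed sample values."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy is forgotten
    include_subdomains: bool


def parse_hsts(header):
    """Parse an STS header value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid: max-age missing or non-numeric, or a directive given twice."""
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:                  # 6.1: each directive at most once
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives such as "preload" are ignored, as the RFC requires
    if max_age is None:                   # max-age is the one required directive
        return None
    return max_age, include_subdomains


class HstsCache:
    """The browser-side store of "known HSTS hosts"."""

    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so expiry can be tested
        self.known = {}                   # host -> HstsEntry

    def observe(self, host, header, secure_transport=True):
        """Record a header seen in a response. RFC 6797 section 8.1: only honoured
        when received over TLS with no certificate errors, so a header seen on a
        plain-HTTP response is ignored (otherwise an on-path party could set policy)."""
        if not secure_transport:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:                  # max-age=0 tells the UA to forget the host
            self.known.pop(host, None)
            return
        self.known[host] = HstsEntry(self.now() + max_age, include_subdomains)

    def is_known_host(self, host):
        """Sections 8.2/8.3: the host itself, or a parent domain whose policy carries
        includeSubDomains, must hold an unexpired entry."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.known.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self.now():   # expired: drop it and keep looking
                del self.known[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Section 8.3 URI loading: http:// becomes https:// for a known host; an
        explicit :80 is dropped, any other explicit port is kept."""
        parts = urlsplit(url)
        if (parts.scheme != "http" or parts.hostname is None
                or not self.is_known_host(parts.hostname)):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The rewrite happens before any network traffic, which is the point Soni makes: once a browser has seen the header over a good TLS connection, a bookmark or typed http:// URL for that host never produces a plaintext request during the max-age window, so there is no HTTP hop for anything on the path to tamper with.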



Re: [ANN] https at www.lua.org

Daniel Silverstone
In reply to this post by Soni "They/Them" L.
On Tue, Mar 15, 2016 at 18:01:06 -0300, Soni L. wrote:
> What about HSTS?

We have chosen not to enable HSTS until after a bedding-in period in case there
are Lua-L people who have issues with the certificates, etc.  Once we're
satisfied that nothing bad is going on, we'll enable HSTS.

D.

--
Daniel Silverstone                         http://www.digital-scurf.org/
PGP mail accepted and encouraged.            Key Id: 3CCE BABE 206C 3B69


Re: [ANN] https at www.lua.org

Nagaev Boris
In reply to this post by Luiz Henrique de Figueiredo
On Tue, Mar 15, 2016 at 10:31 PM, Luiz Henrique de Figueiredo
<[hidden email]> wrote:

> We are pleased to announce that lua.org now accepts https connections,
> thanks to the wonderfully helpful people at Pepperfish: Daniel Silverstone
> and Rob Kendrick.
>
> Please give it a try. You may need to accept the certificate once.
>         https://www.lua.org
>
> All feedback welcome. Thanks.
> --lhf
>

Thank you for HTTPS and special thanks for IPv6!

However, the HTTPS connection of the site is not ideal. Please visit the
ssllabs page [1] and fix the known errors:

  * weak Diffie-Hellman (DH) key exchange parameters
  * RC4 cipher is accepted

[1] https://www.ssllabs.com/ssltest/analyze.html?d=www.lua.org


--


Best regards,
Boris Nagaev
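To show what the two findings mean on the server side, here is an added Python example (not Pepperfish's configuration, and not from the thread). audit_cipher_names() applies the checks a scanner such as ssllabs makes to a list of OpenSSL suite names, so it runs offline on the constructed list below; hardened_server_context() shows the equivalent knobs in Python's ssl module: a cipher string that excludes RC4 and keeps only forward-secret (EC)DHE suites, and a hook for loading a 2048-bit DH group, which is what the "weak DH parameters" finding is about. The DH parameter file path is a placeholder.

```python
"""Cipher-suite hygiene for the findings above (RC4 accepted, weak DH parameters).

Added example, not Pepperfish's configuration. The suite names passed to
audit_cipher_names() below are constructed; the DH file path is a placeholder."""
import ssl

# Forward-secret (EC)DHE key exchange with AEAD ciphers only. RC4, 3DES, MD5 and
# anonymous/NULL suites are excluded explicitly so a later OpenSSL default cannot
# quietly re-enable them.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# OpenSSL prefixes of suites with an ephemeral (EC)DH key exchange; TLS 1.3 suites
# (TLS_*) are always ephemeral.
_FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def audit_cipher_names(names):
    """Flag suites a scanner grades down. Returns {suite_name: [reasons]};
    an empty dict means nothing to report."""
    findings = {}
    for name in names:
        reasons = []
        if "RC4" in name:
            reasons.append("RC4 stream cipher")
        if "3DES" in name or "DES-CBC" in name:
            reasons.append("64-bit block cipher (DES/3DES)")
        if "NULL" in name or name.startswith("EXP"):
            reasons.append("no or export-grade encryption")
        if "MD5" in name:
            reasons.append("MD5 MAC")
        if name.startswith(("ADH", "AECDH")):
            reasons.append("anonymous (unauthenticated) key exchange")
        elif not name.startswith(_FORWARD_SECRET_PREFIXES):
            reasons.append("no forward secrecy (static RSA key exchange)")
        if reasons:
            findings[name] = reasons
    return findings


def hardened_server_context(dh_params_path=None):
    """A server SSLContext offering only the hardened suite list over TLS 1.2+.

    The "weak DH parameters" finding concerns the size of the group handed to
    load_dh_params(): generate a 2048-bit group with
    `openssl dhparam -out dhparam.pem 2048` (placeholder path) instead of reusing
    a 1024-bit group shipped with an old distribution. When no path is given the
    DHE suites fall back to whatever group OpenSSL supplies by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    if dh_params_path is not None:
        ctx.load_dh_params(dh_params_path)
    return ctx


def enabled_suite_names(ctx):
    """The suites this context will actually negotiate, as OpenSSL names."""
    return [c["name"] for c in ctx.get_ciphers()]
```

Running audit_cipher_names() over enabled_suite_names() of the hardened context returns an empty dict, which is the check worth keeping in a deployment test so that the list cannot regress when the shared host's other sites need something older.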


Re: [ANN] https at www.lua.org

Daniel Silverstone
On Wed, Mar 16, 2016 at 23:32:32 +0300, Nagaev Boris wrote:
>   * weak Diffie-Hellman (DH) key exchange parameters

This is a side effect of something I hope to fix soon.

>   * RC4 cipher is accepted

This is a side effect of the fact that it's hosted on a system which also hosts
a site which needs to be accessed by shonky old systems.  Again we hope to be
able to disable that soon.

We're very aware of ssllabs and we do use it.  Some of the things it reports we
mitigate in other ways, but we always appreciate people helping to keep us
honest :-)

Thanks,

Daniel.

--
Daniel Silverstone                         http://www.digital-scurf.org/
PGP mail accepted and encouraged.            Key Id: 3CCE BABE 206C 3B69


Re: [ANN] https at www.lua.org

Ahmed Charles
https://lua.org doesn't redirect to the www site and shows a cert error.

> On Mar 16, 2016, at 2:32 PM, Daniel Silverstone <[hidden email]> wrote:
>
>> On Wed, Mar 16, 2016 at 23:32:32 +0300, Nagaev Boris wrote:
>>  * weak Diffie-Hellman (DH) key exchange parameters
>
> This is a side effect of something I hope to fix soon.
>
>>  * RC4 cipher is accepted
>
> This is a side effect of the fact that it's hosted on a system which also hosts
> a site which needs to be accessed by shonky old systems.  Again we hope to be
> able to disable that soon.
>
> We're very aware of ssllabs and we do use it.  Some of the things it reports we
> mitigate in other ways, but we always appreciate people helping to keep us
> honest :-)
>
> Thanks,
>
> Daniel.
>
> --
> Daniel Silverstone                         http://www.digital-scurf.org/
> PGP mail accepted and encouraged.            Key Id: 3CCE BABE 206C 3B69
>


Re: [ANN] https at www.lua.org

Egor Skriptunoff-2
On Thu, Mar 17, 2016 at 5:55 AM, Ahmed Charles <[hidden email]> wrote:
https://lua.org doesn't redirect to the www site and shows a cert error.

Indeed. Firefox says the following:
lua.org uses an invalid security certificate.
The certificate is only valid for the following names: pepperfish.net, *.pepperfish.net, www.pepperfish.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN
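The error Egor pastes is the browser's reference-identity check failing: none of the certificate's subject alternative names covers "lua.org". As an added example (not code from the thread, Firefox or Pepperfish), the Python below implements the dNSName matching rules browsers apply, including the RFC 6125 wildcard constraints, and a small pre-cutover helper that lists which of a site's host names a given certificate would not cover. The SAN list is constructed from the three names quoted in the error message.

```python
"""Reference-identity check of a hostname against a certificate's dNSName SANs.

Added example, not code from the thread, Firefox or Pepperfish. The SAN list is
constructed from the names quoted in the browser error above."""

# SANs of the certificate that bare lua.org was serving, as quoted in the error.
PEPPERFISH_SANS = ["pepperfish.net", "*.pepperfish.net", "www.pepperfish.net"]


def _normalise(name):
    # DNS names compare case-insensitively; a trailing dot is the same name.
    return name.lower().rstrip(".")


def dns_name_matches(hostname, pattern):
    """Does one dNSName SAN (possibly a wildcard) cover hostname?

    Wildcard rules (RFC 6125 section 6.4.3, as browsers apply them): the '*' must
    be the entire left-most label, at least two labels must follow it, and it
    matches exactly one label. So "*.pepperfish.net" covers "mail.pepperfish.net"
    but neither "a.b.pepperfish.net" nor the bare "pepperfish.net"."""
    host = _normalise(hostname)
    pattern = _normalise(pattern)
    if "*" not in pattern:
        return host == pattern
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False          # rejects "w*.example.net" and over-broad "*.net"
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(hostname, san_names):
    """True when at least one SAN covers the hostname the client connected to."""
    return any(dns_name_matches(hostname, san) for san in san_names)


def uncovered_hostnames(hostnames, san_names):
    """Host names (of all that resolve to a box) that would produce a name-mismatch
    error with this certificate; run it before announcing an HTTPS cutover."""
    return [h for h in hostnames if not hostname_matches(h, san_names)]
```

For the names in this thread, uncovered_hostnames(["lua.org", "www.lua.org"], PEPPERFISH_SANS) returns both, which is exactly the situation the bare domain was in: the request reached a virtual host whose certificate was issued for the hosting provider's own names, not for lua.org.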

Re: [ANN] https at www.lua.org

Daniel Silverstone
In reply to this post by Ahmed Charles
On Thu, Mar 17, 2016 at 02:55:21 +0000, Ahmed Charles wrote:
> https://lua.org doesn't redirect to the www site and shows a cert error.

It's not meant to.

Sigh.

I *LOATHE* it when people expect bare domains to be exactly the same thing as
webservers.  I will see about inserting a shim for dealing with this kind
of lazy typing at some point soon.

Bleh.

If I had my way, lua.org wouldn't have an 'A' record at all, but sadly it's
useful for other things.

D.

--
Daniel Silverstone                         http://www.digital-scurf.org/
PGP mail accepted and encouraged.            Key Id: 3CCE BABE 206C 3B69


Re: [ANN] https at www.lua.org

Nagaev Boris
On Thu, Mar 17, 2016 at 12:57 PM, Daniel Silverstone
<[hidden email]> wrote:

> On Thu, Mar 17, 2016 at 02:55:21 +0000, Ahmed Charles wrote:
>> https://lua.org doesn't redirect to the www site and shows a cert error.
>
> It's not meant to.
>
> Sigh.
>
> I *LOATHE* it when people expect bare domains to be exactly the same thing as
> webservers.  I will see about inserting a shim for dealing with this kind
> of lazy typing at some point soon.

Why type this annoying "www."?
A webserver can be distinguished from other services provided by a
domain by the port used. 80 and 443 are for the web. No need for a special
domain for this.


> Bleh.
>
> If I had my way, lua.org wouldn't have an 'A' record at all, but sadly it's
> useful for other things.
>
> D.
>
> --
> Daniel Silverstone                         http://www.digital-scurf.org/
> PGP mail accepted and encouraged.            Key Id: 3CCE BABE 206C 3B69
>



--


Best regards,
Boris Nagaev


RE: [ANN] https at www.lua.org

Richter, Jörg
> Why to type this annoying "www."?
> webserver can be distinguished from other services provided by a
> domain by port used. 80 and 443 are for web. No need of special domain
> for this.

http://no-www.org/
http://www.yes-www.org/
Too bad that there is no longer http://www.www.extra-www.org/

- Jörg


RE: [ANN] https at www.lua.org

Pierre Chapuis
> http://no-www.org/
> http://www.yes-www.org/
> Too bad that there is no longer http://www.www.extra-www.org/

Note that even yes-www says that you should redirect
no-www to www (http://www.yes-www.org/why-use-www/).

--
Pierre Chapuis



Re: [ANN] https at www.lua.org

Daniel Silverstone
In reply to this post by Nagaev Boris
On Thu, Mar 17, 2016 at 18:22:45 +0300, Nagaev Boris wrote:
> > I *LOATHE* it when people expect bare domains to be exactly the same thing as
> > webservers.  I will see about inserting a shim for dealing with this kind
> > of lazy typing at some point soon.
>
> Why type this annoying "www."?
> A webserver can be distinguished from other services provided by a
> domain by the port used. 80 and 443 are for the web. No need for a special
> domain for this.

Because not all domains are hosted on a single system.  Pepperfish comprises
over six computers.  The 'A' record on a domain is more about providing for bad
mail systems which don't properly look up MX records (and yes these are
plentiful).

Still, since you lot are whingy, I've fixed the issue.

D.


--
Daniel Silverstone                         http://www.digital-scurf.org/
PGP mail accepted and encouraged.            Key Id: 3CCE BABE 206C 3B69


Re: [ANN] https at www.lua.org

Sean Conner
It was thus said that the Great Daniel Silverstone once stated:

> On Thu, Mar 17, 2016 at 18:22:45 +0300, Nagaev Boris wrote:
> > > I *LOATHE* it when people expect bare domains to be exactly the same thing as
> > > webservers.  I will see about inserting a shim for dealing with this kind
> > > of lazy typing at some point soon.
> >
> > Why type this annoying "www."?
> > A webserver can be distinguished from other services provided by a
> > domain by the port used. 80 and 443 are for the web. No need for a special
> > domain for this.
>
> Because not all domains are hosted on a single system.  Pepperfish comprises
> over six computers.  The 'A' record on a domain is more about providing for bad
> mail systems which don't properly look up MX records (and yes these are
> plentiful).

  Then those systems have been up and running since 1986, when the MX
record (with a fallback to A) was introduced.  They might also be following
RFC-974:

      For each MX, a WKS query should be issued to see if the domain
      name listed actually supports the mail service desired.  MX RRs
      which list domain names which do not support the service should be
      discarded.  This step is optional, but strongly encouraged.

(although RFC-1123 removed this optional step).

  A better theory is that the mail servers that ignore MX are just spammers
who don't really care about the details.  I've also seen the behavior of
spammers using backup MXs first for spamming, on the theory that backup MX
hosts won't do as much processing.

  -spc (Still, you might want to add WKS records 8-P

