Omnimaga
General Discussion => Technology and Development => Web Programming and Design => Topic started by: alberthrocks on September 29, 2014, 01:16:04 pm
-
https://blog.cloudflare.com/introducing-universal-ssl/
Dubbed Cloudflare Universal SSL, they are now offering free SSL to everyone, including free plans!
This includes if you are running a non-secured (no HTTPS) website, in which they will still give you HTTPS, but warn you that their server to your website will be unencrypted. (Do NOT try to run a e-commerce website if this is the case!)
The catch? For free users, they are deprecating support for older browsers by enforcing newer security standards - ECDSA and SNI.
(ECDSA is a newer and more secure encryption algorithm, and SNI is just a way to emit different SSL certificates from one IP!)
SNI support:
Desktop Browsers- Internet Explorer 7 and later
- Firefox 2
- Opera 8 with TLS 1.1 enabled
- Google Chrome:
Supported on Windows XP on Chrome 6 and later
Supported on Vista and later by default
OS X 10.5.7 in Chrome Version 5.0.342.0 and later - Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
- Note: No versions of Internet Explorer on Windows XP support SNI
Mobile Browsers- Mobile Safari for iOS 4.0
- Android 3.0 (Honeycomb) and later
- Windows Phone 7
Source: https://www.digicert.com/ssl-support/apache-secure-multiple-sites-sni.htm
Warning: Technical jargon follows!
ECDSA support gets murky, though. According to Cloudflare, it is not available on Windows XP (and below), or anything older than Android 4.0 ICS.
To clarify, they're saying you MUST have Windows Vista (and newer), as well as Android 4.0 ICS (and newer).
...but wait! Does that mean everyone using Windows XP is screwed? Not quite.
According to https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites, SSL support for IE depends on the OS's SSL support. Running IE8 on XP means that the SSL support will suffer, since IE8 will use XP's SSL support, which doesn't have the new ECDSA. (Not totally sure about SNI, though.)
So what does Firefox and Chrome use? They use their own library called NSS, which is their own SSL stack that supports EVERYTHING - so as long as you're running a pretty recent version of Firefox/Chrome, you're fine! Safari/Opera support is still unknown though. Supposedly, Opera should be using NSS since they've moved to Chrome's core, but not too sure...
In Plain English
If you're on Windows XP and you use IE: regardless of version, you will NOT be able to access a Cloudflare SSL secured site.
If you're on Windows XP and you use the latest Firefox/Chrome: you WILL be able to access a Cloudflare SSL secured site.
If you're on Windows Vista and you use the latest browser: you WILL be able to access a Cloudflare SSL secured site.
If you're on Linux and you use the latest browser (with a recent OpenSSL): you WILL be able to access a Cloudflare SSL secured site.
If you're on Android and you use Android ICS 4.0 or later: you WILL be able to access a Cloudflare SSL secured site.
If you're on iOS/Mac OS X and/or using Safari/Opera: UNKNOWN. See the next section for more details.
Finding out if you have ECDSA/SNI:
A lot of websites run with Cloudflare (including Omnimaga) - however, many will probably wait to see whether SSL support is available yet for a good amount of platforms.
That said, if you're unsure (or wanna help us out), take our survey:
https://docs.google.com/forms/d/1tXP6uoqoZUQmvPV5tclc16Nlwuza2U60_xRCAJ4BL9g/viewform
In the survey, there is a website that will tell you everything - including whether you have ECDSA and SNI or not!
withgusto...
We're not too sure whether we want to adopt this yet or not - we'll probably make a decision once the migration is complete.
-
Still waiting on proper propagation for Omnimaga to make use of this.
-
Sounds fun! I'd probably turn it on for my website, but make it optional (because they don't really need HTTPS).
-
So basically this lets Omnimaga use the https that many people requested in the past without having to purchase an expensive certificate? Also, for unsupported browsers, would the site just error completely or just warns you that you have to accept the certificate? On TVA Nouvelles, for example, I get asked to accept some certificate thing when I browse the website via Android 2.2.2 browser or Opera 12.17 but not from any other browser.
-
https == http via an ssl connection.
To answer other questions about cloudflare these are good articles to read:
- https://blog.cloudflare.com/introducing-universal-ssl/
- https://blog.cloudflare.com/origin-server-connection-security-with-universal-ssl/
- https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/
I'm not entirely sure if it will ask you to accept the cert or just error. I'd have to test since the articles don't really talk about that.
According to my testing you will just be prompted to accept the certificate.
-
Ok thanks for the info. And I assume when you say it will just prompt you to accept the certificate that it will only do so when using an invalid browser? Otherwise that might get annoying >.< (unless it only happens once for everyone)
-
Ok thanks for the info. And I assume when you say it will just prompt you to accept the certificate that it will only do so when using an invalid browser? Otherwise that might get annoying >.< (unless it only happens once for everyone)
https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/#errorsyoumaysee
All browsers will show the error until they finish provisioning SLL certificates. After that only older browsers will show an error, on which you can just tell it to ignore that error forever. Not all browsers let you remember that choice though.
-
Ok good. I was a bit worried lol :P
On TVA Nouvelles in Opera 12.17 it only shows the warning about every 4 page load (I think it might be due to some of the ads but I could be wrong) and on the Android 2.2.2 stock browser it happens around 80% of the time. Neither the browsers remember the choice.
-
So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.
-
Well yeah, I guess it's just there so HTTPS works if it's not critical to your website to have it. If you really want full HTTPS you have to opt for a paid plan.
-
So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.
For just the unencrypted part, yeah. But that's just bad security in general, and I highly doubt that you can get PCI compliance with that kind of setup. (If you can, then we're going to see some interesting things soon...)
I'm not sure about the situation for HTTPS native, but I imagine using "Full SSL (Strict)" will make it so that you server will only be the one that can decrypt. (Possibly "Full SSL" as well, assuming your SSL certificate is secure.)
-
So Cloudflare effectively uses a man-in-the-middle attack to dip into the connection between client and target server, and only encrypts the first part of the route, but to the browser it will look like a valid SSL connection thanks to SNI. In reality, there is no end-to-end encryption whatsoever. It's just a smoke screen, really.
For a site that did not have SSL before, we will default to our Flexible SSL mode, which means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not. We strongly recommend site owners install a certificate on their web servers so we can encrypt traffic to the origin. Later today we'll be publishing a blog with instructions on how to do that at no cost. Once you've installed a certificate on your web server, you can enable the Full or Strict SSL modes which encrypt origin traffic and provide a higher level of security.
If you want to leave it as only partially secured then you can, but you can secure the whole trip, and half of the trip being secure is better then none of it.
-
... but you can secure the whole trip ...
CloudFlare is still MITMing the connection and since they are based in the USA, several three letter agencies will probably have access to the traffic.
Of course a bit encryption is better than no encryption, I just hope that nobody seriously thinks this is secure.
-
... but you can secure the whole trip ...
CloudFlare is still MITMing the connection and since they are based in the USA, several three letter agencies will probably have access to the traffic.
Of course a bit encryption is better than no encryption, I just hope that nobody seriously thinks this is secure.
You should probably do some reading before you make accusations like that. Also, the concern with SSL encryption is keeping your personal information (like bank accounts, credit cards etc) out of the hands of thieves. It is not to keep it out of the hands of the law enforcement. If you are trying to do that, well
- Why don't you want the law enforcement to know about what you are doing?
- The internet is totally the wrong media for that. There are too many ways to trace information over the internet for that to be truly viable.
- Law enforcement could easily just go to the site you are visiting and request information, that or the hosting provider for the site.
https://www.cloudflare.com/security-policy (https://www.cloudflare.com/security-policy)
https://www.cloudflare.com/transparency (https://www.cloudflare.com/transparency)
I quite like cloudflare's policies. They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
-
They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
But is it 100% guaranteed that all countries in the world will not try to force their way in to get the info without CloudFlare's permission? I know that CloudFlare will be transparent about it but the possibility that a government agency goes that far (eg China or North Korea, for example) is probably what compu is concerned about. Not that I have anything to hide, personally, although I am not too comfortable about the idea of my Paypal login/password falling into the hands of random strangers since we never know what people might be up to.
-
You should probably do some reading before you make accusations like that.
Here, so you can do some reading before accusing me of false accusations: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-Off-Flexible-SSL-Full-SSL-Full-SSL-Strict-mean-
Cloudflare decrypts the traffic and acts as a man in the middle. So this is not end-to-end encryption and therefore NOT secure.
Also, the concern with SSL encryption is keeping your personal information (like bank accounts, credit cards etc) out of the hands of thieves. It is not to keep it out of the hands of the law enforcement.
No, I want to keep my data out of the hands of anyone who is not the intended receiver. The government is certainly not an intended receiver.
Why don't you want the law enforcement to know about what you are doing?
Because it's none of their business.
https://www.cloudflare.com/security-policy (https://www.cloudflare.com/security-policy)
https://www.cloudflare.com/transparency (https://www.cloudflare.com/transparency)
I quite like cloudflare's policies. They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.
-
But is it 100% guaranteed that all countries in the world will not try to force their way in to get the info without CloudFlare's permission? I know that CloudFlare will be transparent about it but the possibility that a government agency goes that far (eg China or North Korea, for example) is probably what compu is concerned about. Not that I have anything to hide, personally, although I am not too comfortable about the idea of my Paypal login/password falling into the hands of random strangers since we never know what people might be up to.
Most of the time, you'll survive as long as you don't accept invalid certificates! However, if an agency were to be able to request a falsified certificate, then it's game over... but that applies for every secured website out there.
I quite like cloudflare's policies. They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.
So.... I read up a few more things and have a better grasp of the situation now.
Let's start off by stating a few facts:
- Cloudflare is using a MITM (a "trusted" one) to secure websites. That means they do encrypt and decrypt using their certificate, and then send the traffic over to origin server by re-encrypting it with origin server's keys.
- Cloudflare does it interestingly by using one node and signing their own certificates for all domains that use that node. So they sign for cloudflare.com, *.cloudflare.com, and then client domains, like bla1.com, coolwebsite.com, etc.
That said, let's clarify...
They will only release information if required by law, and even then they will only release the limited scope of the information without any of the keys that would make all of it accessible. They will also release transparency reports about requests by government agencies and if possible inform users on what of their information was requested by government agencies.
Yes... if this was a regular warrant search. If this was NSL'd, then this would not be the case.
However - they are being slightly transparent by using something called a warrant canary (http://en.wikipedia.org/wiki/Warrant_canary), in which they discreetly notify everyone that they have been NSL'd by removing a certain phrase. But don't interpret this as something that is 100% transparent - if your node got NSL'd on Cloudflare, they won't (and can't) tell you.
If you followed the news over the last year, you would know that these policies are worth nothing if the US government can just send them a National Security Letter or force their way in.
Yes, but this applies to plenty of things:
- Your web service provider can be NSL'd to monitor traffic;
- Your server hosting provider can be NSL'd to install a backdoor on your server;
- Your SSL provider can be NSL'd to give up your private key;
- An American SSL provider can be NSL'd to forge a certificate for your website, and MITM it.
I should note that while the first three are probably nothing to worry about for those in other countries, the last one is very real, and can have global impact for those trying to visit your website.
That said, should I, a server admin, go crazy over all of this? Nope, and here's why:
- Encryption and protection on a server you don't physically control is not going to help. In fact, virtualized instances are not secure at all. The only secure server is a dedicated hardware node that you physically have in your house. And even that isn't necessarily secure!
- Security many websites at once isn't too bad of an idea. This is really big because if suddenly, if millions of websites start being HTTPS, it's harder for the agencies to determine who's who. (In the past, with fewer SSL sites, it's easier to say, "Oh this guy is using SSL, he must be hiding something".)
- Cost vs. benefit. This is probably the biggest reason. If this service provides more security to those who wish to protect sensitive information (or just prevent easy snooping), AND provides DDoS mitigation, AND provides caching, etc. etc., I think the benefits outweigh the costs. Yes, it's true that some agencies see this as a good chance to hop on in and intercept, but there are plenty of other ways for them to do that, and plenty of other opportunities to secure your data with my own efforts.
Nevertheless, I agree that privacy is a major concern that has been overlooked by lawmakers and the like. "Why don't you want the law enforcement to know about what you are doing?" is a strange question to ask - sure, I don't mind (I'm not doing anything illegal), but you're just asking to get mauled.
"They can do X now, so what?" is a question that many people ask. Then said agencies that "do X" will do even more, like Y and Z, which people will really not like! (What if Z was installing a camera in the bathroom and monitoring your "activities" there? Surely you won't mind then? ;D )
That aside - in terms of overall security, going with Cloudflare still seems like the best choice. My only reason for not setting this up yet is due to compatibility concerns, and that Cloudflare shares the same certificate with other domains, which may or may not become an issue - still researching. Of course, for those who are really concerned, I'd be happy to provide a secret, alternate route to access my server without going through Cloudflare.
tl;dr Cloudflare is not immune to NSLs, but they provide more benefit vs. cost; alt methods are available for securing server; despite all of this your privacy is still something you should value!
-
Sure, you're right, there is no 100% security.
Like I said in my first post, this is not necessarily a bad thing - the more SSL used on the internet, the better. It's a security tradeoff I personally would not want to make.
Let's just not forget that StartSSL (https://www.startssl.com/) gives out free SSL certs for everyone ;)
-
Let's just not forget that StartSSL (https://www.startssl.com/) gives out free SSL certs for everyone ;)
Yep, and cheap (US$ 60 for 2 years) Class II ones (https://www.startssl.com/?app=40) :D
(at TI-Planet we've upgraded to that (from the free one) partly because of wildcard domains (set up at registration) - it's quite useful, especially with subdomains.)
Edit : btw, HTTPS Everywhere (https://www.eff.org/Https-everywhere) FTW, and for those who didn't know about it :)
-
So does this mean I won't be able to access websites that use the free ssl with my android 2.3 gingerbread phone?
-
So does this mean I won't be able to access websites that use the free ssl with my android 2.3 gingerbread phone?
To answer your question:
https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/#errorsyoumaysee
All browsers will show the error until they finish provisioning SLL certificates. After that only older browsers will show an error, on which you can just tell it to ignore that error forever. Not all browsers let you remember that choice though.