Greetings.
In the past we haven't bothered to make fedoraplanet.org https because some/many of the blogs that are aggregated there are http. However, now with the advent of letsencrypt, I wonder if we shouldn't revisit that.
I noticed this again due to a recent gnome planet post: http://nibblestew.blogspot.com/2017/02/enabling-https-is-easy.html
Proposal:
* We get a https cert for fedoraplanet.org and enable it. (of course right now it will show lots of insecure content which will be anoying support wise as people ask us about it, but no more so than 'why isn't it https enabled').
* We send out an announcement asking everyone who has a blog aggregated on fedoraplanet to https enable their blogs.
* We have some deadline (like 6 months? a year? less?) and after that point we drop all the http blogs and only allow https.
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
kevin
Il 14/feb/2017 08:52 PM, "Kevin Fenzi" kevin@scrye.com ha scritto:
Greetings.
In the past we haven't bothered to make fedoraplanet.org https because some/many of the blogs that are aggregated there are http. However, now with the advent of letsencrypt, I wonder if we shouldn't revisit that.
I noticed this again due to a recent gnome planet post: http://nibblestew.blogspot.com/2017/02/enabling-https-is-easy.html
Proposal:
* We get a https cert for fedoraplanet.org and enable it. (of course right now it will show lots of insecure content which will be anoying support wise as people ask us about it, but no more so than 'why isn't it https enabled').
* We send out an announcement asking everyone who has a blog aggregated on fedoraplanet to https enable their blogs.
* We have some deadline (like 6 months? a year? less?) and after that point we drop all the http blogs and only allow https.
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
kevin
_______________________________________________ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org
I think it is not only doable easily, but also an advantage for the blog owners we collect on fedoraplanet. Maybe a deadline is the right way here, probably 6 month is not enough, but what about the end of the year? This could also be useful to clean up abandoned blogs from people who are not posting anything anymore. Just my thoughts on this topic. Robert
On Tue, Feb 14, 2017 at 09:52:53PM +0100, Robert Mayr wrote:
Il 14/feb/2017 08:52 PM, "Kevin Fenzi" kevin@scrye.com ha scritto:
In the past we haven't bothered to make fedoraplanet.org https because some/many of the blogs that are aggregated there are http. However, now with the advent of letsencrypt, I wonder if we shouldn't revisit that.
I noticed this again due to a recent gnome planet post: http://nibblestew.blogspot.com/2017/02/enabling-https-is-easy.html
Proposal:
- We get a https cert for fedoraplanet.org and enable it.
(of course right now it will show lots of insecure content which will be anoying support wise as people ask us about it, but no more so than 'why isn't it https enabled').
We send out an announcement asking everyone who has a blog aggregated on fedoraplanet to https enable their blogs.
We have some deadline (like 6 months? a year? less?) and after that point we drop all the http blogs and only allow https.
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
I think it is not only doable easily, but also an advantage for the blog owners we collect on fedoraplanet. Maybe a deadline is the right way here, probably 6 month is not enough, but what about the end of the year? This could also be useful to clean up abandoned blogs from people who are not posting anything anymore. Just my thoughts on this topic.
Generally in favor here. However, two things to add:
(1) A year seems reasonable for this. We're not under pressure here, no need to pass it on to others either.
(2) If this is truly important, infra team should (a) make themselves available to consult on how to fix, and/or (b) create a couple simple HOWTOs for the most prevalent self-hosted services.
No need for us to carry large numbers of inactive blogs on the roll, and this is a good way to find out which are still maintained. At the same time, we need to balance the ability to give non-technical community members a voice.
Hi Kevin,
I think this is Doable.
On 02/14/2017 02:10 PM, Kevin Fenzi wrote:
Greetings.
In the past we haven't bothered to make fedoraplanet.org https because some/many of the blogs that are aggregated there are http. However, now with the advent of letsencrypt, I wonder if we shouldn't revisit that.
I noticed this again due to a recent gnome planet post: http://nibblestew.blogspot.com/2017/02/enabling-https-is-easy.html
Proposal:
- We get a https cert for fedoraplanet.org and enable it.
(of course right now it will show lots of insecure content which will be anoying support wise as people ask us about it, but no more so than 'why isn't it https enabled').
We send out an announcement asking everyone who has a blog aggregated on fedoraplanet to https enable their blogs.
We have some deadline (like 6 months? a year? less?) and after that point we drop all the http blogs and only allow https.
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
kevin
infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org
Le 2017-02-14 20:10, Kevin Fenzi a écrit :
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
Do you have any statistics of the number of blog that should migrate? Total blog number, total blog with partial https (is it easy to detect?), total blog with full https.
A few month ago, I read a blog post telling "planet libre" stoped using https because they had too much warnings and errors to fix because of expired certificate. I can't find it anymore :( I'll try to find it.
I'm not really confortable with kicking out unactive blogs, as we should respect past contribution as much as current ones. When I search for information from the past, old unactive blog post are still interesting, I assume removing them from planet would make it more difficult to find (most of them, including my own, have a very low audience).
On Wed, Feb 15, 2017 at 11:32:28AM +0100, Jean-Baptiste Holcroft wrote:
Le 2017-02-14 20:10, Kevin Fenzi a écrit :
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
Do you have any statistics of the number of blog that should migrate? Total blog number, total blog with partial https (is it easy to detect?), total blog with full https.
I've tried to estimated this, using http://fedoraplanet.org/heads.html:
– there are 716 blogs in total * 284 URLs start with https:// * 432 URLs start with http://
- if I do s/http/https/ and try to access the blogs (of 432 "http://" ones): - 225 over https returned content with roughly the same size as returned over http - 209 weren't accessible by https - 34 weren't accessible by http, either
I did not check if those 225 "forced https" contain any mixed content.
Summary: - we have 716 blogs on Planet - we can access (284+225=) 509 of them over https - by forcing https we would loose ~ 200 blogs
Tomasz Torcz:
On Wed, Feb 15, 2017 at 11:32:28AM +0100, Jean-Baptiste Holcroft wrote:
Le 2017-02-14 20:10, Kevin Fenzi a écrit :
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
Do you have any statistics of the number of blog that should migrate? Total blog number, total blog with partial https (is it easy to detect?), total blog with full https.
I've tried to estimated this, using http://fedoraplanet.org/heads.html:
– there are 716 blogs in total * 284 URLs start with https:// * 432 URLs start with http://
- if I do s/http/https/ and try to access the blogs (of 432 "http://" ones):
- 225 over https returned content with roughly the same size as returned over http
- 209 weren't accessible by https
- 34 weren't accessible by http, either
I did not check if those 225 "forced https" contain any mixed content.
Summary:
- we have 716 blogs on Planet
- we can access (284+225=) 509 of them over https
- by forcing https we would loose ~ 200 blogs
I'd recommend a hybrid deadline, say 6 months from ?today ?($date)? blog is less favored if by Jan 1 2018 it's still not https it gets dropped, this let's people know 1) we are seriously 2) not trying to kill them with an immediate seemingly arb. deadline.
Corey W Sheldon M:703.839.6609:|:D:310.909.7672 PGP:|:0x90DD92F222C15DC2:|:0x32C80DA97E25CEFE:|:0x5C9AB5EC2C5CA3DA:| |:https://keybase.io/linuxmodder:%7C:https://ameridea.github.io:%7C |:http://community.ameridea.net:%7C:http://www.ameridea.net
A goal is not always meant to be reached, it often serves simply as something to aim at. --Bruce Lee Absorb what is useful, discard what is not, add what is uniquely your own. --Bruce Lee Any man willing to sacrifice security for convenience, is deserving of neither. -- Benjamin Franklin
Disclaimer: All correspondence shall be deemed of a sensitive nature, and not re-distributed without good cause or per-approval. All Emails shall be GPG signed or carry a attached vcf/asc blob, any email lacking this shall be treated with healthy skepticism.
On Wed, Feb 15, 2017, at 01:56 PM, Corey W Sheldon wrote:
Tomasz Torcz:
On Wed, Feb 15, 2017 at 11:32:28AM +0100, Jean-Baptiste Holcroft wrote:
Le 2017-02-14 20:10, Kevin Fenzi a écrit :
There's no real security advantage here, other than making more traffic on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
Do you have any statistics of the number of blog that should migrate? Total blog number, total blog with partial https (is it easy to detect?), total blog with full https.
I've tried to estimated this, using http://fedoraplanet.org/heads.html:
– there are 716 blogs in total * 284 URLs start with https:// * 432 URLs start with http://
- if I do s/http/https/ and try to access the blogs (of 432 "http://" ones):
- 225 over https returned content with roughly the same size as returned over http
- 209 weren't accessible by https
- 34 weren't accessible by http, either
I did not check if those 225 "forced https" contain any mixed content.
Summary:
- we have 716 blogs on Planet
- we can access (284+225=) 509 of them over https
- by forcing https we would loose ~ 200 blogs
I'd recommend a hybrid deadline, say 6 months from ?today ?($date)? blog is less favored if by Jan 1 2018 it's still not https it gets dropped, this let's people know 1) we are seriously 2) not trying to kill them with an immediate seemingly arb. deadline.
This is a very reasonable proposal, but could represent a problem for some in an indirect way. My personal blog is currently hosted in a manner that makes using https not possible.[^0] I don't know if others are in a similar situation, but it is reasonable to think so. Enabling https is one thing, but in my case a full migration will be required. Is there a reason we need to require the blogs that are aggregated to be https and not just encourage it and move the planet to https?
regards,
bex
^0: I use a free hosting platform that cannot do https for custom domains. However, everything else, static site generation, git, etc. is exactly like I like it :)
On Wed, 15 Feb 2017 18:19:00 +0100 Brian Exelbierd bex@pobox.com wrote:
This is a very reasonable proposal, but could represent a problem for some in an indirect way. My personal blog is currently hosted in a manner that makes using https not possible.[^0] I don't know if others are in a similar situation, but it is reasonable to think so. Enabling https is one thing, but in my case a full migration will be required. Is there a reason we need to require the blogs that are aggregated to be https and not just encourage it and move the planet to https?
Well, the main reason is that http blogs and content would cause most browsers to show a 'partially insecure' type message. Which would cause people to come to us and ask "why can't you secure your site?" :(
But of course one option would be to just keep allowing http blogs and educate people.
kevin
On Wed, 2017-02-15 at 18:19 +0100, Brian Exelbierd wrote:
This is a very reasonable proposal, but could represent a problem for some in an indirect way. My personal blog is currently hosted in a manner that makes using https not possible.[^0] I don't know if others are in a similar situation, but it is reasonable to think so. Enabling https is one thing, but in my case a full migration will be required. Is there a reason we need to require the blogs that are aggregated to be https and not just encourage it and move the planet to https?
Sounds like we may be in the same boat...
I use github pages with a custom domain and it does not appear to support https at the moment. I am researching to see if that is accurate and what my other options are.
Perhaps when we announce this it would be good to have a few Fedora Magazine / CommBlog article on how to enable https:// on popular blog hosting sites that people may use in addition to some options for people to migrate too.
Charles
infrastructure@lists.fedoraproject.org
-
Brian Exelbierd -
charles profitt -
Corey W Sheldon -
Harrison Brock -
Jean-Baptiste Holcroft -
Kevin Fenzi -
Paul W. Frields -
Robert Mayr -
Tomasz Torcz