1:10 p.m.
Greetings.
In the past we haven't bothered to make fedoraplanet.org https because
some/many of the blogs that are aggregated there are http. However, now
with the advent of letsencrypt, I wonder if we shouldn't revisit that.
I noticed this again due to a recent gnome planet post:
http://nibblestew.blogspot.com/2017/02/enabling-https-is-easy.html
Proposal:
* We get a https cert for fedoraplanet.org and enable it.
(of course right now it will show lots of insecure content which will
be anoying support wise as people ask us about it, but no more so than
'why isn't it https enabled').
* We send out an announcement asking everyone who has a blog aggregated
on fedoraplanet to https enable their blogs.
* We have some deadline (like 6 months? a year? less?) and after that
point we drop all the http blogs and only allow https.
There's no real security advantage here, other than making more traffic
on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
kevin
2:52 p.m.
Il 14/feb/2017 08:52 PM, "Kevin Fenzi" <kevin(a)scrye.com> ha scritto:
Greetings.
In the past we haven't bothered to make fedoraplanet.org https because
some/many of the blogs that are aggregated there are http. However, now
with the advent of letsencrypt, I wonder if we shouldn't revisit that.
I noticed this again due to a recent gnome planet post:
http://nibblestew.blogspot.com/2017/02/enabling-https-is-easy.html
Proposal:
* We get a https cert for fedoraplanet.org and enable it.
(of course right now it will show lots of insecure content which will
be anoying support wise as people ask us about it, but no more so than
'why isn't it https enabled').
* We send out an announcement asking everyone who has a blog aggregated
on fedoraplanet to https enable their blogs.
* We have some deadline (like 6 months? a year? less?) and after that
point we drop all the http blogs and only allow https.
There's no real security advantage here, other than making more traffic
on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
kevin
_______________________________________________
infrastructure mailing list -- infrastructure(a)lists.fedoraproject.org
To unsubscribe send an email to infrastructure-leave(a)lists.fedoraproject.org
I think it is not only doable easily, but also an advantage for the blog
owners we collect on fedoraplanet.
Maybe a deadline is the right way here, probably 6 month is not enough, but
what about the end of the year? This could also be useful to clean up
abandoned blogs from people who are not posting anything anymore.
Just my thoughts on this topic.
Robert
9:32 a.m.
On Tue, Feb 14, 2017 at 09:52:53PM +0100, Robert Mayr wrote:
Il 14/feb/2017 08:52 PM, "Kevin Fenzi"
<kevin(a)scrye.com> ha scritto:
> In the past we haven't bothered to make fedoraplanet.org https because
> some/many of the blogs that are aggregated there are http. However, now
> with the advent of letsencrypt, I wonder if we shouldn't revisit that.
>
> I noticed this again due to a recent gnome planet post:
> http://nibblestew.blogspot.com/2017/02/enabling-https-is-easy.html
>
> Proposal:
>
> * We get a https cert for fedoraplanet.org and enable it.
> (of course right now it will show lots of insecure content which will
> be anoying support wise as people ask us about it, but no more so than
> 'why isn't it https enabled').
>
> * We send out an announcement asking everyone who has a blog aggregated
> on fedoraplanet to https enable their blogs.
>
> * We have some deadline (like 6 months? a year? less?) and after that
> point we drop all the http blogs and only allow https.
>
> There's no real security advantage here, other than making more traffic
> on the net encrypted, which I think is a good goal.
>
> What do folks think? Doable? To harsh? Pointless?
I think it is not only doable easily, but also an advantage for the blog
owners we collect on fedoraplanet.
Maybe a deadline is the right way here, probably 6 month is not enough, but
what about the end of the year? This could also be useful to clean up
abandoned blogs from people who are not posting anything anymore.
Just my thoughts on this topic.
Generally in favor here. However, two things to add:
(1) A year seems reasonable for this. We're not under pressure here,
no need to pass it on to others either.
(2) If this is truly important, infra team should (a) make themselves
available to consult on how to fix, and/or (b) create a couple simple
HOWTOs for the most prevalent self-hosted services.
No need for us to carry large numbers of inactive blogs on the roll,
and this is a good way to find out which are still maintained. At the
same time, we need to balance the ability to give non-technical
community members a voice.
--
Paul W. Frields http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - - http://pfrields.fedorapeople.org/
The open source story continues to grow: http://opensource.com
2:55 p.m.
Hi Kevin,
I think this is Doable.
On 02/14/2017 02:10 PM, Kevin Fenzi wrote:
Greetings.
In the past we haven't bothered to make fedoraplanet.org https because
some/many of the blogs that are aggregated there are http. However, now
with the advent of letsencrypt, I wonder if we shouldn't revisit that.
I noticed this again due to a recent gnome planet post:
http://nibblestew.blogspot.com/2017/02/enabling-https-is-easy.html
Proposal:
* We get a https cert for fedoraplanet.org and enable it.
(of course right now it will show lots of insecure content which will
be anoying support wise as people ask us about it, but no more so than
'why isn't it https enabled').
* We send out an announcement asking everyone who has a blog aggregated
on fedoraplanet to https enable their blogs.
* We have some deadline (like 6 months? a year? less?) and after that
point we drop all the http blogs and only allow https.
There's no real security advantage here, other than making more traffic
on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
kevin
_______________________________________________
infrastructure mailing list -- infrastructure(a)lists.fedoraproject.org
To unsubscribe send an email to infrastructure-leave(a)lists.fedoraproject.org
4:32 a.m.
Le 2017-02-14 20:10, Kevin Fenzi a écrit :
There's no real security advantage here, other than making more
traffic
on the net encrypted, which I think is a good goal.
What do folks think? Doable? To harsh? Pointless?
Do you have any statistics of the number of blog that should migrate?
Total blog number, total blog with partial https (is it easy to
detect?), total blog with full https.
A few month ago, I read a blog post telling "planet libre" stoped using
https because they had too much warnings and errors to fix because of
expired certificate. I can't find it anymore :( I'll try to find it.
I'm not really confortable with kicking out unactive blogs, as we should
respect past contribution as much as current ones. When I search for
information from the past, old unactive blog post are still interesting,
I assume removing them from planet would make it more difficult to find
(most of them, including my own, have a very low audience).
5:58 a.m.
On Wed, Feb 15, 2017 at 11:32:28AM +0100, Jean-Baptiste Holcroft wrote:
Le 2017-02-14 20:10, Kevin Fenzi a écrit :
> There's no real security advantage here, other than making more traffic
> on the net encrypted, which I think is a good goal.
>
> What do folks think? Doable? To harsh? Pointless?
Do you have any statistics of the number of blog that should migrate? Total
blog number, total blog with partial https (is it easy to detect?), total
blog with full https.
I've tried to estimated this, using http://fedoraplanet.org/heads.html:
– there are 716 blogs in total
* 284 URLs start with https://
* 432 URLs start with http://
- if I do s/http/https/ and try to access the blogs (of 432 "http://" ones):
- 225 over https returned content with roughly the same size as returned over http
- 209 weren't accessible by https
- 34 weren't accessible by http, either
I did not check if those 225 "forced https" contain any mixed content.
Summary:
- we have 716 blogs on Planet
- we can access (284+225=) 509 of them over https
- by forcing https we would loose ~ 200 blogs
--
Tomasz Torcz There exists no separation between gods and men:
xmpp: zdzichubg(a)chrome.pl one blends softly casual into the other.
6:56 a.m.
Tomasz Torcz:
On Wed, Feb 15, 2017 at 11:32:28AM +0100, Jean-Baptiste Holcroft
wrote:
> Le 2017-02-14 20:10, Kevin Fenzi a écrit :
>> There's no real security advantage here, other than making more traffic
>> on the net encrypted, which I think is a good goal.
>>
>> What do folks think? Doable? To harsh? Pointless?
>
> Do you have any statistics of the number of blog that should migrate? Total
> blog number, total blog with partial https (is it easy to detect?), total
> blog with full https.
I've tried to estimated this, using http://fedoraplanet.org/heads.html:
– there are 716 blogs in total
* 284 URLs start with https://
* 432 URLs start with http://
- if I do s/http/https/ and try to access the blogs (of 432 "http://" ones):
- 225 over https returned content with roughly the same size as returned over http
- 209 weren't accessible by https
- 34 weren't accessible by http, either
I did not check if those 225 "forced https" contain any mixed content.
Summary:
- we have 716 blogs on Planet
- we can access (284+225=) 509 of them over https
- by forcing https we would loose ~ 200 blogs
I'd recommend a hybrid deadline, say 6 months from ?today ?($date)?
blog is less favored if by Jan 1 2018 it's still not https it gets
dropped, this let's people know 1) we are seriously 2) not trying to
kill them with an immediate seemingly arb. deadline.
Corey W Sheldon
M:703.839.6609:|:D:310.909.7672
PGP:|:0x90DD92F222C15DC2:|:0x32C80DA97E25CEFE:|:0x5C9AB5EC2C5CA3DA:|
|:https://keybase.io/linuxmodder:|:https://ameridea.github.io:|
|:http://community.ameridea.net:|:http://www.ameridea.net
A goal is not always meant to be reached, it often serves simply as
something to aim at. --Bruce Lee
Absorb what is useful, discard what is not, add what is uniquely your
own. --Bruce Lee
Any man willing to sacrifice security for convenience, is deserving of
neither. -- Benjamin Franklin
Disclaimer: All correspondence shall be deemed of a sensitive nature,
and not re-distributed without good cause or per-approval.
All Emails shall be GPG signed or carry a attached vcf/asc blob, any
email lacking this shall be treated with healthy skepticism.
11:19 a.m.
On Wed, Feb 15, 2017, at 01:56 PM, Corey W Sheldon wrote:
Tomasz Torcz:
> On Wed, Feb 15, 2017 at 11:32:28AM +0100, Jean-Baptiste Holcroft wrote:
>> Le 2017-02-14 20:10, Kevin Fenzi a écrit :
>>> There's no real security advantage here, other than making more traffic
>>> on the net encrypted, which I think is a good goal.
>>>
>>> What do folks think? Doable? To harsh? Pointless?
>>
>> Do you have any statistics of the number of blog that should migrate? Total
>> blog number, total blog with partial https (is it easy to detect?), total
>> blog with full https.
>
> I've tried to estimated this, using http://fedoraplanet.org/heads.html:
>
> – there are 716 blogs in total
> * 284 URLs start with https://
> * 432 URLs start with http://
>
> - if I do s/http/https/ and try to access the blogs (of 432 "http://"
ones):
> - 225 over https returned content with roughly the same size as returned over
http
> - 209 weren't accessible by https
> - 34 weren't accessible by http, either
>
> I did not check if those 225 "forced https" contain any mixed content.
>
> Summary:
> - we have 716 blogs on Planet
> - we can access (284+225=) 509 of them over https
> - by forcing https we would loose ~ 200 blogs
>
I'd recommend a hybrid deadline, say 6 months from ?today ?($date)?
blog is less favored if by Jan 1 2018 it's still not https it gets
dropped, this let's people know 1) we are seriously 2) not trying to
kill them with an immediate seemingly arb. deadline.
This is a very reasonable proposal, but could represent a problem for
some in an indirect way. My personal blog is currently hosted in a
manner that makes using https not possible.[^0] I don't know if others
are in a similar situation, but it is reasonable to think so. Enabling
https is one thing, but in my case a full migration will be required.
Is there a reason we need to require the blogs that are aggregated to be
https and not just encourage it and move the planet to https?
regards,
bex
^0: I use a free hosting platform that cannot do https for custom
domains. However, everything else, static site generation, git, etc. is
exactly like I like it :)
1:08 p.m.
On Wed, 15 Feb 2017 18:19:00 +0100
Brian Exelbierd <bex(a)pobox.com> wrote:
This is a very reasonable proposal, but could represent a problem
for
some in an indirect way. My personal blog is currently hosted in a
manner that makes using https not possible.[^0] I don't know if
others are in a similar situation, but it is reasonable to think so.
Enabling https is one thing, but in my case a full migration will be
required. Is there a reason we need to require the blogs that are
aggregated to be https and not just encourage it and move the planet
to https?
Well, the main reason is that http blogs and content would cause most
browsers to show a 'partially insecure' type message. Which would cause
people to come to us and ask "why can't you secure your site?" :(
But of course one option would be to just keep allowing http blogs and
educate people.
kevin
8:10 p.m.
On Wed, 2017-02-15 at 18:19 +0100, Brian Exelbierd wrote:
This is a very reasonable proposal, but could represent a problem for
some in an indirect way. My personal blog is currently hosted in a
manner that makes using https not possible.[^0] I don't know if
others are in a similar situation, but it is reasonable to think
so. Enabling https is one thing, but in my case a full migration
will be required. Is there a reason we need to require the blogs
that are aggregated to be https and not just encourage it and move
the planet to https?
Sounds like we may be in the same boat...
I use github pages with a custom domain and it does not appear to
support https at the moment. I am researching to see if that is
accurate and what my other options are.
Perhaps when we announce this it would be good to have a few Fedora
Magazine / CommBlog article on how to enable https:// on popular blog
hosting sites that people may use in addition to some options for
people to migrate too.
Charles
2687
days inactive
2689
days old
infrastructure@lists.fedoraproject.org
9 comments
9 participants
participants (9)
-
Brian Exelbierd -
charles profitt -
Corey W Sheldon -
Harrison Brock -
Jean-Baptiste Holcroft -
Kevin Fenzi -
Paul W. Frields -
Robert Mayr -
Tomasz Torcz