Testing

General discussion about anything related to Transcendence.
Post Reply
george moromisato
Developer
Developer
Posts: 2936
Joined: Thu Jul 24, 2003 9:53 pm
Contact:

Fri Jan 09, 2015 5:42 pm

I'm testing out SSL via CloudFlare (http://cloudflare.com) and I'd like to see how good they are. Could you try this URL and let me know if you get any security warnings or errors?

https://neurohack.com

TECHNICAL DETAILS
SSL provides two benefits:
1. It encrypts traffic between the user and the web site. For example, if you are in a coffee shop (on a public network) other people in the shop will not be able to sniff your traffic as you talk to the Kronosaur servers.

2. It authenticates the web site to the user. This means that you can trust that the web site you've reached really belongs to Kronosaur Productions and not to some other site that highjacked the traffic (e.g., via a rogue access point).

To implement this, we obtain a cryptographic certificate from a reputable certificate authority (e.g., Verisign). We then use it on the server to both sign and encrypt the connection. When a browser connects to the server, it asks to "see" the certificate and validates it against a known list of reputable certificate authorities. As long as Verisign has "signed" the certificate, the browser trusts it.

In contrast, CloudFlare essentially runs proxy servers (technically, a "reverse proxy"). A user's browser will hit the CloudFlare servers asking for neurohack.com. The CloudFlare servers will then connect to neurohack.com and serve up pages.

Since the user is talking to CloudFlare, it gets a chance to both present a certificate (authentication) and to encrypt traffic to the user. [The connection from CloudFlare to neurohack.com may or may not be encrypted, but that matters less since CloudFlare is not sitting in a coffee shop where people can sniff their traffic.]

The advantage, from my perspective, is that we don't have to implement our own SSL and acquire our own certificate (which costs money).

But the disadvantage is that we are using CloudFlare's certificate to authenticate. I believe that in some cases (i.e., some browsers) this won't work properly. All modern browsers should handle it correctly, but there might be problems with down-level browsers.

Hence this test!

User avatar
Xephyr
Militia Captain
Militia Captain
Posts: 828
Joined: Fri Dec 14, 2007 1:52 am
Location: Orion Arm, Milky Way
Contact:

Fri Jan 09, 2015 5:47 pm

Works fine for me.
Project Renegade (Beta) : "The Poor Man's Corporate Command!"
"Cowards die many times before their deaths; The valiant never taste of death but once. " -Julius Caesar as written by William Shakespeare, a notorious permadeath player.

User avatar
Shrike
Fleet Admiral
Fleet Admiral
Posts: 2712
Joined: Mon Aug 17, 2009 4:27 am
Location: Scouting the borders of sanity (there's a lovely view of the abyss).

Fri Jan 09, 2015 8:42 pm

Looking good to me (Running Seamonkey 2.31 on Win8.1). Nice to see a move towards SSL. :)
Mischievous local moderator. Always unusual, occasionally undefinable, sometimes entertaining. She/Her pronouns.

User avatar
Ttech
Fleet Admiral
Fleet Admiral
Posts: 2754
Joined: Tue Nov 06, 2007 12:03 am
Location: Traveling in the TARDIS
Contact:

Fri Jan 09, 2015 9:53 pm

Glad to see we're finally doing SSL!

This can work, but if you are going to set this up, could I make a request? Please use self signed certificates on your servers, this prevents one channel being encrypted and the other channel suffering from pain text transmission. In fact, on the Cloudflares web site, they recommend that sites implement either self signed or fully signed internal sites for the purpose of preventing and providing validation of the systems cloudflare is serving up.
Image
Image

*** AWAY ON SABBATICAL ***
** USE EMAIL TO CONTACT ME **

george moromisato
Developer
Developer
Posts: 2936
Joined: Thu Jul 24, 2003 9:53 pm
Contact:

Fri Jan 09, 2015 10:02 pm

Ttech wrote:Glad to see we're finally doing SSL!

This can work, but if you are going to set this up, could I make a request? Please use self signed certificates on your servers, this prevents one channel being encrypted and the other channel suffering from pain text transmission. In fact, on the Cloudflares web site, they recommend that sites implement either self signed or fully signed internal sites for the purpose of preventing and providing validation of the systems cloudflare is serving up.
Agreed! That's absolutely my plan.

I've made a lot of progress in getting Hexarc (my server code) to handle SSL. I have only a little bit more to go, so it should be done soon.

[In fact, before I found CloudFlare I was planning on buying a certificate--they are not that expensive. But CloudFlare also gives us a bunch of other advantages, like worldwide CDN distribution and resistance to DDoS attacks.]

User avatar
Ttech
Fleet Admiral
Fleet Admiral
Posts: 2754
Joined: Tue Nov 06, 2007 12:03 am
Location: Traveling in the TARDIS
Contact:

Fri Jan 09, 2015 10:08 pm

george moromisato wrote:
Ttech wrote:Glad to see we're finally doing SSL!

This can work, but if you are going to set this up, could I make a request? Please use self signed certificates on your servers, this prevents one channel being encrypted and the other channel suffering from pain text transmission. In fact, on the Cloudflares web site, they recommend that sites implement either self signed or fully signed internal sites for the purpose of preventing and providing validation of the systems cloudflare is serving up.
Agreed! That's absolutely my plan.

I've made a lot of progress in getting Hexarc (my server code) to handle SSL. I have only a little bit more to go, so it should be done soon.

[In fact, before I found CloudFlare I was planning on buying a certificate--they are not that expensive. But CloudFlare also gives us a bunch of other advantages, like worldwide CDN distribution and resistance to DDoS attacks.]
CloudFlare is amazing for what you're doing, especially the entire hexarc infrastructure. And for testing both internal and public facing stuff check out https://www.ssllabs.com/ssltest/ if you haven't seen it before.
I can't wait for the wiki and the forums to be on SSL! :D
Image
Image

*** AWAY ON SABBATICAL ***
** USE EMAIL TO CONTACT ME **

george moromisato
Developer
Developer
Posts: 2936
Joined: Thu Jul 24, 2003 9:53 pm
Contact:

Fri Jan 09, 2015 10:14 pm

Ttech wrote:And for testing both internal and public facing stuff check out https://www.ssllabs.com/ssltest/ if you haven't seen it before.
I can't wait for the wiki and the forums to be on SSL! :D
Thanks for that link! I'll use it to get Hexarc up to compliance.

User avatar
Arkheias
Commonwealth Pilot
Commonwealth Pilot
Posts: 95
Joined: Mon Jun 02, 2014 8:06 pm

Fri Jan 09, 2015 10:43 pm

I saw no problems using chrome browser (v39.0.2171.93) on my phone (android v4.4.2) and firefox (v34.0.5) on my pc (Windows 7).
Cabbage Corp, the only mod with cabbages!

Please feel free to submit bug reports or issues related to the Cabbage Corp mod on the GitHub page, the forum thread, in a private message or even on the Xelerus page. Suggestions are fine too.

User avatar
digdug
Fleet Admiral
Fleet Admiral
Posts: 2612
Joined: Mon Oct 29, 2007 9:23 pm
Location: Decoding hieroglyphics on Tan-Ru-Dorem

Sun Jan 11, 2015 12:42 pm

Works great with the latests Opera Mini and Opera Coast on iOS7.
Same for on my Firefox 34.0.5 and Internet Explorer 11 on Windows 7.

User avatar
pixelfck
Militia Captain
Militia Captain
Posts: 571
Joined: Tue Aug 11, 2009 8:47 pm
Location: Travelling around in Europe

Sun Jan 11, 2015 4:06 pm

If you are not set on using cloudfare, you could take a look at startssl.com. They have a slightly different business model from what is usual in the industry: ssl certificates for single web domains are free. If you want anything beyond that (a wildcard certificate for example) you pay for them to certify that you (the person) are who you say you are (valid for two years, so prices quoted are for two year two). After this step, you can get ssl certificates for sites you own/administer (automated check) without any additional costs.

I've used this certificate authority in the past and I'm quite happy with them.

~Pixelfck
Image
Download the Black Market Expansion from Xelerus.de today!
My other mods at xelerus.de

bzm3r
Militia Lieutenant
Militia Lieutenant
Posts: 100
Joined: Tue Oct 23, 2012 2:38 pm

Mon Jan 12, 2015 2:02 am

Works well for me. Chrome 39.0.2171.95 m (Win 8.1) and Iceweasel 31.3.0 (Debian wheezy, stable).

george moromisato
Developer
Developer
Posts: 2936
Joined: Thu Jul 24, 2003 9:53 pm
Contact:

Mon Jan 12, 2015 6:21 pm

Thanks for everyone's help. I've enabled HTTPS on all our sites. See: http://forums.kronosaur.com/viewtopic.php?f=2&t=6972

I still need implement HTTPS on the connection between CloudFlare and Hexarc, but that should happen in the next few month.

Thanks again, and let me know if you run into any problems.

Post Reply