Testing

[george moromisato]

I'm testing out SSL via CloudFlare (http://cloudflare.com) and I'd like to see how good they are. Could you try this URL and let me know if you get any security warnings or errors?

https://neurohack.com

TECHNICAL DETAILS
SSL provides two benefits:
1. It encrypts traffic between the user and the web site. For example, if you are in a coffee shop (on a public network) other people in the shop will not be able to sniff your traffic as you talk to the Kronosaur servers.

2. It authenticates the web site to the user. This means that you can trust that the web site you've reached really belongs to Kronosaur Productions and not to some other site that highjacked the traffic (e.g., via a rogue access point).

To implement this, we obtain a cryptographic certificate from a reputable certificate authority (e.g., Verisign). We then use it on the server to both sign and encrypt the connection. When a browser connects to the server, it asks to "see" the certificate and validates it against a known list of reputable certificate authorities. As long as Verisign has "signed" the certificate, the browser trusts it.

In contrast, CloudFlare essentially runs proxy servers (technically, a "reverse proxy"). A user's browser will hit the CloudFlare servers asking for neurohack.com. The CloudFlare servers will then connect to neurohack.com and serve up pages.

Since the user is talking to CloudFlare, it gets a chance to both present a certificate (authentication) and to encrypt traffic to the user. [The connection from CloudFlare to neurohack.com may or may not be encrypted, but that matters less since CloudFlare is not sitting in a coffee shop where people can sniff their traffic.]

The advantage, from my perspective, is that we don't have to implement our own SSL and acquire our own certificate (which costs money).

But the disadvantage is that we are using CloudFlare's certificate to authenticate. I believe that in some cases (i.e., some browsers) this won't work properly. All modern browsers should handle it correctly, but there might be problems with down-level browsers.

Hence this test!

[Xephyr]

Works fine for me.

[Song]

Looking good to me (Running Seamonkey 2.31 on Win8.1). Nice to see a move towards SSL.

[Ttech]

Glad to see we're finally doing SSL!

This can work, but if you are going to set this up, could I make a request? Please use self signed certificates on your servers, this prevents one channel being encrypted and the other channel suffering from pain text transmission. In fact, on the Cloudflares web site, they recommend that sites implement either self signed or fully signed internal sites for the purpose of preventing and providing validation of the systems cloudflare is serving up.

[george moromisato]

Glad to see we're finally doing SSL!

This can work, but if you are going to set this up, could I make a request? Please use self signed certificates on your servers, this prevents one channel being encrypted and the other channel suffering from pain text transmission. In fact, on the Cloudflares web site, they recommend that sites implement either self signed or fully signed internal sites for the purpose of preventing and providing validation of the systems cloudflare is serving up.

Agreed! That's absolutely my plan.

I've made a lot of progress in getting Hexarc (my server code) to handle SSL. I have only a little bit more to go, so it should be done soon.

[In fact, before I found CloudFlare I was planning on buying a certificate--they are not that expensive. But CloudFlare also gives us a bunch of other advantages, like worldwide CDN distribution and resistance to DDoS attacks.]

[Ttech]

Glad to see we're finally doing SSL!

This can work, but if you are going to set this up, could I make a request? Please use self signed certificates on your servers, this prevents one channel being encrypted and the other channel suffering from pain text transmission. In fact, on the Cloudflares web site, they recommend that sites implement either self signed or fully signed internal sites for the purpose of preventing and providing validation of the systems cloudflare is serving up.

Agreed! That's absolutely my plan.

I've made a lot of progress in getting Hexarc (my server code) to handle SSL. I have only a little bit more to go, so it should be done soon.

[In fact, before I found CloudFlare I was planning on buying a certificate--they are not that expensive. But CloudFlare also gives us a bunch of other advantages, like worldwide CDN distribution and resistance to DDoS attacks.]

CloudFlare is amazing for what you're doing, especially the entire hexarc infrastructure. And for testing both internal and public facing stuff check out https://www.ssllabs.com/ssltest/ if you haven't seen it before.
I can't wait for the wiki and the forums to be on SSL!

[george moromisato]

And for testing both internal and public facing stuff check out https://www.ssllabs.com/ssltest/ if you haven't seen it before.
I can't wait for the wiki and the forums to be on SSL!

Thanks for that link! I'll use it to get Hexarc up to compliance.

[Arkheias]

I saw no problems using chrome browser (v39.0.2171.93) on my phone (android v4.4.2) and firefox (v34.0.5) on my pc (Windows 7).

[digdug]

Works great with the latests Opera Mini and Opera Coast on iOS7.
Same for on my Firefox 34.0.5 and Internet Explorer 11 on Windows 7.

[pixelfck]

If you are not set on using cloudfare, you could take a look at startssl.com. They have a slightly different business model from what is usual in the industry: ssl certificates for single web domains are free. If you want anything beyond that (a wildcard certificate for example) you pay for them to certify that you (the person) are who you say you are (valid for two years, so prices quoted are for two year two). After this step, you can get ssl certificates for sites you own/administer (automated check) without any additional costs.

I've used this certificate authority in the past and I'm quite happy with them.

~Pixelfck

[bzm3r]

Works well for me. Chrome 39.0.2171.95 m (Win 8.1) and Iceweasel 31.3.0 (Debian wheezy, stable).

[george moromisato]

Thanks for everyone's help. I've enabled HTTPS on all our sites. See: http://forums.kronosaur.com/viewtopic.php?f=2&t=6972

I still need implement HTTPS on the connection between CloudFlare and Hexarc, but that should happen in the next few month.

Thanks again, and let me know if you run into any problems.