
#1 2014-09-24 23:29:31

iMic
Administrator
From: Adelaide, Australia
Registered: 2014-05-12
Posts: 877

Secure Sockets Layer (SSL/TLS)

Hi Everyone,

We're currently in the process of testing SSL encryption on ThinkClassic. We're aiming for an implementation that performs encryption for any portion of the site that requires sending sensitive data to the server, such as email address submission during registration or password submission during login or profile updates.

You may experience some issues with the site while we continue our testing, but it should still be usable. If anyone experiences any major issues with the site that prevent them from posting, please send me an email at admin@thinkclassic.org and we'll attempt to resolve the issue as soon as possible.



Update (October 6th, 2014)

We've finalised our SSL solution for ThinkClassic and have now enabled encryption on all supported systems and browsers. We're also continuing to support older machines using standard unencrypted connections. Refer to this post for more information.


Update (July 4th, 2015)

We have made some fixes and improvements to our SSL/TLS solution and the methods that our members use to access it. Refer to this post for more information.



Cheers,

iMic.

Last edited by iMic (2015-07-04 14:24:47)


Resident Professor of Alternative Methodology
Faculty of Macintosh Restorations & Modifications - "It works, let's fix it!"


#2 2014-09-25 00:45:59

bbraun
Member
Registered: 2014-05-29
Posts: 1,064

Re: Secure Sockets Layer (SSL/TLS)

Aw man, you're breakin' my Mac OS client! :P


#3 2014-09-25 01:27:24

techknight
Member
Registered: 2014-05-22
Posts: 449

Re: Secure Sockets Layer (SSL/TLS)

SSL breaks a lot of things. That's why I hated it when 68kmla did it.


#4 2014-09-25 01:46:33

antony701
Member
From: Sydney Australia
Registered: 2014-05-21
Posts: 13

Re: Secure Sockets Layer (SSL/TLS)

I personally do not see the need for SSL for just forums. The information (just an email address and a chosen password) provided to most forums isn't that sensitive in my opinion.


#5 2014-09-25 02:37:17

LCGuy
Administrator
From: Sydney, Australia
Registered: 2014-05-13
Posts: 807

Re: Secure Sockets Layer (SSL/TLS)

The problem is that a lot of people who post on forums often re-use the same password for other things, such as other forums, their email, in some cases even their online banking.


#6 2014-09-25 03:28:05

iMic
Administrator
From: Adelaide, Australia
Registered: 2014-05-12
Posts: 877

Re: Secure Sockets Layer (SSL/TLS)

antony701 wrote:

I personally do not see the need for SSL for just forums. The information (just an email address and a chosen password) provided to most forums isn't that sensitive in my opinion.

Initially, I didn't see the need for it on here either.

What leaves us in an interesting and difficult position is that we've received this feature request from several users on here.

However we're also aware that we have a lot of users that love the fact that this site works on just about everything - including browsers and software that would otherwise be held up when trying to communicate with an SSL-enabled server.

We're experimenting with solutions at the moment to find some kind of reasonable middle-ground. At the moment this is a case study to determine how viable it is.


techknight wrote:

SSL breaks a lot of things. That's why I hated it when 68kmla did it.

That's something we're also concerned about, but we're considering all of our options to minimise the impact. We won't retain it if it proves detrimental to the use of the site, but we're hopeful that we can find a viable solution that suits our needs and the needs of our users without causing them too many issues.


bbraun wrote:

Aw man, you're breakin' my Mac OS client! :P

I completely forgot about the Mac OS client... eek. I'll keep it in mind.



#7 2014-09-25 14:55:30

ClassicHasClass
Member
From: Electron Alley
Registered: 2014-05-26
Posts: 1,083

Re: Secure Sockets Layer (SSL/TLS)

Is there a way to make it opt-in at login, perhaps?


#8 2014-09-25 16:01:14

mcdermd
Member
From: Corvallis, OR
Registered: 2014-05-12
Posts: 946

Re: Secure Sockets Layer (SSL/TLS)

That's something I was thinking about this morning. But it would be a code change on iMic's end as opposed to a config change on mine.

The other option would be totally user-driven. We just leave SSL available to use on any page but we don't force it. The user would need to manually request https:// in the URL address bar.


Daily Drivers: 27" iMac 2.8 GHz Quad-Core i7 (Late 2009), 21.5" iMac 2.7GHz Quad-Core i5 (Late 2013), 11" Macbook Air 1.6 GHz i5 (Mid-2011)
See the restored heroes here.


#9 2014-09-25 21:00:55

ClassicHasClass
Member
From: Electron Alley
Registered: 2014-05-26
Posts: 1,083

Re: Secure Sockets Layer (SSL/TLS)

The easy way: have two login buttons, one for SSL, one for nekkid. One is HTTPS, the other is HTTP.

Last edited by ClassicHasClass (2014-09-25 21:01:15)


#10 2014-09-25 23:48:49

iMic
Administrator
From: Adelaide, Australia
Registered: 2014-05-12
Posts: 877

Re: Secure Sockets Layer (SSL/TLS)

The only issue is that the forum software uses a pre-configured base URL. So, for example, page redirects after making new posts look to the base URL (which is http://www.thinkclassic.org) to know where to send a user after redirecting. Even if you started out using HTTPS, the forum software would eventually throw you back to the HTTP version of the site.

If I could tell it to look simply to "thinkclassic.org" instead, using whatever protocol the browser is already using, then this may resolve that issue.

However, external links from sites like Google would still throw a user back to the HTTP version of the site.


To address this issue, I would ideally be able to add some code in that determines whether a user has "SSL enabled" in their user control panel and automatically rewrites or redirects the URL to the SSL version of the site. Likewise, if it's disabled, then it would always force the standard site.

Doing that however would require modifications to our profile control panel (for the option checkbox itself), our theme files (where custom code is loaded) and most critical of all - our MySQL database. We'd need to attach an SSL field to each user's database row to store their on/off preferences for this setting.

I could possibly look into it over the weekend, but I can't guarantee it since making these modifications could cause issues down the track, particularly when it comes time to update the forum software or install security fixes.



#11 2014-09-26 00:10:08

techknight
Member
Registered: 2014-05-22
Posts: 449

Re: Secure Sockets Layer (SSL/TLS)

I have a solution:

Grab the User-Agent. Anyone with a new enough machine/browser, auto-switch to SSL.

Otherwise, load unsecured.


#12 2014-09-26 01:12:45

mcdermd
Member
From: Corvallis, OR
Registered: 2014-05-12
Posts: 946

Re: Secure Sockets Layer (SSL/TLS)

That could work. I can put a rewrite condition on the https rewrite rule to be sure the user agent does not match old browser versions. I'll play with it after the kids go to bed.



#13 2014-09-26 02:26:56

iMic
Administrator
From: Adelaide, Australia
Registered: 2014-05-12
Posts: 877

Re: Secure Sockets Layer (SSL/TLS)

techknight wrote:

I have a solution:

Grab the User-Agent. Anyone with a new enough machine/browser, auto-switch to SSL.

Otherwise, load unsecured.


This seems like a really nice solution. Supported browsers give their users peace of mind knowing that their data is encrypted. Older browsers can connect to and access the site without issue, but won't have the benefits of encrypted data transfers. As long as users are made aware of any risks, we're more than willing to let them access the site however they wish.

Since sessions aren't retained between browsers anyway, it would overcome some of the anomalies we've experienced with switching back and forth between http and https as well.

Some alterations to the forum software's base URL may be required to run it on both the http and https domains, but I can look into that.



#14 2014-09-26 02:48:00

techknight
Member
Registered: 2014-05-22
Posts: 449

Re: Secure Sockets Layer (SSL/TLS)

That's why unencrypted sessions should prompt a page giving you a disclaimer, and a "proceed anyway" button.

Which drops a cookie that's checked and never asks you again. ;-)

Also, I don't know how far back user agents go, and which browsers first introduced them.

But it's safe to say any browser that doesn't support user agents will likely not support SSL.

Last edited by techknight (2014-09-26 02:56:20)


#15 2014-09-26 03:07:24

ClassicHasClass
Member
From: Electron Alley
Registered: 2014-05-26
Posts: 1,083

Re: Secure Sockets Layer (SSL/TLS)

Classilla does work with the SSL version. The problem on The Site I Dare Not Mention is it's a SHA-256 signed certificate. This is SHA-1, which is supported.


#16 2014-09-26 03:25:59

mcdermd
Member
From: Corvallis, OR
Registered: 2014-05-12
Posts: 946

Re: Secure Sockets Layer (SSL/TLS)

Unfortunately, Google announced that they will start throwing browser warnings in Chrome if visiting SHA-1 sites. I got notice yesterday. When I requested the cert for thinkclassic, I chose SHA-1 to be more compatible with older browsers. It may have to change to SHA-2 next year, though.



#17 2014-09-26 03:30:10

mcdermd
Member
From: Corvallis, OR
Registered: 2014-05-12
Posts: 946

Re: Secure Sockets Layer (SSL/TLS)

bbraun wrote:

Aw man, you're breakin' my Mac OS client! :P

Do you know what user agent your app IDs itself as? Let me know and I'll make some conditions around it.



#18 2014-09-26 03:41:12

bbraun
Member
Registered: 2014-05-29
Posts: 1,064

Re: Secure Sockets Layer (SSL/TLS)

I don't think I send a user-agent header.  I can though.  How about something like "ThinkClassicApp/1.0 (MacOS)"?  Match on ThinkClassicApp*?


#19 2014-09-26 04:16:38

mcdermd
Member
From: Corvallis, OR
Registered: 2014-05-12
Posts: 946

Re: Secure Sockets Layer (SSL/TLS)

I've added a RewriteCond for it.



#20 2014-09-26 06:05:41

mcdermd
Member
From: Corvallis, OR
Registered: 2014-05-12
Posts: 946

Re: Secure Sockets Layer (SSL/TLS)

The issue we have with Classilla is that it doesn't appear to support SNI, so it will not find the proper certificate unless I assign thinkclassic.org its own dedicated IP address.

I've included it in the browsers not to apply the https rewrite to. If something changes or Cameron needs more info let me know.


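For readers who want to see what the User-Agent exception approach discussed in the posts above looks like in Apache mod_rewrite terms, here is an added example; it is not the thinkclassic.org configuration (which the thread never shows), and the "Classilla" substring and the "ThinkClassicApp" prefix are assumed from the thread, not verified against real User-Agent strings.

```apache
# Added example, not the site's own config. Redirect plain-HTTP requests to
# HTTPS, except for clients the thread identified as unable to negotiate it.
RewriteEngine On

# Only act when the request arrived without TLS.
RewriteCond %{HTTPS} off

# Exception 1: Classilla (assumed to carry "Classilla" in its User-Agent).
# At the time of the thread it lacked SNI and could not verify the chain,
# so forcing it to HTTPS would just produce certificate errors.
RewriteCond %{HTTP_USER_AGENT} !Classilla [NC]

# Exception 2: bbraun's native Mac OS client, which the thread says will
# identify itself as "ThinkClassicApp/1.0 (MacOS)".
RewriteCond %{HTTP_USER_AGENT} !^ThinkClassicApp [NC]

# Everyone else: redirect to the same host, path and query string over HTTPS.
# 302 rather than 301 while the policy depends on User-Agent, so a browser
# cannot cache a permanent redirect that a later exception should override.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
```

Because the User-Agent is client-supplied, the conditions above can only be used as an allowlist of exceptions: a client that spoofs one of them merely keeps itself on HTTP, and the forum's unencrypted-connection warning (post #25) still applies to it. The application's base URL must also be protocol-relative, or the forum's own post-submit redirects will bounce users back to http:// as described in post #10.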

#21 2014-09-26 14:32:48

ClassicHasClass
Member
From: Electron Alley
Registered: 2014-05-26
Posts: 1,083

Re: Secure Sockets Layer (SSL/TLS)

I got Classilla building again last night (had to undo my changes on caps, which I was trying to finish and never did).

I put a shim in overnight where an unrecognized hash algorithm can be overridden (it treats them as an untrusted certificate rather than simply an unconditional error). However, it looks like the FreeBL in Classilla does understand all the SHA-2 variants; it just wasn't ever hooked up to anything. Classilla does parse a SHA-2 certificate and correctly flags it with an unknown OID, but everything else comes through. Similarly, SNI is a relatively simple extension. I'm going to see if I can get 9.3.3 to do both, and leave the last resort for unrecognized hash algorithms in as a future-proofing measure.


#22 2014-09-26 15:24:52

mcdermd
Member
From: Corvallis, OR
Registered: 2014-05-12
Posts: 946

Re: Secure Sockets Layer (SSL/TLS)

Great! I'll remove the rewritecond when it is updated.



#23 2014-09-27 19:54:46

iMic
Administrator
From: Adelaide, Australia
Registered: 2014-05-12
Posts: 877

Re: Secure Sockets Layer (SSL/TLS)

With this implementation of SSL, I think we're onto a winner.

I'll look into having some HTTP/HTTPS specific code in our PHP forum extensions as well, for warning notifications and the like.



#24 2014-09-27 20:04:16

ClassicHasClass
Member
From: Electron Alley
Registered: 2014-05-26
Posts: 1,083

Re: Secure Sockets Layer (SSL/TLS)

mcdermd wrote:

Great! I'll remove the rewritecond when it is updated.

Not going to be super-soon, in case you needed to forecast; TenFourFox still gets priority and I'm getting bogged down in the Fx34 merge. I'm hoping within 3-4 months (I might do an interim release with the shim only between now and then).


#25 2014-09-27 21:35:29

iMic
Administrator
From: Adelaide, Australia
Registered: 2014-05-12
Posts: 877

Re: Secure Sockets Layer (SSL/TLS)

The forum software now displays a warning message on Login, Profile and Registration pages when SSL isn't supported by the browser. However, users can still access the forums as per normal from unsupported systems - the data being sent just won't be encrypted.


[Screenshot: Screen_Shot_2014_09_28_at_6_58_06_am.png]


As a matter of fact, to demonstrate the forums are still accessible... I'm using Classilla to write and submit this post. Not bad, right?


[Screenshot: Screen_Shot_2014_09_28_at_7_04_38_am.png]


I also discovered an inefficiency while making these additions in the compression algorithm for a couple of our images, namely the keyboard in the header. As a result, standard page loads are now 67KB lighter. Retina Display users will experience load times that are 11KB lighter.

