mersenneforum.org

mersenneforum.org (https://www.mersenneforum.org/index.php)
-   PrimeNet (https://www.mersenneforum.org/forumdisplay.php?f=11)
-   -   Primenet Server - Official Maintenance Thread (https://www.mersenneforum.org/showthread.php?t=21648)

Mark Rose 2017-01-19 20:33

Who knows what the effect may be on the various spiders that connect to the HTTP site.

Dubslow 2017-01-20 06:48

[QUOTE=Mark Rose;451233]Who knows what the effect may be on the various spiders that connect to the HTTP site.[/QUOTE]

Okay, maybe "force" was wrong -- is there a way to inquire a new connection if it is capable of switching, and if so, to do so?

Mark Rose 2017-01-20 21:40

[QUOTE=Dubslow;451250]Okay, maybe "force" was wrong -- is there a way to inquire a new connection if it is capable of switching, and if so, to do so?[/QUOTE]

The best way may be with a script at the top of the document. The spiders probably aren't executing JS.

Madpoo 2017-01-21 03:10

[QUOTE=Mark Rose;451233]Who knows what the effect may be on the various spiders that connect to the HTTP site.[/QUOTE]

That's the biggest concern. Regular web browsers won't be affected, except for the warm fuzzies they get from seeing that it's a secure connection.

I locked down the cipher suite to make sure that when we go secure, we're not doing it half-heartedly. That means obvious things like disabling SSLv3 and basically going with TLS and using only the ciphers with forward secrecy. The SSL Labs test gives it an A and the downside is if you're from the stone age and visiting with Windows XP and IE 6, you're out of luck. All other modern-ish browsers (and I think even the old funky Firefox 3.x that a certain someone prefers) should be okay.

But yeah... the people who use scripts to crawl result pages or collect the reports... if I start redirecting http -> https (which is easy to do, by the way), depending on how they did their script it may ignore a 301/302 redirect, or it may not be setup to work with SSL.

I know curl by itself would need a list of trusted CAs (or use the -k option to ignore cert issues, which isn't the best idea). I really don't know what people are using to crawl the site with so we'll probably just have to give them time to test it and then make the switch.

I started a new thread devoted to discussing the SSL switch so I'll be monitoring things there.

Prime95 2017-01-21 04:53

Most importantly, be sure the prime95 client which communicates using http is not affected by any changes.

Madpoo 2017-01-24 03:54

[QUOTE=Prime95;451309]Most importantly, be sure the prime95 client which communicates using http is not affected by any changes.[/QUOTE]

Good point. The client communicates with v5.mersenne.org so it's fortunately separate from the website.

With that said, it might be a good future project to get new clients to talk over SSL as well, although it's probably not critical. Passwords aren't passed along using the API (as far as I'm aware).

At any rate, SSL on the website should leave the Prime95 clients alone. The biggest concerns I had were with GPU72 and Misfit since (not sure on the details) they can proxy client activity and then talk to the manual assignment/result pages, or something like that. I'm fuzzy on just how those worked, thus my concern.

It's not terribly difficult to exclude the manual assign/result pages from being redirected, if there's still a concern about that.

retina 2017-01-24 05:24

[QUOTE=Madpoo;451308]All other modern-ish browsers (and I think even the old funky Firefox 3.x that a certain someone prefers) should be okay.[/QUOTE]I never have any trouble with other sites, so unless you have done something particularly restrictive then it should be fine.

chalsall 2017-01-24 15:48

[QUOTE=Madpoo;451471]Passwords aren't passed along using the API (as far as I'm aware).[/QUOTE]

That is correct.

The worst someone could do who was "sniffing the plain-text traffic" would be to replay assignment requests. If they reverse engineered the client's "secret sauce" security code they would also be able to unassign assignments.

But really, that's an exceptionally unlikely scenario. Someone would have to really hate someone else to get "in the middle", and also invest a great deal of time and effort. And even then they wouldn't be able to log into Primenet's web interface as their target's user (they would have the Username, but not the Password).

Madpoo 2017-01-26 15:51

[QUOTE=retina;451476]I never have any trouble with other sites, so unless you have done something particularly restrictive then it should be fine.[/QUOTE]

Give it a try then: [url]https://www.mersenne.org[/url]

If "even Retina" can access it, then I think we can consider it effectively 100% browser compatible. :smile:

henryzz 2017-01-26 15:57

[QUOTE=Madpoo;451603]Give it a try then: [URL]https://www.mersenne.org[/URL]

If "even Retina" can access it, then I think we can consider it effectively 100% browser compatible. :smile:[/QUOTE]
IE6? Was very popular once. I suppose you should be used to webpages not working on IE6 by now.

retina 2017-01-27 01:39

[QUOTE=Madpoo;451603]Give it a try then: [url]https://www.mersenne.org[/url]

If "even Retina" can access it, then I think we can consider it effectively 100% browser compatible. :smile:[/QUOTE]Okay, it looks as though you have effectively achieved 100% browser compatibility. :tu:


All times are UTC. The time now is 02:45.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.