[Systems] certificates / SNI, SSO / passwords (was: Re: [Fwd: Re: Server Name Indication - Wikipedia, the free encyclopedia])

Sascha Silbe sascha-ml-reply-to-2010-2 at silbe.org
Thu Aug 26 10:34:14 EDT 2010


Excerpts from Bernie Innocenti's message of Mon Aug 23 15:05:08 +0200 2010:

> To me, it's not a matter of money--we're talking about $50/year for a
> wildcard certificate, quite affordable.
I suppose those $50 only cover *.sugarlabs.org, not a combined certificate
for *.sugarlabs.org + *.ole.org.

> It's a matter of principle: I'd
> rather not use my money to promote the SSL extortion lobby.
+1 in general, though I'd weigh this against other priorities.

> We actually have a dozen free IPv4 addresses, but they're available to
> treehouse, not sunjammer. The two machines are in the same network, but
> firewall rules on the dom0 prevent sunjammer from using anything but its
> own IP.
Judging from the Munin stats, moving the web services from sunjammer to
(a VM on) treehouse shouldn't cause any load issues. We could start with
Trac once we got 0.12 fully working (I recently updated the
TicketModeratorPlugin, but didn't receive any email from it so will have
to investigate).

> > b) maybe even do an automatic upgrade to https if the User-Agent
> >    indicates a browser version that should have SNI support. This
> >    would especially be useful for password-based login pages (i.e.
> >    wiki and Trac).
> 
> You mean an http redirect?
Exactly.

> Can Apache do this without employing mod_perl?
This should be easy enough to do using mod_rewrite, using a combination
of the often-used "browser sniffing" / "browser dependent content" [1,3]
and http-to-https-redirect for login pages [2] patterns.
Something like this should do the trick (untested):

# Redirect from HTTP to HTTPS if we know the browser supports SNI.
# All browsers running on Windows XP don't support SNI, so we need to
# filter them out in all of the rules.
RewriteEngine On
RewriteCond %{HTTPS} !=on
# Firefox 2.0+ (real Gecko sends "Gecko/<build date>"; WebKit browsers
# only send "like Gecko", so the trailing slash keeps them out of this rule)
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/([5-9]|[1-9][0-9]).*(Windows\ NT\ ([6-9]|[1-9][0-9])|X11|Mac\ OS).*Gecko/ [ornext]
# IE 7+
RewriteCond %{HTTP_USER_AGENT} MSIE\ ([7-9]|[1-9][0-9]).*Windows\ NT\ ([6-9]|[1-9][0-9]) [ornext]
# Opera 8+ (the UA reads "Opera/9.80 (...)", with a slash, not a space)
RewriteCond %{HTTP_USER_AGENT} Opera/([89]|[1-9][0-9]).*(Windows\ NT\ ([6-9]|[1-9][0-9])|X11|Mac\ OS) [ornext]
# Google Chrome 5.0.345+ (the UA reads "Chrome/5.0.375.70", with a slash)
# last rule, so no [ornext]
RewriteCond %{HTTP_USER_AGENT} (Windows\ NT\ ([6-9]|[1-9][0-9])|X11|Mac\ OS).*Chrome/([6-9]|5\.[1-9]|5\.0\.[1-9][0-9][0-9][0-9]|5\.0\.[4-9][0-9][0-9]|5\.0\.3[5-9][0-9]|5\.0\.34[5-9])
# Capture the whole request path so that $1 is actually defined.
RewriteRule ^(/login.*)$ https://%{SERVER_NAME}$1 [redirect,last]


> > On a related note, would it be possible to get a single additional
> > IPv4 address on sunjammer for SSO usage (see other thread)?
> I could ask the FSF to change the rules, but I'd rather not bother
> them at this time because I'm behind on a bunch of work I'm supposed to
> do for them :-)
<g>

[Trac, wiki]
> These are low-security services, I wouldn't bother to protect them
> further with SSL. What would a potential eavesdropper do with my Trac
> identity? Append angry comments to tickets in my name? I don't need any
> help with this :-)
SSO / "automatic login" is about convenience, not (just) security.
I can't resist taking the bait, though: You're a Trac administrator, so
anyone stealing your password or session has full rights. Random tickets
could be deleted, attachments modified and so on, all without any
notification email being sent (because only new ticket comments get
distributed, nothing else). Would our current backup strategy be able
to cope with that, especially if we take a few days or even weeks to
notice what happened? I doubt it.

> However, if we employ the wiki identity for CAS--which is exactly what
> alsroot has been working on--the wiki password would start to become
> quite serious: you could use it to build and distribute binary packages
> in the name of someone else. In this case, I'd feel safer with SSL by
> default.
The problem isn't that the password is sent as plain text, but that a
password is used to protect something valuable. Most humans can't
remember more than a few "good" passwords and they won't bother doing
so for some build service or shell account.

Sascha

[1] http://httpd.apache.org/docs/current/misc/rewriteguide.html section "Browser Dependent Content"
[2] http://www.whoopis.com/howtos/apache-rewrite.html
[3] http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html#RewriteCond
--
http://sascha.silbe.org/
http://www.infra-silbe.de/
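An added example, not from the original mail or the Sugar Labs configuration: the User-Agent decision behind the mod_rewrite snippet above, re-expressed in Python so the rules can be exercised offline against sample User-Agent strings before anything is deployed. It factors the platform check out of the per-browser rules, writes the Chrome and Opera versions with the slash their real User-Agents carry, and requires "Gecko/" so that WebKit's "like Gecko" does not pass as Firefox; the host name and every User-Agent string are constructed samples.

```python
import re

# Added example, not from the original mail: the User-Agent decision behind the
# mod_rewrite snippet, re-expressed in Python so it can be checked offline.

# Platform check shared by all rules: Windows NT 6+ (Vista and later), X11 or
# Mac OS. Windows NT 5.x (2000/XP) fails on purpose: no browser on XP does SNI.
PLATFORM = re.compile(r"Windows NT ([6-9]|[1-9][0-9])|X11|Mac OS")

# Chrome version ladder for 5.0.345 and later (plus 5.1+ and 6+).
CHROME_VER = (r"[6-9]|5\.[1-9]|5\.0\.[1-9][0-9]{3}|5\.0\.[4-9][0-9]{2}"
              r"|5\.0\.3[5-9][0-9]|5\.0\.34[5-9]")

BROWSERS = [
    # Firefox 2.0+: real Gecko says "Gecko/<build>"; WebKit only says "like Gecko"
    re.compile(r"^Mozilla/([5-9]|[1-9][0-9]).*Gecko/"),
    re.compile(r"MSIE ([7-9]|[1-9][0-9])"),            # IE 7+
    re.compile(r"Opera[/ ]([89]|[1-9][0-9])"),         # Opera 8+, "Opera/9.80" or "Opera 8.50"
    re.compile(r"Chrome/(" + CHROME_VER + ")"),        # Chrome 5.0.345+
]

def supports_sni(user_agent: str) -> bool:
    """True when the UA names a browser/platform pair believed to negotiate SNI."""
    if not PLATFORM.search(user_agent):
        return False
    return any(rule.search(user_agent) for rule in BROWSERS)

def should_upgrade(https_on: bool, path: str, user_agent: str) -> bool:
    """Mirror of the RewriteCond chain: plain HTTP, a login URL, SNI-capable browser."""
    return (not https_on) and path.startswith("/login") and supports_sni(user_agent)

def redirect_location(host: str, path: str) -> str:
    """Target of the redirect issued when should_upgrade() is true."""
    return "https://" + host + path

# Constructed User-Agent strings in the formats these browsers used in 2010.
SAMPLE_AGENTS = {
    "firefox_win7": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8",
    "firefox_xp": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8",
    "ie8_vista": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "ie6_xp": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "chrome_new_linux": "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.70 Safari/533.4",
    "chrome_old_win7": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.9 Safari/533.2",
    "opera_win7": "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.60",
}

if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        print(f"{name:17s} upgrade={should_upgrade(False, '/login', ua)}")
```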