pantz.org banner
Pantz.org now with https
Posted on 11-10-2014 00:26:04 UTC | Updated on 11-10-2014 00:39:02 UTC
Section: /software/http/ | Permanent Link

It is my pleasure to announce that Pantz.org can now be accessed in a more secure manner. Why add this now? What needed to happen to make this a viable option? Why can't some users access the secure site? Read on to find out.

Why not offer secure connections sooner?

The major reason I did not switch over to https sooner was that Google needed to support secure connections to their Ad servers. Late last year Google finally added the ability to serve up their Ads via SSL/TLS. I was not going to offer access to my site while the Ads could only be served up via standard http.

If you try to serve up external content (Ads) from your secure site, and that content is unencrypted you get nasty messages from browsers about the site having mixed content. The messages are very intrusive and ugly. By Google switching Adsense to https that ugliness goes away. All connections from the site could now go out securely via SSL/TLS.

The second reason I decided to do it was Google starting to use HTTPS as a ranking signal. I know these reasons are very Google centric, but the Ads pay for the site.

What type of cert did you get?

I wanted to choose one of the most secure types of certs I could for use on Pantz.org. This lead me to choose a ECDSA (Elliptic Curve Digital Signature Algorithm) with a SHA-256 certificate signing request. I got the cert from Comodo. Comodo offers ECDSA certificates signed by the Elliptical Curve DSA all the way up to the built in, browser trusted, Comodo ECC Root Certificate. This makes Comodo one the only CA's to offer a pure ECC certificate chain.

How did you get this whole mess configured?

That was the easy part. Our friends over at Calomel.org have a great tutorial on the how to perform the whole process. It's so indepth I don't even need to do a tutorial here like normal.

Why can't I get to your secure site

https has evolved over the years. SSL v2 came out in 1995. V3 came out in 1996. The successor to SSL is TLS. TLS 1.0 was defined in RFC 2246 in January 1999. TLS 1.1 was defined in 2006. TLS 1.2 was defined in 2008. Over the years weakness have shown up in the early SSL v2-3 protocols. These weaknesses make attacks more viable. Because of these weaknesses I have decided to disable SSL connections to Pantz.org.

Ciphers have also had attacks levied against them over the years. Some of cipher types have shown up with weaknesses are RC4 and DES. Because of these weaknesses I have disabled the use of DES and RC4 on Pantz.org.

By turning off SSL connections and not using RC4 or DES as an encryption type there are some people that will not be able to get to the secure Pantz.org site. The majority of people that will have this issue are people are using old Operating Systems and old browsers. Mainly this will likely be people trying to use Internet Explorer 6 to access the secure site or people trying to access the site with Windows XP on certain configurations. There are a few combinations of Windows XP and some browsers that work with TLS 1.0 (IE 8 and WinXP SP3), but many combos just don't. Even MS does not support XP anymore so upgrade.

Don't worry you still have http

There is nothing on Pantz.org needs a secure connection, so if you have issues connecting to the secure site just use the http version. It's as simple as that.

Reddit!

Related stories

Quick and dirty web servers
Posted on 05-13-2011 01:18:41 UTC | Updated on 07-20-2016 23:11:59 UTC
Section: /software/http/ | Permanent Link

Have you ever needed a way to easily transfer some files to someone or just let them browse through an index of some of the files on your hard drive? It not worth setting up a full fledged enormous web server like Apache or Nginx or Lighttpd. Instead I used to use thttpd to do this. I recently found out how to setup a web server that serves out an index of files from the directory it's run from with a Python one-liner.

# python 2
python -m SimpleHTTPServer 8080

# python 3
python3 -m http.server

# ruby
ruby -run -e httpd -- -p 8001 .

The Python lines will run a simple web server on port 8080 and serve out an index page of files relative to the current directory you ran the command from. It will check for index.html or index.htm and if found will serve it out. If it's not found it just defaults to serving a directory index. You can read more about the module here

If you wanted serve out files but use https (SSL/TLS) instead then you could do it with OpenSSL. The difference with the OpenSSL web server compared to the Python web server is that OpenSSL will not give you a directory index from the directory you start the server from. You will have to request each file directly. You also need to execute 2 lines to start the OpenSSL webserver. One to generate the web server cert and one to start the server. Still it's very easy.

# Generate the fake cert in the current dir. Press enter to answer all questions.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem

# Start the server on port 4433 (default) using the cert we just made
openssl s_server -cert mycert.pem -accept 4433 -WWW

This will serve out files relative to the current directory. Since this is supposed to be quick and dirty the security about it is not that great but the connection is totally encrypted so nothing will be sent in plain text over the connection. With the lines above the key generated is in the same directory that we are serving data from so you should move that to a path outside of the web server. There are a bunch of other options for OpenSSL's s_server. Check out the man page with "man s_server".

I use a firewall to whitelist IP's from trusted people since you can't easily password protect these simple http(s) servers. Just a suggestion.

Reddit!

Related stories

Check http with telnet
Posted on 07-25-2001 00:13:00 UTC | Updated on 07-25-2001 00:13:00 UTC
Section: /software/http/ | Permanent Link

This is how to connect to a HTTP server using telnet. All commands are in bold. The [ENTER] below means press the enter key. Note that the enter key always needs to be hit twice after your done typing the last command. The [ENTER] below means hit the enter key.

Connect to the default website.

telnet example.org 80

You should recieve a reply to the effect of:

Trying 192.168.0.1...
Connected to example.org.
Escape character is '^]'.

Now we can send the get command to retrieve a page. Hit the enter key ([ENTER]) twice after the command.

GET / HTTP/1.0
[ENTER]
[ENTER]

Connect to a website that uses virtual hosts.

telnet example.org 80

You should recieve a reply to the effect of:

Trying 192.168.0.1...
Connected to example.org.
Escape character is '^]'.

Now we can send the get and host commands to retrieve a page. Hit the enter key ([ENTER]) twice after the host command.

GET / HTTP/1.1
[ENTER]
Host: www.example.org
[ENTER]
[ENTER]

Connect to a webserver and just get header info.

telnet example.org 80

You should recieve a reply to the effect of:

Trying 192.168.0.1...
Connected to example.org.
Escape character is '^]'.

Now we can send the head command to retrieve a page. Hit the enter key ([ENTER]) twice after the command.

HEAD / HTTP/1.0
[ENTER]
[ENTER]

Reddit!

Related stories


RSS Feed RSS feed logo

About


3com

3ware

alsa

alsactl

alsamixer

amd

android

apache

areca

arm

ati

auditd

awk

badblocks

bash

bind

bios

bonnie

cable

carp

cat5

cdrom

cellphone

centos

chart

chrome

chromebook

cifs

cisco

cloudera

comcast

commands

comodo

compiz-fusion

corsair

cpufreq

cpufrequtils

cpuspeed

cron

crontab

crossover

cu

cups

cvs

database

dbus

dd

dd_rescue

ddclient

debian

decimal

dhclient

dhcp

diagnostic

diskexplorer

disks

dkim

dns

dos

dovecot

drac

dsniff

dvdauthor

e-mail

echo

editor

emerald

encryption

ethernet

expect

ext3

ext4

fat32

fedora

fetchmail

fiber

filesystems

firefox

firewall

flac

flexlm

floppy

flowtools

fonts

format

freebsd

ftp

gdm

gmail

gnome

google

gpg

greasemonkey

greylisting

growisofs

grub

hacking

hadoop

harddrive

hba

hex

hfsc

html

html5

http

https

hulu

idl

ie

ilo

intel

ios

iperf

ipmi

iptables

ipv6

irix

javascript

kde

kernel

kickstart

kmail

kprinter

krecord

kubuntu

kvm

lame

ldap

linux

logfile

lp

lpq

lpr

maradns

matlab

memory

mencoder

mhdd

mkinitrd

mkisofs

moinmoin

motherboard

mouse

movemail

mplayer

multitail

mutt

myodbc

mysql

mythtv

nagios

nameserver

netflix

netflow

nginx

nic

ntfs

ntp

nvidia

odbc

openbsd

openntpd

openoffice

openssh

openssl

openvpn

opteron

parted

partimage

patch

perl

pf

pfflowd

pfsync

photorec

php

pop3

pop3s

ports

postfix

power

procmail

proftpd

proxy

pulseaudio

putty

pxe

python

qemu

r-studio

raid

recovery

redhat

router

rpc

rsync

ruby

saltstack

samba

schedule

screen

scsi

seagate

seatools

sed

sendmail

sgi

shell

siw

smtp

snort

solaris

soundcard

sox

spam

spamd

spf

spotify

sql

sqlite

squid

srs

ssh

ssh.com

ssl

su

subnet

subversion

sudo

sun

supermicro

switches

symbols

syslinux

syslog

systemd

systemrescuecd

t1

tcpip

tcpwrappers

telnet

terminal

testdisk

tftp

thttpd

thunderbird

timezone

ting

tls

tools

tr

trac

tuning

tunnel

ubuntu

unbound

vi

vpn

wget

wiki

windows

windowsxp

wireless

wpa_supplicant

x

xauth

xfree86

xfs

xinearama

xmms

youtube

zdump

zeromq

zic

zlib