anything

Author Topic: HTTPS / SSL  (Read 1010451 times)

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
HTTPS / SSL
« Reply #15 on: October 21, 2005, 02:04:23 PM »
A quick thought: Is is possible to digitally sign an xpi file?  If so, then the xpi download doesn't need SSL.  The same idea applies to the Konfabulator Widget, too.  Ideally, the only portion of the site that would need SSL is the online version.

The other plus of digitially signing is that mirrors (e.g. Mozilla's extension site) would not need SSL, nor would there be any concern of the xpi being altered during the mirroring process.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #16 on: October 21, 2005, 07:52:21 PM »
Quote
mod_rewrite skills you say? I might be able to offer some help.
I decided not to PM the rules but instead post them here. Here are the rules I wrote to redirect all traffic from HTTP to HTTPS:

Code: [Select]
RewriteCond %{SERVER_PORT} =80  [OR]
RewriteCond %{HTTP_HOST}   !^passwordmaker\.org$ [NC]
RewriteRule ^.*$  https://passwordmaker.org%{REQUEST_URI} [L,R=301]
But as breyed points out, we only need four pages to redirect to HTTPS. Those pages are:I also need a rule to redirect www.passwordmaker.org to passwordmaker.org and, infact, *.passwordmaker.org to passwordmaker.org. I thought this would do it:

Code: [Select]
RewriteCond %{HTTP_HOST}   !^passwordmaker\.org$ [NC]
RewriteRule ^.*$   http://passwordmaker.org%{REQUEST_URI} [L,R=301]

Quote
A quick thought: Is is possible to digitally sign an xpi file?
It is possible but quite involved and something I'm not willing to tackle right now. If you like, I can post MD-5 and/or SHA-1 hash values for the downloads. I'd also like to point out that http://addons.mozilla.org does now redirect to https://addons.mozilla.org, although in the past this didn't always occur. Perhaps some of the mirrors didn't have their mod_rewrite rules synchronized.

Thanks for any assistance with the mod_rewrite rules.

-Eric
« Last Edit: October 21, 2005, 07:54:42 PM by Eric H. Jung »

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1154
  • Programmer
HTTPS / SSL
« Reply #17 on: October 25, 2005, 03:24:29 PM »
I'll look into this. If you don't get a response from me tomorrow, there's a good chance I'm yelling at my phone company Thursday for not having my phone on at home by the deadline they told me last week. (Tomorrow will mark two weeks without phone service)
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #18 on: October 25, 2005, 03:46:40 PM »
Thanks. Add
http://passwordmaker/ie.html to the list.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1154
  • Programmer
HTTPS / SSL
« Reply #19 on: October 25, 2005, 03:50:08 PM »
Was planning on it. Might make it easy to add any url in the future if I do it right.
"I'm not drunk, just sleep deprived."

LkonKbd

  • Guest
HTTPS / SSL
« Reply #20 on: October 25, 2005, 08:41:26 PM »
Quote
Thanks. Add
http://passwordmaker/ie.html to the list.
"Eirc,"

Is this a HEADS-UP that IE is next?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #21 on: October 25, 2005, 10:19:09 PM »
A beta version of the IE edition was released last night. See here and here.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1154
  • Programmer
HTTPS / SSL
« Reply #22 on: October 27, 2005, 02:53:33 PM »
I made it, and it only redirects the pages you want to HTTPS and the rest to HTTP. You just need to keep the list up to date your self. And you can remove the '^/' bit if it doesn't work (my dev server didn't have those files in the root, but in a subdirectory, so I had to test without the '^/' bit anyway)

Code: [Select]
RewriteEngine on
#Domain redirect
RewriteCond %{HTTP_HOST}   !^passwordmaker\.org$ [NC]
RewriteRule .*   http://passwordmaker\.org%{REQUEST_URI} [L,R=301]

# Redirects to HTTPS
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/installation.html$ [OR]
RewriteCond %{REQUEST_URI} ^/installation2.html$ [OR]
RewriteCond %{REQUEST_URI} ^/passwordmaker.html$ [OR]
RewriteCond %{REQUEST_URI} ^/konfabulator.html$ [OR]
RewriteCond %{REQUEST_URI} ^/ie.html$
RewriteRule .* https://passwordmaker\.org%{REQUEST_URI} [L,R=301]

# Redirects the pages that shouldn't be HTTPS to HTTP
# Note the lack of [OR]
RewriteCond %{SERVER_PORT} !80
RewriteCond %{REQUEST_URI} !^/installation.html$
RewriteCond %{REQUEST_URI} !^/installation2.html$
RewriteCond %{REQUEST_URI} !^/passwordmaker.html$
RewriteCond %{REQUEST_URI} !^/konfabulator.html$
RewriteCond %{REQUEST_URI} !^/ie.html$
RewriteRule .* http://passwordmaker\.org%{REQUEST_URI} [L,R=301]
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #23 on: October 27, 2005, 03:01:33 PM »
Thanks. Unfortunately, the passwordmaker.org ISP has not been able to install the SSL certificates such that the security warning goes away in FF/Mozilla/Netscape. It does not appear in IE, though. Give it a try:

https://passwordmaker.org

Try it in FF/Mozilla/Netscape... see the security warning, then try in IE (if you have it). You won't see the security warning.

Until that warning goes away, it's unlikely I'll put the mod_rewrite rules in place. And given that the ISP has essentially 'given up'...it's unlikely to happen at all. If anyone else wants to take up the fight with them, I'd be glad to hand over the reigns. I'm completely burned out dealing with them.
« Last Edit: October 27, 2005, 03:08:52 PM by Eric H. Jung »

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1154
  • Programmer
HTTPS / SSL
« Reply #24 on: October 27, 2005, 03:25:33 PM »
Where did you get the Cert fromificate from? Firefox doesn't know it.
"I'm not drunk, just sleep deprived."

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
HTTPS / SSL
« Reply #25 on: October 27, 2005, 04:20:26 PM »
To put the security issue with PasswordMaker in light of the broader topic of Firefox security security, here is an old, but still relavent article on Firefox security. Check out the follow-up, too.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #26 on: October 27, 2005, 05:17:13 PM »
Quote
Where did you get the Cert fromificate from? Firefox doesn't know it.
Starfield Tech. There's a discussion going on here about this. Someone else claims it works fine for him in FF 1.0.7.
« Last Edit: October 27, 2005, 05:17:52 PM by Eric H. Jung »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #27 on: October 27, 2005, 09:19:15 PM »
It should be working now. Give it a try and let me know: https://passwordmaker.org

LkonKbd

  • Guest
HTTPS / SSL
« Reply #28 on: October 27, 2005, 09:27:43 PM »
"Eric,"

It works fine for me to access the site for downloading.  I went to https://passwordmaker.org/ie.html .

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
HTTPS / SSL
« Reply #29 on: October 28, 2005, 02:23:34 AM »
Works great now.  No warning message about accepting the certificate.
It is impossible to create a fool-proof system, because fools are ingenious.

PasswordMaker Forums

HTTPS / SSL
« Reply #29 on: October 28, 2005, 02:23:34 AM »