Author Topic: Is SSL important to you?  (Read 8628 times)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Is SSL important to you?
« on: February 13, 2006, 04:52:31 AM »
Hi,

The ISP which hosts passwordmaker.org is offering, for a limited time, lifetime plans for $150.00. I've been considering doing this because the break-even point of the investment is just 2.5 years. I certainly expect PasswordMaker to be around longer than that.

However, lifetime plans do not permit the use of SSL certificates. I'd very much like to get rid of the recurring $30/year cost of an SSL certificate while capping ISP costs, too. How important is HTTPS for you on this site?

Some have suggested we switch passwordmaker entirely to SourceForge (which is free, but doesn't offer SSL either). I like this idea, but do not have the time or energy to devote to moving the whole website to another ISP.

Thoughts?

Offline major4579

  • Jr. Member
  • **
  • Posts: 47
Is SSL important to you?
« Reply #1 on: February 13, 2006, 02:15:26 PM »
Eric,

Excuse my ignorance - but where does SSL come into play on this site? I really don't see the need for a secure connection so save yourself the money.
-John

PMW 1.7.1 and FireFox 1.5.0.12 on Windows 2000/SP4

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Is SSL important to you?
« Reply #2 on: February 13, 2006, 02:30:17 PM »
The mobile edition is the only reason we really need it I believe. We only have SSL because people thought the online version sent the password over the web.
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Is SSL important to you?
« Reply #3 on: February 13, 2006, 03:22:59 PM »
Quote
We only have SSL because people thought the online version sent the password over the web
Right, but some others wanted it to prevent man-in-the-middle attacks of the download section. That is, if the domain name were hijacked, the attacker could post his own versions of the software.

But now that AMO uses SSL when transferring extensions, you could always go there to at least get that version.

Quote
The mobile edition is the only reason we really need it I believe
Yes, but since the source is provided as a free download, you could always purchase your own SSL certificate and run it on your own server.

Major's opinion is pretty clear; miquelfire's isn't so clear; anyone else?

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Is SSL important to you?
« Reply #4 on: February 13, 2006, 04:44:55 PM »
The reason my opinion is clear is because I really don't have one about this.
"I'm not drunk, just sleep deprived."

Offline morguns

  • Full Member
  • ***
  • Posts: 145
Is SSL important to you?
« Reply #5 on: February 13, 2006, 04:58:26 PM »
i say lose the ssl for now. if folks want ssl, it could be a pay-for service (when/if that is implemented).

Quote
Right, but some others wanted it to prevent man-in-the-middle attacks of the download section. That is, if the domain name were hijacked, the attacker could post his own versions of the software.
why not just sign the binaries with gnupg?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Is SSL important to you?
« Reply #6 on: February 13, 2006, 10:47:35 PM »
Quote
why not just sign the binaries with gnupg?
This has been suggested before and I avoided it due to laziness. Looks like this is the way to go, though. I'll drop the SSL.

I spent some time looking to see how difficult it is to get things going on SourceForge. I'm no unix guru, but was able to get this to work (executing on passwordmaker.org):
Code: [Select]
rsync -v -a -e ssh /home/ejung/public_html/ [email protected]:/home/groups/p/pa/passwordmaker/htdocs/

This mirrored all the content on http://passwordmaker.org to http://passwordmaker.sourceforge.net, but a lot of it is broken because of absolute directory paths; e.g., almost every file has this at the top and bottom:
Code: [Select]
<?php include "/home/ejung/public_html/includes/header.php"; ?>
...
...
...
<?php include "/home/ejung/public_html/includes/footer.php"; ?>

but on sourceforge, /home/ejung/public_html/includes/ should be /home/groups/p/pa/passwordmaker/htdocs/includes/. I know there are powerful tools like sed which could probably do a global-search-and-replace for strings like this, but I've got no idea how to use them. It took me a full day just to figure out how to get rsync to work.

Anyone have any experience with this? I'd be willing to grant you full access to the sourceforge site, or, if you'd rather not do it personally, you could teach me what to do.

-Eric
p.s. i tried making /home/ejung/public_html/includes/ a symbolic link, but it seems symbolic links cannot point to directories (or vice-versa, whatever :))
« Last Edit: February 13, 2006, 10:50:56 PM by Eric H. Jung »

Offline morguns

  • Full Member
  • ***
  • Posts: 145
Is SSL important to you?
« Reply #7 on: February 13, 2006, 11:44:29 PM »
if the number of files isn't too crazy-large, i could do a global search/replace like that with jedit. if we're talking hundreds of files in lots of subfolders, sed is definitely the way to go. it's been a while since i've played with sed, but i think i could muster up a cmd line to do the job.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Is SSL important to you?
« Reply #8 on: February 14, 2006, 04:20:34 AM »
There appear to be 343 files, but many of them are binaries (JPGs, XPIs, ZIPs, etc.).

Offline morguns

  • Full Member
  • ***
  • Posts: 145
Is SSL important to you?
« Reply #9 on: February 14, 2006, 04:25:17 AM »
hey eric, i think i have a solution to your search and replace problem (i basically stole it :). if it's not spot-on, it's probably just an extra or missing forward slash or back slash; i based the script on what you put in your post.

save the following to a file on the server, chmod it, and run it. PLEASE make sure you back everything up in case it leaves the rails. and it would also be a good idea to make sure you're not in the root dir :) and being the paranoid person that i am, if i were doing it i would test it on a couple of test files before turning it loose on public_html.

the script will only deal with .php files. if you have .htm, .html, etc., just substitute whatever you need in place of 'php' in the find command and run it again.

note: the sed command is on ONE line. it should be fine as is, but if you break it up to cover multiple lines you'll have to add the continuation character to the ends of the short lines. i didn't test it like that tho. let us know how it goes :)


Code: [Select]
#! /bin/sh
find . -type f -name '*.php' -print | while IFS= read -r i  # every .php file below the current dir
do
    sed 's/\/home\/ejung\/public_html\/includes\//\/home\/groups\/p\/pa\/passwordmaker\/htdocs\/includes\//g' "$i" > "$i.tmp" && mv "$i.tmp" "$i"
done

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Is SSL important to you?
« Reply #10 on: February 14, 2006, 04:48:27 AM »
Thanks. This is what I get:
Quote
./mod: line 6: syntax error: unexpected end of file
(I named the file 'mod')

By the way, my 343 file estimate isn't correct... it's a lot less. I should have done a grep but don't remember the args to use to count number of lines in files which match a regex.

Anyway, are you interested in giving this a whirl? There's nothing to break because the site doesn't work now anyway--give it a try at http://passwordmaker.sourceforge.net. If you overwrite something, I can just do another rsync.

Do you have a sourceforge account? Miquel, what was your sourceforge username again?
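
Added example, not part of the original thread: a variant of the search-and-replace discussed above that first counts the files containing the old path (the grep question in the post above) and keeps a .bak copy of every file it changes. The two path prefixes are the ones quoted in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
OLD='/home/ejung/public_html/includes/'
NEW='/home/groups/p/pa/passwordmaker/htdocs/includes/'

# Print the files under directory $1 whose name matches $2 (default '*.php')
# and which contain the old prefix. Filtering by name keeps binaries
# (JPGs, XPIs, ZIPs) and the .bak copies out of the result.
# grep: -l prints file names only, -F treats the pattern as a fixed string.
list_matches() {
    find "$1" -type f -name "${2:-*.php}" -exec grep -lF -- "$OLD" {} +
}

# Dry run: how many files would be changed. Modifies nothing.
count_matches() {
    list_matches "$1" "${2:-*.php}" | wc -l | tr -d ' '
}

# Rewrite each matching file, keeping the original as FILE.bak.
# '|' as the sed delimiter avoids escaping every slash in the paths;
# neither path contains '|', '&' or regex metacharacters.
# File names containing newlines are not supported by this loop.
rewrite_includes() {
    list_matches "$1" "${2:-*.php}" | while IFS= read -r f; do
        cp -p -- "$f" "$f.bak" &&
        sed "s|$OLD|$NEW|g" "$f.bak" > "$f"
    done
}

# Typical sequence from the site's document root:
#   count_matches .            # how many .php files contain the old path
#   rewrite_includes .         # rewrite them, leaving *.php.bak behind
#   count_matches .            # should now print 0
#   rewrite_includes . '*.html'   # repeat for other extensions if needed
```
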

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Is SSL important to you?
« Reply #11 on: February 15, 2006, 03:49:17 AM »
Javs

And why use absolute paths anyway? They make it a pain to update later on.
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Is SSL important to you?
« Reply #12 on: February 15, 2006, 04:05:25 AM »
Quote
And why use absolute paths anyway? They make it a pain to update later on
Because I'm stupid. Also, I wasn't the only one who wrote the site--Kristen did, as well as Quixin and Romeo. Had I written the entire thing, it would have been XHTML-compliant and had no HTML tables.

Miquel, "javs" now has full access to passwordmaker.sourceforge.net. Shell access is:

shell.sourceforge.net:22
home dir: /home/groups/p/pa/passwordmaker

Offline morguns

  • Full Member
  • ***
  • Posts: 145
Is SSL important to you?
« Reply #13 on: February 15, 2006, 04:10:50 AM »
Quote
Because I'm stupid.
LOL

PasswordMaker Forums
