Re: [members-discuss] [ncc-announce] [news] RIPE NCC website becoming HTTPS-only

(cc members-discuss)

Mihnea-Costin Grigore <mgrigore@ripe.net> wrote:

> Dear colleagues,
>
> We plan to make the www.ripe.net website available over HTTPS only as of 5 February 2015. We believe this change will provide a more secure, efficient website for our users.
>
> The www.ripe.net website has been available over HTTPS for some time already, and we are now making it HTTPS-only for two reasons: to improve the website's security, and because we plan to integrate RIPE NCC Access (our single sign-on system) with www.ripe.net as part of our larger website redesign project, which requires us to use HTTPS throughout the site.

Some observations spring to mind.

1. www.ripe.net is (as far as I can see - and I could be wrong - please correct me) primarily an information site, that is it provides publicly available information to everyone/anyone. Therefore it does not largely transmit anything that needs to be secure and encrypted over SSL.

2. There have been far more security holes in https/TLS/SSL of recent than plain HTTP as far as I can tell. Therefore I would say that https is less secure unless you have sensitive information to transport. If my assertion (1) is correct then it would not seem beneficial to SSL protect www.ripe.net - indeed it may make it less secure.

3. Whilst I agree wholeheartedly that SSO is a good plan, in this case separation of the two different entities (information ie. www.ripe.net and admin ie. LIR portal) seems like a good idea.

Of course (3) may break the desire for SSO.

Or this may not really matter and no-one may really care. :)

Regards,

-Paul-

--
Paul Civati <paul(at)racksense.com> 0870 321 2855
Rack Sense Ltd - Managed Service Provider - www.racksense.com

Dear colleagues

I agree with Paul and we have a problem with HTTPS in Iran. That's too slow here. But because of this: "because we plan to integrate RIPE NCC Access" They have to switch into HTTPS.

On Thu, Jan 22, 2015 at 7:18 PM, Paul Civati <paul@racksense.com> wrote:

> (cc members-discuss)
>
> Mihnea-Costin Grigore <mgrigore@ripe.net> wrote:
>
>> Dear colleagues,
>>
>> We plan to make the www.ripe.net website available over HTTPS only as of 5 February 2015. We believe this change will provide a more secure, efficient website for our users.
>>
>> The www.ripe.net website has been available over HTTPS for some time already, and we are now making it HTTPS-only for two reasons: to improve the website's security, and because we plan to integrate RIPE NCC Access (our single sign-on system) with www.ripe.net as part of our larger website redesign project, which requires us to use HTTPS throughout the site.
>
> Some observations spring to mind.
>
> 1. www.ripe.net is (as far as I can see - and I could be wrong - please correct me) primarily an information site, that is it provides publicly available information to everyone/anyone. Therefore it does not largely transmit anything that needs to be secure and encrypted over SSL.
>
> 2. There have been far more security holes in https/TLS/SSL of recent than plain HTTP as far as I can tell. Therefore I would say that https is less secure unless you have sensitive information to transport. If my assertion (1) is correct then it would not seem beneficial to SSL protect www.ripe.net - indeed it may make it less secure.
>
> 3. Whilst I agree wholeheartedly that SSO is a good plan, in this case separation of the two different entities (information ie. www.ripe.net and admin ie. LIR portal) seems like a good idea.
>
> Of course (3) may break the desire for SSO.
>
> Or this may not really matter and no-one may really care. :)
>
> Regards,
>
> -Paul-
>
> --
> Paul Civati <paul(at)racksense.com> 0870 321 2855
> Rack Sense Ltd - Managed Service Provider - www.racksense.com
---- If you don't want to receive emails from the RIPE NCC members-discuss mailing list, please log in to your LIR Portal account and go to the general page: https://lirportal.ripe.net/general/
Click on "Edit my LIR details", under "Subscribed Mailing Lists". From here, you can add or remove addresses.

Hi:

The RIPE website is quite slow in some remote areas; I had quite a bad experience with loading times in some areas of Africa, Asia, and the Middle East. But I am not sure if it has to do with any specific technology or just a general routing issue.

Lu

On 22 January 2015, at 5:24 PM, Shahin Gharghi <ripe@rased.ir> wrote:

> Dear colleagues
>
> I agree with Paul and we have a problem with HTTPS in Iran. That's too slow here. But because of this: "because we plan to integrate RIPE NCC Access" They have to switch into HTTPS.

Hi!

> We plan to make the www.ripe.net website available over HTTPS only as of 5 February 2015. We believe this change will provide a more secure, efficient website for our users.

> 1. www.ripe.net is (as far as I can see - and I could be wrong - please correct me) primarily an information site, that is it provides publicly available information to everyone/anyone. Therefore it does not largely transmit anything that needs to be secure and encrypted over SSL.

In recent months there was debate (and published papers from certain three-letter-agencies) on real attacks which were done by hi-jacking unencrypted surf traffic to inject infection code. The goal is to attack the clients surfing to a certain site. Clients like desktop systems of system and network admins. Belgacom case etc.

This and the very recent discussion on key escrow that pops up in Europe after 'Charlie Hebdo' makes the case to basically 'encrypt everything'.

If this causes issues with some service regions, it's useful that we learn more about those issues. Maybe afterwards HTTPS can be disabled for certain geo-located IP ranges.

I applaud RIPE to go this extra step with HTTPS-only.

--
MfG/Best regards, Kurt Jaeger
5 years to go !
Dr.-Ing. Nepustil & Co. GmbH, fon +49 7123 93006-0
pi@nepustil.net, Rathausstr. 3, fax +49 7123 93006-99
72658 Bempflingen, mob +49 171 3101372

On 22/01/2015 17:47, Kurt Jaeger wrote:
> I applaud RIPE to go this extra step with HTTPS-only.

yep, good move. approve.

Nick

Hello Paul,

On 22.1.2015 at 16:48, Paul Civati wrote:

> 2. There have been far more security holes in https/TLS/SSL of recent than plain HTTP as far as I can tell. Therefore I would say that https is less secure unless you have sensitive information to transport.

Do you have any citation on this? Given the fact that HTTPS is plain HTTP with added TLS encryption layer, I cannot see any _technical_* way it could be less secure than plain HTTP. All recent security holes discovered in TLS could have been used only to view the plaintext, ie. the same text that HTTP transmits openly.

*) OK there may be a social part of the problem that some well educated users could share some confidential information using HTTPS but not HTTP. But it's not the case here since as you pointed out, www.ripe.net is mainly informational website with almost no personal or confidential data.

Best regards,
Ondřej Caletka
CESNET

On 23.01.2015 09:24, Ondřej Caletka wrote:

> Hello Paul,
>
> On 22.1.2015 at 16:48, Paul Civati wrote:
>
>> 2. There have been far more security holes in https/TLS/SSL of recent than plain HTTP as far as I can tell. Therefore I would say that https is less secure unless you have sensitive information to transport.
>
> Do you have any citation on this?

Not trying to start an off-topic discussion, but: If you browse the web for security vulnerabilities in TLS/encryption-software you will clearly find a lot of matches. Some even extremely critical. Therefore, any service implementing encryption will have more security holes than if it did not implement encryption. This is unquestionable.

When it comes to being less secure, I agree that it would be correct to state that a non-sensitive site will be less secure with encryption enabled simply because there is no security gain in supporting encryption - but you do however get added security holes.

In the mail from RIPE they say that they are adding SSO, so the site will eventually become sensitive and therefore need TLS.
participants (7)

- Jørgen Hovland
- Kurt Jaeger
- Lu
- Nick Hilliard
- Ondřej Caletka
- Paul Civati
- Shahin Gharghi