Board upgrade 1800-1900hrs 07/02/2008

campbell
Posts: 17191
Joined: Sat Mar 25, 2006 12:42 pm
Location: West Lothian

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by campbell » Thu Jan 08, 2015 4:23 pm

I was only joking about Tut's posts, btw
http://www.rathmhor.com | Coaching, training, consultancy

tut
Barefoot Ninja
Posts: 22975
Joined: Tue Mar 15, 2005 5:53 pm
Location: Tut End, Glen of Newmill

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by tut » Thu Jan 08, 2015 5:08 pm

They fill in the blank periods Campbell, i.e. weekends when you lot are not working, which is where you make most of your posts from. :D

tut

Sanjøy
Posts: 8808
Joined: Sun Oct 02, 2005 8:23 pm
Location: Edinburgh Hamptons

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by Sanjøy » Thu Jan 08, 2015 5:50 pm

tut wrote: They fill in the blank periods Campbell, i.e. weekends when you lot are not working, which is where you make most of your posts from. :D

tut
Good point can we get a user posting analysis module?
W213 All Terrain

campbell
Posts: 17191
Joined: Sat Mar 25, 2006 12:42 pm
Location: West Lothian

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by campbell » Thu Jan 08, 2015 7:29 pm

tut wrote: They fill in the blank periods Campbell, i.e. weekends when you lot are not working, which is where you make most of your posts from. :D

tut
Too busy running after my young family at weekends!
http://www.rathmhor.com | Coaching, training, consultancy

robin
Jedi Master
Posts: 10525
Joined: Mon Mar 27, 2006 1:39 pm

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by robin » Thu Jan 08, 2015 8:24 pm

We may eventually run into problems using plain HTTP - there are moves in the browser world to treat non-SSL sites with suspicion - ranging from an unhappy icon in the address bar to popping up dire warnings about your computer's chances of survival if you proceed to connect.

Of course it's all security theatre. There is not a single shared point of trust on the internet; it's only a matter of time before it comes to light that the people hosting the so-called trusted root certification authorities are just as weak as Sony ...

Anyway, I have no desire to switch to SSL but it's worth thinking about because one day we may have to do it.

Graeme - you can have more than one certificate per IP address; it's pretty obvious if you think about it - the certificate is tied to the IP but the IP is not tied to the certificate. Edited to add that of course your s/w has to support this - but SNI should make that possible.

Cheers,
Robin
I is in your loomz nibblin ur wirez
#bemoretut

ironside
Site Admin
Posts: 786
Joined: Fri Mar 24, 2006 11:48 am
Location: Edinburgh

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by ironside » Thu Jan 08, 2015 9:16 pm

The problem is, without SNI, that the server doesn't know which SSL certificate to present because the web browser doesn't say which site it's requesting until after the certificate has been presented.
You can solve this without consuming IP addresses by running different sites on different ports, but nobody wants to have to use something like https://www.scottishelises.com:8443/, or by having a single certificate that is valid for multiple domain names (wildcards, SANs) which are quite expensive compared with single domain certificates.

SNI solves this by having the web browser say which site it's requesting earlier so the server can present the correct certificate but, as Robin says, SNI support isn't everywhere yet.
You could also solve this with IPv6 where address shortage isn't a problem but that's not everywhere yet either.

graeme
Posts: 3528
Joined: Tue Mar 15, 2005 11:29 am
Location: Kintore

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by graeme » Fri Jan 09, 2015 10:23 am

robin wrote: Graeme - you can have more than one certificate per IP address; it's pretty obvious if you think about it
Well, Mr Condescending... I know the default is to assume I don't know what I'm talking about, but sometimes, just sometimes, I do. ;)

Even if SANs were free, they're not the answer for shared hosting, as alternative names are visible for all to see on the cert.
211
958

Sanjøy
Posts: 8808
Joined: Sun Oct 02, 2005 8:23 pm
Location: Edinburgh Hamptons

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by Sanjøy » Fri Jan 09, 2015 10:25 am

I have a spare dl380 in the barn if someone has some rack space....
W213 All Terrain

ironside
Site Admin
Posts: 786
Joined: Fri Mar 24, 2006 11:48 am
Location: Edinburgh

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by ironside » Fri Jan 09, 2015 10:34 am

Thanks for the offer Sanjoy but there's no hardware shortage!

steve_weegie
Posts: 3241
Joined: Tue Jun 28, 2005 12:40 am
Location: Nessieland

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by steve_weegie » Fri Jan 09, 2015 3:21 pm

We could have a redirection at http://www.scottishelises.com to https://www.scottishelises.com:8443, but I guess it may cause issues with people browsing at work on the non-standard port though.

SNI support is available in all the mainstream browsers now though, but lack of SNI support in XP clients running Internet Explorer could cause issues. Also Squid if it's being used as a reverse proxy. I believe haproxy will do SNI though.

Should be possible to run both though and let people choose http or https if their browser meets the criteria.

campbell
Posts: 17191
Joined: Sat Mar 25, 2006 12:42 pm
Location: West Lothian

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by campbell » Sat Jan 10, 2015 3:49 pm

Anyone still running IE on XP has bigger things to focus on than reaching SE...
http://www.rathmhor.com | Coaching, training, consultancy

robin
Jedi Master
Posts: 10525
Joined: Mon Mar 27, 2006 1:39 pm

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by robin » Sat Jan 10, 2015 5:14 pm

graeme wrote: Even if SANs were free, they're not the answer for shared hosting, as alternative names are visible for all to see on the cert.
I didn't mention SANs - I agree they are impractical for hosting multiple unrelated sites.

I think SNI support is sufficiently prevalent that, by the time modern browsers have issues with non-HTTPS sites, we will be able to ignore the old non-SNI supporting browser/OS combinations (I would already ignore them, if Wikipedia is correct: http://en.wikipedia.org/wiki/Server_Nam ... No_support).

Until modern browsers barf on plain old HTTP I wouldn't do anything at all.

So, I think SNI is a good solution and certificates are tied to IPs and IPs are not tied to certificates.

Apologies if that came across as condescending.

Cheers,
Robin
I is in your loomz nibblin ur wirez
#bemoretut

tut
Barefoot Ninja
Posts: 22975
Joined: Tue Mar 15, 2005 5:53 pm
Location: Tut End, Glen of Newmill

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by tut » Sat Jan 10, 2015 7:13 pm

Googled on all of this, but needless to say I am still none the wiser.

On the other hand, I can quote Shakespeare and Keats.

tut

ps:- never thought that Robin would have to post as not sounding condescending.

tut

Sanjøy
Posts: 8808
Joined: Sun Oct 02, 2005 8:23 pm
Location: Edinburgh Hamptons

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by Sanjøy » Sat Jan 10, 2015 9:39 pm

Disappointed that nobody has chucked in the SHA-1 grenade yet.
W213 All Terrain

tut
Barefoot Ninja
Posts: 22975
Joined: Tue Mar 15, 2005 5:53 pm
Location: Tut End, Glen of Newmill

Re: Board upgrade 1800-1900hrs 07/02/2008

Post by tut » Sat Jan 10, 2015 11:55 pm

When I left Oman we were still using the Mills 36M grenade, did the job, always went off, and cleared a bunker with no problem.

Also perfect for throwing, fitted the hand like a glove and could be pitched 30m with accuracy.

tut
