kedo posted:
Why wouldn't you want to use https? It's brainlessly simple to set up an SSL cert with Let's Encrypt, and it offers at least a bare minimum amount of protection for your users who might be accessing your site on an unsecured network.

It may be easy now, but nothing guarantees you won't have to pay for the privilege 10 years down the road. And 10 years down the road, the browser may have turned completely hostile to HTTP.

As for signing everything digitally: maybe I don't want to do that. Maybe I want my data to be semi-anonymous and unsigned. It will be harder to deny my authorship if everything is signed.

The way the cert system works is highly hierarchical, so it is very weak against attack by nation states. They may force certification authorities to revoke the certificate of an anti-government site. It gives more power to those that already have too much power.

If anything, I think we need to push the web towards less centralization, less cost and more freedom. It's not safe to put so much power into certification authorities. It's not safe to live in a house with unbreakable windows.

I rest my case. It's probably true that my concerns are wrong.

Tei fucked around with this message at 21:33 on Jan 17, 2019
# ? Jan 17, 2019 21:23 |
|
Tei posted:
The current fad is "if it's HTTP it's not safe" and that's magical thinking. Not everything needs to be HTTPS. And not everything is a credit card form.

IIRC the current push for HTTPS started when the US government decided it was permissible for ISPs to sniff your web traffic and sell the data to marketers.
|
# ? Jan 17, 2019 21:25 |
|
HTTP is susceptible to man in the middle attacks at any step. ISPs even started injecting ads on websites they served, which pissed Google off, as you can imagine. Entering anything on any form is completely exposed, as is what you view on the page, and there's no way to know whether what you're seeing on the page is what you actually requested.
|
# ? Jan 17, 2019 21:35 |
|
Let's Encrypt is run by the Linux Foundation and is heavily promoted by the EFF. If you find yourself more paranoid about anonymity than those two organizations... I don't know, I'm not really sure what to tell you except maybe the internet isn't the place for whatever data you're concerned about protecting?

e:
Nolgthorn posted:
HTTP is susceptible to man in the middle attacks at any step. ISPs even started injecting ads on websites they served, which pissed Google off as you can imagine. Entering anything on any form is completely exposed, as is what you view on the page and there's no way to know what you're seeing on the page is what you actually requested.

Not to mention the fact that HTTP injection was (and probably still is) one of the NSA's primary tools for seizing control of computers. If you're worried about bad nation-state actors, http is arguably worse for the internet than https.

kedo fucked around with this message at 21:45 on Jan 17, 2019
# ? Jan 17, 2019 21:39 |
|
Since DNSSEC isn't a thing and is unlikely to ever become a thing, if you don't use HTTPS you have absolutely no idea if the server you're talking to is the server you think it is. There are a lot of malicious middlemen that can and will both read your traffic and inject poo poo into it. Lots of free wifi providers and even some shady ISPs will inject ads, and since the adtech industry is full of fraudsters, that also means it'll inject malicious javascript sooner rather than later.

In fact HTTPS is a good idea even on servers that are only listening on localhost - it's one of the easier ways to defeat DNS rebinding attacks (where an attacker on some random page makes your browser run javascript that connects to your local service to steal info etc - there were a whole bunch of programs that suffered from this vulnerability last year, like battle.net, the transmission bittorrent client and I don't remember what else).

Yes, X.509 is comically complicated and the whole cert signing circus is a gigantic mess, but it's the standard that exists and you gotta deal with it. Letsencrypt circumvented the cert selling poo poo, at least. Using plain HTTP in 2019 is not really an option for anything at all, and that's why browsers are warning you.

e: the dream of the decentralized internet is long dead. Centralization is too efficient and convenient.

TheFluff fucked around with this message at 23:54 on Jan 17, 2019
# ? Jan 17, 2019 23:40 |
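The DNS rebinding point above deserves a concrete illustration. In a rebinding attack the attacker's page is served from a name such as attacker.example; after the page loads, the attacker's DNS flips that name to 127.0.0.1 with a tiny TTL, so the page's javascript can now make requests that land on the victim's local service while the browser still believes it is talking to attacker.example. Those requests carry `Host: attacker.example`, which is the giveaway. HTTPS defeats the attack because a certificate for the local service's name will never validate for the attacker's name; the complementary defence for a plain-HTTP local service is to answer only when the Host header names the service itself, which is how the affected clients were patched. The following is an added example written for this post, not code from any of the projects mentioned: the allow-list, the listen port and the sample requests are assumptions.

```python
"""Host-header validation for a service bound to localhost, as a defence
against DNS rebinding.  Added example; the allow-list, port and sample
requests are assumptions for illustration."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names a local service legitimately answers to (assumed for this example).
# A rebinding request arrives with the attacker's hostname here instead.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def split_host_header(value):
    """Return (host, port_or_None) from a Host header value.

    Handles bracketed IPv6 literals; returns (None, None) on malformed input
    so that anything unparsable is rejected rather than guessed at."""
    value = value.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[: end + 1], value[end + 1 :]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return None, None
    host, sep, port = value.partition(":")
    if sep and not port.isdigit():
        return None, None
    return host, (int(port) if sep else None)


def host_header_is_local(value, listen_port):
    """True only if the Host header names this service on its own port.

    A missing port is accepted because browsers omit the default port;
    a different port or an unknown name (the rebinding case) is refused."""
    host, port = split_host_header(value)
    if host is None:
        return False
    if port is not None and port != listen_port:
        return False
    return host in ALLOWED_HOSTS


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Minimal local API that refuses requests addressed to a foreign name."""

    listen_port = 9091  # assumed port for the example

    def do_GET(self):
        if not host_header_is_local(self.headers.get("Host", ""), self.listen_port):
            # 421 Misdirected Request: the request was not meant for this server.
            self.send_error(421, "Misdirected Request")
            return
        body = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run locally and compare:
    #   curl -H 'Host: localhost:9091' http://127.0.0.1:9091/   -> 200
    #   curl -H 'Host: attacker.example' http://127.0.0.1:9091/ -> 421
    HTTPServer(("127.0.0.1", LocalOnlyHandler.listen_port), LocalOnlyHandler).serve_forever()
```

The check is deliberately an exact allow-list rather than a suffix match: `localhost.attacker.example` is a name the attacker controls and must be rejected, and the port comparison stops a page on another local port from being used as a pivot. Binding the server to 127.0.0.1 is still necessary; the Host check only addresses requests that arrive via the victim's own browser.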
|
I really never got around to making letsencrypt work either. The certs expire seemingly daily, and therefore you have to automate the certification process so that it can run all the drat time. Luckily my current webhost was nice enough to just have a script I could run that does it for me. Haven't had to think about it since. It was so nice to run that thing and it "just worked", you have no idea.

Nolgthorn fucked around with this message at 00:11 on Jan 18, 2019
# ? Jan 18, 2019 00:08 |
|
It's like one command to install certbot and auto-renew LetsEncrypt certs every however often. I followed a DigitalOcean tutorial and have had no problems with it?

I kind of hate Now 2.0. Now 1.0 was so good for throwing stuff up to test or share or even use in production. I don't want to rework my project to fit serverless. I guess I can't complain about a free service, but Heroku looks mighty appealing again.
|
# ? Jan 18, 2019 00:31 |
|
Nolgthorn posted:
I really never got around to making letsencrypt work either. As the certs expire seemingly daily and therefore you have to automate the certification process so that it can run all the drat time. Luckily my current webhost was nice enough to just have a script I could run that does it for me.

letsencrypt, via certbot, does this for you nowadays
|
# ? Jan 18, 2019 00:44 |
|
For those in containerized environments, Caddy is a ridiculously easy-to-set-up LetsEncrypt-enabled webserver/reverse-proxy. Its main advantage for me is that it auto-updates the certs without the need for a separate cronjob or integration. By comparison, Certbot needs a cronjob installed and integration with whatever webserver you've got (Nginx / Apache / etc) to HUP the server when it replaces the certificate, which is a PITA in containerized envs.
|
# ? Jan 18, 2019 00:48 |
|
Nolgthorn posted:
I really never got around to making letsencrypt work either. As the certs expire seemingly daily and therefore you have to automate the certification process so that it can run all the drat time.

This is by design. You put in the effort once and then it just works forever. The alternative is someone does it manually, and has then forgotten about it by the time the cert expires, then everything breaks and they decide to just go back to insecure http.
|
# ? Jan 18, 2019 06:00 |
|
I've got a question about a problem that's driving me crazy. I'm developing an API. The actual server is behind an Apache reverse proxy.

1. When I set the `ProxyTimeout 300` directive the value works as intended. However, when I try to set the timeout on the individual ProxyPass directive using `timeout=300`, the timeout doesn't work at all. It goes back to the default value of 60 seconds. Tested this with both Apache 2.2 and 2.4 with the same results.

2. When the ProxyTimeout happens I get an empty response with status 200. If the server is completely dead I get a proper 503. However, if the remote server doesn't return data before the timeout I get this empty response.

I've read the manuals and Googled about #1 for like an hour and I have no idea what the hell I'm doing wrong or misunderstanding. #2 might be a question for the Golang thread since my actual web server is written in Go. I just need to know if this is normal behavior, and Googling about it isn't helpful because you just get back a bunch of stuff about setting custom error pages.

ErIog fucked around with this message at 07:19 on Jan 18, 2019
# ? Jan 18, 2019 07:05 |
|
Also important to note that certs with the lifespan of a fruit fly reduce the consequences of a bad actor getting ahold of a cert issued to your domain.

I've found it difficult to persuade devs with concerns over the campaign to secure the web, because refuting each individual argument against widespread adoption isn't as important as addressing the person's underlying fear, and, in some cases, outright paranoia, over various big names in the industry. While I share the wariness about any one organization becoming the decider on everything, I see that wariness applied with way too broad a brush by some. Like was said up-thread, you may not trust Google, but surely the EFF isn't out to destroy the internet?
|
# ? Jan 18, 2019 07:19 |
|
Cugel the Clever posted:
Like was said up-thread, you may not trust Google, but surely the EFF isn't out to destroy the internet?

It depends who's financing it, who's in charge. One person's opinion regarding what destroys the internet is different from another's. More important than that, I think bad actors are drawn to whatever is the most powerful influencer at any given time; many of them have lots of money and can likely weasel their way in there. Maintaining a lot of competition is key. Currently if I decide I want to stop using one single thing, there's like 5 years of downtime while an alternative gets developed.
|
# ? Jan 18, 2019 11:25 |
|
Lumpy posted:
Well, got this working very quickly: fired up my phone to test, and Facebook sets X-FRAME-OPTIONS: DENY, which my phone browser respects, but my desktop firefox apparently does not, which is why it worked there....

Mr Moo's suggestion was way better, anyway
|
# ? Jan 18, 2019 14:53 |
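Since the framing exchange above turns on how a browser decides whether a page may be embedded, here is the decision logic written out, as an added example and not code from this thread or from any browser. It applies the rules a spec-following browser uses: if the framed response carries a Content-Security-Policy with a `frame-ancestors` directive, that directive decides and X-Frame-Options is ignored; otherwise `DENY` blocks every embed, `SAMEORIGIN` allows only a same-origin parent, and an unrecognised value (such as the obsolete `ALLOW-FROM`) is ignored, so the page can be framed. Simplifications, stated as assumptions: only the top-level origin is checked where browsers check every ancestor, conflicting X-Frame-Options values are treated as deny, and the CSP source matcher handles `'none'`, `'self'`, `*`, full origins, bare hosts and `*.` wildcards but not scheme-only sources. The headers and origins are made up for the test.

```python
"""Decide whether a response may be rendered in a frame, from its headers.

Added example; not from the thread.  Simplifications: only the top-level
ancestor origin is considered, and the CSP source matcher covers the
common source forms only."""


def _csp_frame_ancestors(csp_value):
    """Return the source list of a frame-ancestors directive, or None if absent.

    An empty list (directive present with no sources) means 'none'."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _source_matches(source, origin, page_origin):
    """Does one CSP source expression match the framing origin?"""
    if source in ("none", ""):
        return False
    if source == "self":
        return origin == page_origin
    if source == "*":
        return True
    scheme, _, host = origin.partition("://")
    if "://" in source:
        return source == origin          # explicit origin: exact match
    # Schemeless host-source: the scheme must match the framed page's scheme,
    # or be an https upgrade of an http page.
    page_scheme = page_origin.partition("://")[0]
    if scheme != page_scheme and not (page_scheme == "http" and scheme == "https"):
        return False
    if source.startswith("*."):
        return host.endswith(source[1:])  # wildcard subdomain, not the bare domain
    return source == host


def framing_allowed(headers, top_origin, page_origin):
    """True if a page served with `headers` at `page_origin` may be framed
    by a top-level document at `top_origin`."""
    lowered = {k.lower(): v for k, v in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            # frame-ancestors present: it wins and X-Frame-Options is ignored.
            return any(_source_matches(s, top_origin, page_origin) for s in sources)

    xfo = lowered.get("x-frame-options")
    if xfo is None:
        return True                       # no policy at all: anyone may frame
    values = {v.strip().lower() for v in xfo.split(",")}
    if len(values) > 1:
        return False                      # conflicting values: treat as deny (assumption)
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return top_origin == page_origin
    return True                           # unrecognised value (e.g. ALLOW-FROM): ignored
```

The practical lesson the function makes visible is that `X-Frame-Options: DENY` on its own is enough to stop the embed in any current browser, and that once you add a CSP with `frame-ancestors`, that directive is the only thing consulted, so the two must agree.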
|
Munkeymon posted:Mr Moo's suggestion was way better, anyway It was!
|
# ? Jan 18, 2019 18:04 |
|
Say I want a website with two panes, with a vertical, adjustable separator (sort of like jsfiddle but with only two panes instead of four). What's the simplest way to go about that? Is it possible with html+css alone, or will I need javascript?
|
# ? Jan 24, 2019 01:14 |
|
This is not mine.
|
# ? Jan 24, 2019 01:18 |
|
Cool, thank you
|
# ? Jan 24, 2019 01:55 |
|
Anyone read any good books lately? Probably about time I brushed up.
|
# ? Jan 24, 2019 13:35 |
|
jiggerypokery posted:
Anyone read any good books lately?

The internet made reading books obsolete. I don't remember the last one, but I have good memories of "Compilers: Principles, Techniques, and Tools"

https://www.youtube.com/watch?v=1xyqfHCzsH8
|
# ? Jan 24, 2019 14:19 |
|
Any good & recent books on Python (potentially also Django)? Studying for an interview and want to know if I've missed anything lately with the new versions.
|
# ? Jan 24, 2019 21:27 |
|
Nybble posted:
Any good & recent books on Python (potentially also Django)? Studying for an interview and want to know if I've missed anything lately with the new versions.

You're probably not going to find recent developments in a book.
|
# ? Jan 24, 2019 21:57 |
|
This is the newest book on Amazon
|
# ? Jan 24, 2019 22:58 |
|
Nolgthorn posted:
This is the newest book on Amazon

I stand corrected.
|
# ? Jan 24, 2019 23:42 |
|
Nybble posted:
Any good & recent books on Python (potentially also Django)? Studying for an interview and want to know if I've missed anything lately with the new versions.

Try the python thread
|
# ? Jan 25, 2019 01:36 |
|
jiggerypokery posted:
Anyone read any good books lately?
|
# ? Jan 25, 2019 04:23 |
|
What do y'all think's the most idiomatic id for the element to mount a framework in? `app`? `main`? Trying to set up a default mount point for my framework
|
# ? Jan 25, 2019 15:26 |
|
#mountMeBaby
|
# ? Jan 25, 2019 15:28 |
|
Love it
|
# ? Jan 25, 2019 15:44 |
|
Dominoes posted:
What do y'all think's the most idiomatic id for the el to mount a framework in? app ? main ? Trying to set up a default mount point for my framework

App for me, personally. Main sounds ambiguous. Main is probably already in use by several CSS frameworks, while you seem to be talking about a programmatic one, where App is more common.
|
# ? Jan 25, 2019 15:52 |
|
I use app because I copied and pasted it from a tutorial the first time I built one, and I suspect other people did too, so it's going to become the gold standard.
|
# ? Jan 25, 2019 18:41 |
|
Dominoes posted:
What do y'all think's the most idiomatic id for the el to mount a framework in? app ? main ? Trying to set up a default mount point for my framework

YourIDNameHere
|
# ? Jan 25, 2019 18:51 |
|
After briefly considering put-your-code-inside-me, I settled on app.

Also, more shockingly-shameless self-promotion: Y'all should try it. I'm attempting to steal what I like from existing frameworks. Focus is on ease-of-use, clean API, batteries included. Case-in-point: Despite using a low-level language, I think the TodoMVC example is cleaner than most of the ones on the official page

Dominoes fucked around with this message at 03:06 on Jan 27, 2019
# ? Jan 27, 2019 02:55 |
|
poz my code hole
|
# ? Jan 27, 2019 03:02 |
|
There was a line. Somewhere.
|
# ? Jan 27, 2019 03:04 |
|
Dominoes posted:
After briefly considering put-your-code-inside-me, I settled on app.

Congrats on the release. Man, modern clientside is so complex, it's hard to tell what your thing does. It's probably easy for the people that are already in on the joke of clientside programming with rust. Good luck with this thing!
|
# ? Jan 27, 2019 10:21 |
|
Tei posted:
Congrats on the release.

It's Elm or React or Vue or Angular but you write Rust instead of JS.
|
# ? Jan 27, 2019 19:08 |
|
A question about cookies. When I arrive here at the something awful forums, my browser is already logged in. My app-in-development uses CouchDB's built in user management. User registration, login, etc are going fine, EXCEPT that user login is not persisting across multiple page visits. Refreshing the page logs you out.

Some relevant settings from my couchDB config:

    [couch_httpd_auth]
    allow_persistent_cookies = true   ; I would have expected that this took care of this issue
    auth_cache_size = 50
    authentication_db = _users
    authentication_redirect = /_utils/session.html
    iterations = 10
    require_valid_user = false
    secret = butts
    timeout = 600

What keywords should I be sniffing around in order to fix this up?

Newf fucked around with this message at 17:47 on Jan 29, 2019
# ? Jan 28, 2019 21:27 |
|
Maybe I'm not understanding the issue. Being "logged in" isn't a concept generally on the server... your session might be getting stored in CouchDB but to retrieve that session you need to set a cookie in the user's browser that identifies it, and you need to get it again from CouchDB on every request.
|
# ? Jan 28, 2019 21:47 |
|
|
I like to set one or two things in a JWT including their user id, stick it in their cookies. Verify the signature when they make a request, look up the user by id, and bingo bango, that's my user right there.

I understand there's some insane people out there who think JWT isn't a good idea for session management, but they are incorrect. Headless JWT is my personal favourite.
|
# ? Jan 28, 2019 21:55 |
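The two posts above describe the same mechanism from both ends: the server has no memory of who is "logged in" unless the browser presents something on every request, and one way to make that something self-verifying is a signed token holding the user id. The example below, added here and not code from this thread, CouchDB or any JWT library, implements that flow with the standard library so each verification step is visible: issue an HS256 JWT with the user id and an expiry, set it in a cookie with the attributes that keep it out of page scripts and off plain HTTP, then on each request pin the algorithm, check the signature in constant time, check `exp`, and only then look the user up by id. The secret key, user table, cookie name and lifetime are assumptions for illustration; in production use a maintained library and a key loaded from configuration.

```python
"""Signed-JWT session cookie: issue, set, verify, look up the user.
Added example; the key, user store, cookie name and TTL are assumptions."""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"replace-me-with-32-random-bytes"     # assumption: real code loads this from config
USERS = {42: {"id": 42, "name": "nolgthorn"}}       # stand-in for the user store
COOKIE_NAME = "session"
SESSION_TTL = 7 * 24 * 3600                          # seconds a session stays valid


def _b64url(data: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_session_token(user_id, now=None, ttl=SESSION_TTL):
    """Build header.payload.signature for this user; `sub` carries the user id."""
    now = int(time.time()) if now is None else now
    header = _b64url(_compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_compact_json({"sub": str(user_id), "iat": now, "exp": now + ttl}))
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SECRET_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def session_cookie_header(token):
    """Value for Set-Cookie.  HttpOnly keeps the token away from page scripts,
    Secure restricts it to HTTPS, SameSite=Lax blunts cross-site request forgery."""
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={SESSION_TTL}; "
            "HttpOnly; Secure; SameSite=Lax")


def verify_session_token(token, now=None):
    """Return the user id from a valid token, or None.

    Rejects malformed tokens, any algorithm other than the one we issue
    (so "alg": "none" forgeries fail), bad signatures and expired tokens."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:            # covers binascii.Error, JSON and unicode errors
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":          # server picks the algorithm, never the token
        return None
    expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):   # constant-time comparison
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    try:
        return int(payload["sub"])
    except (KeyError, TypeError, ValueError):
        return None


def current_user(cookie_header, now=None):
    """Parse the request's Cookie header, verify the token, look up the user by id."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    token = cookies.get(COOKIE_NAME)
    if token is None:
        return None
    user_id = verify_session_token(token, now)
    return USERS.get(user_id) if user_id is not None else None
```

Two details matter more than the rest: the algorithm is fixed by the server rather than read from the token, and the signature is compared with `hmac.compare_digest`. Because the token is self-contained, nothing here can revoke a session before `exp`; that is the trade-off the "JWT for sessions" argument in the post is really about, and the short TTL is what bounds it.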