Attack of the Cooties
-
ooooh. yep that would do it.
-
red circle is the slowdown just before SSL, purple is the server restart for SSL followed by my scramble to get socksite pinging over SSL instead of http.
i still have the hack for the leaf node
@sam: made a non node.js based cert test for you. ;-)
accalia@httpstest:~/workspace (master) $ curl https://what.thedailywtf.com >/dev/null && echo TEST PASS || echo TEST FAIL
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
TEST FAIL
accalia@httpstest:~/workspace (master) $
-
TDWTF 100% more SSL 100% more SPDY
Why wasn't a banner posted about this before the site went laggy and then offline? It probably would have been a good idea to put a banner up last night, or just before starting at the latest.
-
Why wasn't a banner posted about this before the site went laggy and then offline? It probably would have been a good idea to put a banner up last night, or just before starting at the latest.
i don't know. if it had been a global_notice servercooties.com would have picked up on it too and showed it on the site (and made a desktop notification of it too) so it would have been visible even when the site was down completely for the cert install.
which BTW: THANKS @SAM FOR MAKING HTTPS A THING!
-
we were doing so well! and then.....?
@sam.... is it something to do with resources or something? i've noticed this pattern before that discourse is blazingly fast for a while after a container restart and then it slows down markedly...
-
is it something to do with resources or something? i've noticed this pattern before that discourse is blazingly somewhat faster for a while after a container restart and then it slows down markedly..
Reminds me of Diablo 3 where the droprate would magically become better after the servers restarted... Though that is totally coincidence, guys!!!
So, besides cooties, what do we get from Https now? I mean, blakeyrat has all the passwords from the CS-instance anyway, so what are we protecting?
Filed Under: Let's hope this posts
-
I mean, blakeyrat has all the passwords from the CS-instance anyway, so what are we protecting?
Firstly, I would hope those passwords are salted and hashed properly. Second, anyone with enough sense will be using a different password for Dicsource.
-
I would hope those passwords are salted and hashed properly
If I had a CS-account, I'd probably add blakeyrat to my longname. (But yeah, I do think Alex either changed all passwords or they were secure before... though the second statement is kinda iffy talking about CS....)
Second, anyone with enough sense will be using a different password for Dicsource
Still begs the question what we are protecting with the https.... besides that some topic here said Firefox wants to stop supporting http...
Filed Under: Just wondering is all
-
When the accounts were imported into Dicsource, they were imported in such a way as to force the user to go through the 'password recovery' whatever, and set a new password
-
Not my password he doesn't ;)
-
How is that relevant? @Blakeyrat got the database for CS afair. I am not saying he has the passwords. I just wanted to make a snarky remark. Maybe he can tell us whether or not he can now post as morbs?
Not my password he doesn't
Swordfish?
Filed Under: Either that or it's the date of your birthday!
-
I thought you were looking for info on passwords?
-
How is that relevant? @Blakeyrat got the database for CS afair. I am not saying he has the passwords. I just wanted to make a snarky remark. Maybe he can tell us whether or not he can now post as morbs?
Not my password he doesn't
Swordfish?
Filed Under: Either that or it's the date of your birthday!
all I see there is ■■■■■■■■■.
Filed Under: hunter2
-
I wasn't on CS ;)
-
How do you read my statements as me looking for info on passwords? I made the remark that blakeyrat has the CS-database and I still want to know how https benefits us...
Filed Under: PSYCHIC!!
I wasn't on CS
jeez, sure, ruin all the fun. (I wasn't either, I think)
Filed Under: meh
-
How do you read my statements as me looking for info on passwords?
Magic!
Actually, I have no idea
I still want to know how https benefits us
It's… more secure?
-
How do you read my statements as me looking for info on passwords? I made the remark that blakeyrat has the CS-database and I still want to know how https benefits us...
Filed Under: PSYCHIC!!
Mostly just prevents your TDWTF password from getting stored by your corporate firewall.
-
It's… more secure?
You mean we have longer phases of cooties?
See, I kinda don't want to spam this topic anymore because I feel like I am doing that.
And I understand you guys like to play around with technology.... I am somewhat the same in that regard, I guess. But as far as I can tell, there is no benefit from https here... no, wait, it's probably somehow more beneficial than @accalia's request for IPv6... or not... I am not too sure!
your TDWTF password from getting stored by your corporate firewal
Good thing I am not working at Samsung!
Filed Under: hunter2■■■■■■■ should never get stored in any firewall
-
Why wasn't a banner posted about this before the site went laggy and then offline?
Laggy site was totally unrelated, SSL install simply took site down for a 5 min outage.
Something is ill here and I need to get to the bottom of it, something about tdwtf is exercising my debugging skillz.
-
But as far as I can tell, there is no benefit from https here
There is a big benefit for anons hitting the front page cause they get all the avatars pipelined. For the rest of us it should be more or less the same albeit a tiny bit slower and a bunch more secure.
-
But as far as I can tell, there is no benefit from https here... no, wait, it's probably somehow more beneficial than @accalia's request for IPv6... or not... I am not too sure!
It doesn't really do anything for the standard users beyond protect the password in flight, but now mod and admin sessions are more difficult to hijack.
-
SSL install simply took site down for a 5 min outage
There should have at least been a little notice, and a global message that ServerCooties.com could pick up (it does that now ;))
-
Mostly just prevents your TDWTF password from getting stored by your corporate firewall.
Https doesn't prevent this at most corps.
-
I left a message here, kind of tight on time, I am travelling in Israel atm visiting my mum so it's a bit harder to queue things.
-
Fair enough; seems like something that could have waited for a more convenient time though
-
Security waits for no man! or woman, or fox, or hedgehog, etc.
-
@accalia all should be better now, created a jumbo crt with all the intermediates.
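What the failing and passing curl tests in this thread come down to, as an added example that is not part of the original post: a throwaway root, intermediate and leaf are generated with openssl (all names are constructed), and a client that trusts only the root is handed first the bare leaf, then the leaf concatenated with its intermediate.

```bash
#!/usr/bin/env bash
# Added example. Every name below (Demo root/inter/leaf) is constructed.
set -e

# Build a throwaway three-level PKI in directory $1: root -> inter -> leaf.
make_demo_pki() {
  local d=$1 n
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
      -subj "/CN=Demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Client that trusts only root $1 and receives PEM file $2 from the server:
# the first certificate is the leaf, any others are untrusted intermediates.
client_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/jumbo.pem"  # leaf first, then intermediates
  client_verifies "$d/root.pem" "$d/leaf.pem"  && echo "leaf only: TEST PASS" || echo "leaf only: TEST FAIL"
  client_verifies "$d/root.pem" "$d/jumbo.pem" && echo "jumbo crt: TEST PASS" || echo "jumbo crt: TEST FAIL"
  rm -rf "$d"
}
demo
```

The leaf-only failure is the same X.509 condition curl reported above: the client holds the root but has no certificate linking the leaf to it.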
-
Premature securiaitation is the root of all evils
-
Chrome likes it now.
-
Something is ill here and I need to get to the bottom of it, something about tdwtf is exercising my debugging skillz.
What I don't get is 1.3beta9 was an improvement over 1.3beta7, in terms of performance. Not a great improvement, but enough that the site didn't keep crapping itself on a daily basis. Now we're on 1.4beta1, it seems all that hard work has just vanished.
-
Premature securiaitation is the root of all evils
I have no idea what that means, but I'm inclined to agree. Cheers.
-
I will look at this on me Monday (or possibly tomorrow before flight)
-
Keep us updated ;)
-
You can actually view the SPDY benefits here:
https://what.thedailywtf.com/t/full-list-of-currently-supported-emoji/605
-
You can actually view the SPDY benefits here:
Broken avatars?
Placeholders?
Colour me unconvinced.
-
I left a message here, kind of tight on time, I am travelling in Israel atm visiting my mum so it's a bit harder to queue things.
A 2 minute warning buried in a topic for a weekday outage - which, by the way, weekdays are busy for us - is not really "leaving a message". None of the online staff even knew what was going on until after the fact.
I get that you're traveling and it's difficult to schedule stuff, but taking an active forum offline with no warning is not good. Maybe this is something that should have waited until after your trip so that it could have been planned appropriately.
-
They all work for me
-
They all work for me
As they, eventually, do for me.
I'm not sure what the 'advantage' being highlighted is.
The fact that 99% of them don't show until they've all loaded where the previous behaviour was seeing them show as/when they were delivered? Not seeing it...
-
curl https://what.thedailywtf.com >/dev/null && echo TEST PASS || echo TEST FAIL
accalia_de_elementia@sockdrawer:~/workspace $ curl https://what.thedailywtf.com >/dev/null && echo TEST PASS || echo TEST FAIL
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 23856    0 23856    0     0  91582      0 --:--:-- --:--:-- --:--:-- 91753
TEST PASS
accalia_de_elementia@sockdrawer:~/workspace $
huzzzar! it are working!
-
Could be a proximity thing since we aren't(?) using a CDN.
-
... Guessing it's the nginx ratelimits coming back to bite. The browser is issuing all the image requests at the same time because it thinks it can, and nginx is rate-limiting them.
-
Also, the chrome ssl icon is still yellow.
Message: your connection to this site is private, but someone on the network might be able to change the look of the page.
Non ssl'd css methinks. (on mobile can't easily check myself)
-
I'm thinking non-ssl externally hosted image (http://i.imgur.com/FMwvgtH.jpg, according to firefox's media list).
Could be the CSS too; this list doesn't show it.
-
Just used HTTPS Everywhere to analyse the page; it's only the imgur image that's causing it
-
Just used HTTPS Everywhere to analyse the page; it's only the imgur image that's causing it
Chrome dev tools says the same: "Mixed Content: The page at 'https://what.thedailywtf.com/t/attack-of-the-cooties/49324/94' was loaded over HTTPS, but requested an insecure image 'http://i.imgur.com/FMwvgtH.jpg'. This content should also be served over HTTPS."
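An added sketch (not from the thread) of the check the browser tools performed here: it lists http:// subresources in a page and labels them passive (media, which the browser still loads but flags, as Chrome did above) or active (scripts, stylesheets and frames, which browsers block). The sample markup and hostnames are constructed, and tags are assumed to sit on one line with lowercase attribute names.

```bash
#!/usr/bin/env bash
# Added example: find mixed content in HTML that was served over HTTPS.

# Constructed sample page (not the forum's real markup).
sample_page() {
cat <<'EOF'
<link rel="stylesheet" href="https://forum.example/app.css">
<script src="https://forum.example/app.js"></script>
<a href="http://plain.example/thread">old link</a>
<img class="avatar" src="https://forum.example/avatar/1.png">
<img src="http://img.example/cootie.jpg" alt="cootie">
<script src="http://cdn.example/widget.js"></script>
EOF
}

# Read HTML on stdin, print "<kind> <url>" for each http:// subresource.
# Plain <a href> links are navigation, not subresources, so they are skipped.
mixed_content() {
  grep -oiE '<(img|audio|video|source|script|iframe|link)[[:space:]][^>]*>' |
  while IFS= read -r tag; do
    # Pull out an http: (not https:) URL from the tag's src or href attribute.
    url=$(printf '%s\n' "$tag" |
      sed -nE "s/.*[[:space:]](src|href)=[\"']?(http:[^\"' >]+).*/\2/p")
    [ -n "$url" ] || continue
    lower=$(printf '%s' "$tag" | tr 'A-Z' 'a-z')
    case $lower in
      '<img'*|'<audio'*|'<video'*|'<source'*) kind=passive ;;
      '<link'*)
        # Only stylesheet links are fetched and applied to the page.
        case $lower in *stylesheet*) kind=active ;; *) continue ;; esac ;;
      *) kind=active ;;
    esac
    echo "$kind $url"
  done
}

sample_page | mixed_content
```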
-
I hear @accalia got a new license plate: IMACootie2.