It is the policy of Cyberspace Communications, Incorporated, to not let
unauthenticated (in practice, non-member) users loose on the greater
Internet. To that end, most outbound connections are blocked. The open
outbound ports are:
Port Number  Protocol  Use
43           TCP       whois
53           TCP,UDP   DNS
70           TCP       gopher #obsolete, but still open
79           TCP       finger
80           TCP       world-wide web, http
113          TCP       ident
517          UDP       talk
518          UDP       ntalk
Recently, the staff has received requests to allow outbound access to https,
TCP port 443. Should this port be opened to all users, or should it remain
available only to members?
To facilitate a decision after discussion, I offer the following proposal to
the membership:
Resolved: Outbound Secure HTTP shall be added to the list of services which
are restricted to VERIFIED GREX MEMBERS in good standing. The TCP
port 443 will otherwise be closed.
56 responses total.
I vote no.
I vote yes.
I vote yes.
Wait! Don't you guys have to endorse this pro-(more like against)-posal before you can vote on it ?
Why should or shouldn't it be allowed? This would just allow outbound access to some WWW sites, right? Grexers could use lynx to connect to M-Net, their bank, eBay, and many other sites which use authentication.
Could such access be restricted only to dial-in users, since anyone else who is telnetting to grex ought to have some other way to access https sites, or is there some advantage (such as a faster connection) to doing it from grex? My bank website won't work with any of the grex browsers, in fact even with Opera it shows up as a blank page. Lynx at least provides a few words. Do you need https to use backtalk?
First of all, this proposal needs to be endorsed BEFORE votes are made. That's the way the by-laws work, as naftee correctly pointed out. Second of all, https is already open.
What! I can't make outgoing https connections from GreX.
Sure you can! Everyone can!
If I had noticed that https wasn't open, then I would have opened it, without ever having thought of raising the question for public discussion. I mean if "http" is allowed, why would we not want to allow "https" as well? The current policy was (kind of) set by a member vote, however, so maybe changes in it need to be set by member vote. Here's the (rather quaint) previous vote from 1994: http://www.grex.org/grexdoc/archives/votes/vote02 You'll notice that it doesn't refer to "http" at all, but to "lynx". Well, "lynx" these days does https as well as http. Note that "outgoing lynx" is supposed to be restricted to members, but there is language suggesting that that can be loosened, which I guess it was at some point or another. On the whole, I don't see that previous policy binds us so tightly that we need to have a member vote to add "https" service. We should just add it and get on with life.
Before taking the time to open https to non-members, could someone please get lynx working again first?
(https is already open to non-members.)
Lynx is UNLUCKY
I vote yes to what Jan proposed. I only vote in a metaphorical sense, anyway.
I think lynx broke because we moved Grex but not the proxy. Gryps is the proxy server and also the tftp server for the terminal servers. I think we left it at the pumpkin so it could be near the terminal servers. Might have been the wrong choice. We didn't think it over very hard. Probably the thing to do is to get the phone lines moved to provide.net, so that gryps and the terminal server can both move there too.
Why do we need the terminal server if we only have two modems, again?
Habit. Do we have two serial ports?
Whoa. Hey, folks! I ate some delicious breakfast! And now I want to go to class! But first I have to wait till class starts!
Whoa! I never eat breakfast !
I'm not sure if we have two serial ports, but if we have two USB ports, we can plug in USB to Serial converters that will do the trick quite nicely indeed. I'd say that'd be a better general solution than a terminal server; why make things more complicated than they need to be?
Are there slots where you can add serial ports?
There are a bunch of USB ports on the machine. I'm not sure how many of them I configured into the kernel, or what the state of OpenBSD USB support is.
(Just catching up on this conference after a couple days' absence...) I agree with Jan - open https is consistent with previously enacted policy. So in the absence of any policy change, I think it should be open and that this doesn't require a member vote. Offhand I don't see a reason to close https if http is open. What would be the reasons for doing so? (Voteadm note: As noted previously, under the current bylaws 10% of the members must endorse bringing it to a vote. So if you feel this should be voted on, you should explicitly indicate that you "endorse" moving it to a vote rather than indicating how you'd vote on it.)
I'll add my support for bringing this to a vote, should it be deemed necessary in the end.
I tend to err on the conversative side. Since no one else has a problem with opening https, I've done it. If it turns out to be a problem later, we can always close it again. :)
Hmm. /Conversative/ side?
http://www./conservative/sideforjesus.org/
Is lynx working again yet?
Yes, it is.
Thanks, Joe!
Thanks jOE!
I'll endorse the vote, also. (If it comes to that.) As far as Lynx, it appeared to still be trying to connect to the proxy. I sent email to staff about it a few days ago. Don't know if that or the posts here got it fixed, but doesn't matter..at least it works now. :) The only implication I see with port 443 is users who telnet in (i.e. an insecure connection method) and proceed to use SSL-enabled sites (which are supposed to be secure.) Any information they put in can still be seen via the telnet side of the link. However, I don't know that it's Grex's responsibility to prevent someone from shooting themselves in the foot this way or not. The user should know better.
I commented out the proxy stuff in /etc/lynx.cfg last night.
Thanks. :)
You're welcome. :)
:)
:)
:)
:)
:)
:)
:)
:)
:)
:)
:)
:)
:)
:)
:)
:)
I've heard that at least one flavor of USB<->RS-232 widget does not work reliably under NetBSD even though it sort of seems to work, and I have another flavor of such a widget that doesn't work under NetBSD at all. It seems likely that the quality of support for these devices under OpenBSD would be similar. That said, there may be one or a few models that work reliably as long as a lot of care is exercised in choosing the right one. /var/run/dmesg.boot claims there are two serial ports on grex:
    pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
    pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
It would be unsurprising, though, if one of these goes to a header on the motherboard which isn't connected to anything. The other question is what people are planning to do if a PC Weasel card is acquired, etc. Oftentimes it is desirable to use one serial port as the console line, connected to another computer or terminal server, and then that serial port would not be available for a modem. Also, if there is going to be some sort of terminal server connected to grex's console port, might it make sense to put the modems on that terminal server too?
Grex has already connected its two modems to the two serial ports in the machine. The problems with dialup now seem to lie with flakey phone connections.
Oh. This is the port 443 item, not the modem item. Never mind.
Oh dear :(
TROGG IS DAVID BLAINE