Grex Oldcoop Conference

Item 239: Should port 443 (https) be open for outbound connections?

Entered by gelinas on Sun Jan 30 20:56:42 2005:

It is the policy of Cyberspace Communications, Incorporated, to not let
unauthenticated (in practice, non-member) users loose on the greater
Internet.  To that end, most outbound connections are blocked.  The open
outbound ports are:

        Port Number     Protocol        Use
        43              TCP             whois
        53              TCP,UDP         DNS
        70              TCP             gopher  #obsolete, but still open
        79              TCP             finger
        80              TCP             world-wide web, http
        113             TCP             ident
        517             UDP             talk
        518             UDP             ntalk

Recently, the staff has received requests to allow outbound access to https,
TCP port 443.  Should this port be opened to all users, or should it remain
available only to members?

To facilitate a decision after discussion, I offer the following proposal to
the membership:

Resolved:  Outbound Secure HTTP shall be added to the list of services which
           are restricted to VERIFIED GREX MEMBERS in good standing.  The TCP
           port 443 will otherwise be closed.
56 responses total.
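For readers who want to see how an outbound allowlist with a member-only exception like the one described in this item can be expressed on an OpenBSD host, here is an added pf.conf example; it is not Grex's actual ruleset, and the interface name fxp0 and the Unix group "members" are assumptions. pf's group matching applies only to connections that originate on the host running pf, which fits users running lynx on grex itself.

```pf
# Added example, not Grex's ruleset: block outbound connections from
# local users by default, allow only the ports in the item's table,
# and restrict https (TCP 443) to the hypothetical "members" group.
ext_if = "fxp0"                             # assumed external interface
open_tcp = "{ 43, 53, 70, 79, 80, 113 }"    # whois, DNS, gopher, finger, http, ident
open_udp = "{ 53, 517, 518 }"               # DNS, talk, ntalk

# Default deny for everything leaving the box; log it so blocked
# attempts show up in pflog for review.
block out log on $ext_if all

# Ports open to every account, matching the table in the item.
pass out on $ext_if proto tcp from $ext_if to any port $open_tcp keep state
pass out on $ext_if proto udp from $ext_if to any port $open_udp keep state

# https only for processes whose socket is owned by the "members" group;
# any other local user hits the default block rule above.
pass out on $ext_if proto tcp from $ext_if to any port 443 group members keep state
```

Dropping `group members` from the last rule is the one-line change that opens 443 to everyone, which is what the thread eventually settles on.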

#1 of 56 by naftee on Sun Jan 30 21:27:45 2005:

I vote no.


#2 of 56 by cross on Sun Jan 30 21:29:52 2005:

I vote yes.


#3 of 56 by dpc on Sun Jan 30 22:25:25 2005:

I vote yes.


#4 of 56 by naftee on Sun Jan 30 22:29:00 2005:

Wait!  Don't you guys have to endorse this pro-(more like against)-posal
before you can vote on it?


#5 of 56 by jep on Mon Jan 31 02:21:04 2005:

Why should or shouldn't it be allowed?  This would just allow outbound 
access to some WWW sites, right?  Grexers could use lynx to connect to 
M-Net, their bank, eBay, and many other sites which use authentication.


#6 of 56 by keesan on Mon Jan 31 04:21:22 2005:

Could such access be restricted only to dial-in users, since anyone else who
is telnetting to grex ought to have some other way to access https sites, or
is there some advantage (such as a faster connection) to doing it from grex?
My bank website won't work with any of the grex browsers, in fact even with
Opera it shows up as a blank page.  Lynx at least provides a few words.
Do you need https to use backtalk?


#7 of 56 by scholar on Mon Jan 31 04:51:26 2005:

First of all, this proposal needs to be endorsed BEFORE votes are made. 
That's the way the by-laws work, as naftee correctly pointed out.

Second of all, https is already open.


#8 of 56 by naftee on Mon Jan 31 05:10:27 2005:

What!  I can't make outgoing https connections from GreX.


#9 of 56 by scholar on Mon Jan 31 14:18:14 2005:

Sure you can!

Everyone can!


#10 of 56 by janc on Mon Jan 31 17:02:06 2005:

If I had noticed that https wasn't open, then I would have opened it, without
ever having thought of raising the question for public discussion.  I mean
if "http" is allowed, why would we not want to allow "https" as well?

The current policy was (kind of) set by a member vote, however, so maybe
changes in it need to be set by member vote.  Here's the (rather quaint)
previous vote from 1994:

   http://www.grex.org/grexdoc/archives/votes/vote02

You'll notice that it doesn't refer to "http" at all, but to "lynx".  Well,
"lynx" these days does https as well as http.  Note that "outgoing lynx" is
supposed to be restricted to members, but there is language suggesting that
that can be loosened, which I guess it was at some point or another.  On the
whole, I don't see that previous policy binds us so tightly that we need to
have a member vote to add "https" service.  We should just add it and get on
with life.


#11 of 56 by keesan on Mon Jan 31 18:52:55 2005:

Before taking the time to open https to non-members, could someone please get
lynx working again first? 


#12 of 56 by scholar on Mon Jan 31 20:04:13 2005:

(https is already open to non-members.)


#13 of 56 by naftee on Mon Jan 31 21:27:19 2005:

Lynx is UNLUCKY


#14 of 56 by cross on Tue Feb 1 00:59:40 2005:

I vote yes to what Jan proposed.

I only vote in a metaphorical sense, anyway.


#15 of 56 by janc on Tue Feb 1 04:28:26 2005:

I think lynx broke because we moved Grex but not the proxy.  Gryps is the
proxy server and also the tftp server for the terminal servers.  I think we
left it at the pumpkin so it could be near the terminal servers.  Might have
been the wrong choice.  We didn't think it over very hard.  Probably the thing
to do is to get the phone lines moved to provide.net, so that gryps and the
terminal server can both move there too.


#16 of 56 by cross on Tue Feb 1 05:04:42 2005:

Why do we need the terminal server if we only have two modems, again?


#17 of 56 by janc on Tue Feb 1 15:29:28 2005:

Habit.  Do we have two serial ports?


#18 of 56 by scholar on Tue Feb 1 15:49:34 2005:

Whoa.

Hey, folks!

I ate some delicious breakfast!

And now I want to go to class!

But first I have to wait till class starts!


#19 of 56 by naftee on Tue Feb 1 21:23:56 2005:

Whoa!  I never eat breakfast!


#20 of 56 by cross on Wed Feb 2 01:40:56 2005:

I'm not sure if we have two serial ports, but if we have two USB ports,
we can plug in USB to Serial converters that will do the trick quite
nicely indeed.  I'd say that'd be a better general solution than a terminal
server; why make things more complicated than they need to be?


#21 of 56 by keesan on Wed Feb 2 01:49:59 2005:

Are there slots where you can add serial ports?  


#22 of 56 by janc on Wed Feb 2 05:13:22 2005:

There are a bunch of USB ports on the machine.  I'm not sure how many of them
I configured into the kernel, or what the state of OpenBSD USB support is.


#23 of 56 by remmers on Wed Feb 2 13:33:25 2005:

(Just catching up on this conference after a couple days' absence...)

I agree with Jan - open https is consistent with previously enacted
policy.  So in the absence of any policy change, I think it should be
open and that this doesn't require a member vote.

Offhand I don't see a reason to close https if http is open.  What would
be the reasons for doing so?

(Voteadm note:  As noted previously, under the current bylaws 10% of the
members must endorse bringing it to a vote.  So if you feel this should
be voted on, you should explicitly indicate that you "endorse" moving it
to a vote rather than indicating how you'd vote on it.)


#24 of 56 by albaugh on Wed Feb 2 18:50:50 2005:

I'll add my support for bringing this to a vote, should it be deemed necessary
in the end.


#25 of 56 by gelinas on Wed Feb 2 21:54:25 2005:

I tend to err on the conversative side.  Since no one else has a problem with
opening https, I've done it.

If it turns out to be a problem later, we can always close it again. :)


#26 of 56 by twenex on Thu Feb 3 00:18:09 2005:

Hmm. /Conversative/ side?


#27 of 56 by scholar on Thu Feb 3 00:39:52 2005:

http://www./conservative/sideforjesus.org/


#28 of 56 by keesan on Thu Feb 3 04:54:52 2005:

Is lynx working again yet?


#29 of 56 by gelinas on Thu Feb 3 05:03:09 2005:

Yes, it is.


#30 of 56 by scholar on Thu Feb 3 13:40:55 2005:

Thanks, Joe!


#31 of 56 by naftee on Thu Feb 3 18:11:06 2005:

Thanks jOE!


#32 of 56 by saw on Thu Feb 3 20:59:11 2005:

I'll endorse the vote, also.  (If it comes to that.)

As far as Lynx, it appeared to still be trying to connect to the
proxy.  I sent email to staff about it a few days ago.  Don't know
if that or the posts here got it fixed, but doesn't matter... at least
it works now. :)

The only implication I see with port 443 is users who telnet in (i.e.
an insecure connection method) and proceed to use SSL-enabled sites
(which are supposed to be secure.)  Any information they put in can
still be seen via the telnet side of the link.  However, I don't know
that it's Grex's responsibility to prevent someone from shooting
themselves in the foot this way or not.  The user should know better.


#33 of 56 by gelinas on Fri Feb 4 04:07:00 2005:

I commented out the proxy stuff in /etc/lynx.cfg last night.


#34 of 56 by saw on Fri Feb 4 14:36:41 2005:

Thanks. :)


#35 of 56 by scholar on Fri Feb 4 15:15:16 2005:

You're welcome. :)


#36 of 56 by naftee on Fri Feb 4 15:50:51 2005:

 :)


#37 of 56 by scholar on Fri Feb 4 17:47:54 2005:

 :)


#38 of 56 by saw on Tue Feb 8 16:31:09 2005:

 :)


#39 of 56 by naftee on Tue Feb 8 18:29:21 2005:

 :)


#40 of 56 by scholar on Tue Feb 8 19:18:28 2005:

 :)


#41 of 56 by naftee on Wed Feb 9 01:14:45 2005:

 :)


#42 of 56 by scholar on Wed Feb 9 21:14:44 2005:

 :)


#43 of 56 by naftee on Wed Feb 9 21:44:53 2005:

 :)


#44 of 56 by scholar on Thu Feb 10 20:08:02 2005:

 :)


#45 of 56 by naftee on Fri Feb 11 01:39:34 2005:

 :)


#46 of 56 by scholar on Fri Feb 11 14:58:11 2005:

 :)


#47 of 56 by naftee on Fri Feb 11 19:57:01 2005:

 :)


#48 of 56 by scholar on Fri Feb 11 21:51:11 2005:

 :)


#49 of 56 by naftee on Sat Feb 12 00:06:33 2005:

 :)


#50 of 56 by scholar on Sat Feb 12 05:25:24 2005:

 :)


#51 of 56 by happyboy on Sat Feb 12 08:14:08 2005:

:)


#52 of 56 by devnull on Sat Feb 12 14:54:08 2005:

I've heard that at least one flavor of USB<->RS-232 widget does not work
reliably under NetBSD even though it sort of seems to work, and I have
another flavor of such a widget that doesn't work under NetBSD at all.
It seems likely that the quality of support for these devices under OpenBSD
would be similar.

That said, there may be one or a few models that work reliably as long as
a lot of care is exercised in choosing the right one.

/var/run/dmesg.boot claims there are two serial ports on grex:

pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

It would be unsurprising, though, if one of these goes to a header on the
motherboard which isn't connected to anything.

The other question is what people are planning to do if a PC Weasel card is
acquired, etc.  Oftentimes it is desirable to use one serial port as
the console line, connected to another computer or terminal server, and then
that serial port would not be available for a modem.  Also, if there is
going to be some sort of terminal server connected to grex's console port,
might it make sense to put the modems on that terminal server too?


#53 of 56 by cross on Sat Feb 12 16:45:33 2005:

Grex has already connected its two modems to the two serial ports in
the machine.  The problems with dialup now seem to lie with flakey phone
connections.


#54 of 56 by gelinas on Sun Feb 13 04:02:00 2005:

Oh.  This is the port 443 item, not the modem item.  Never mind.


#55 of 56 by naftee on Sun Feb 13 08:04:28 2005:

Oh dear :(


#56 of 56 by jesuit on Wed May 17 02:15:25 2006:

TROGG IS DAVID BLAINE

