
Re: [MirageOS-devel] TLS deployments/feedback needed



On 20 May 2015 at 14:40, Amir Chaudhry <amc79@xxxxxxxxx> wrote:
> Hi folks,
>
> The TLS work is proceeding well and you might have noticed that
> https://mirage.io is working, which is using the TLS stack.  Since we're on
> the brink of doing some releases, it's important that we get a few more
> actual deployments out there to gather more feedback and highlight any issues.
>
> I'm inviting folks on this list to try out OCaml-TLS with some of the things
> they've already built.  Specifically, I'm wondering if:
>
> Thomas Leonard - Would you (have you already) got the new stuff working with
> your REST service?  How about Cuekeeper?

Actually, I just got CueKeeper working with the new TLS stuff today.
It's on my experimental "server" branch:

  https://github.com/talex5/cuekeeper/tree/server

The README explains how to generate a self-signed certificate and add
it to your browser.

However, CueKeeper+server has many missing pieces at the moment:

- You have to click the Sync button every time you want to sync. It
doesn't do it automatically.

- There's no access control. Anyone can connect to your server (over
TLS) and read/modify anything :-)

- There's no certificate pinning, so anyone with a certificate from a
rogue CA can impersonate your service.

- The server doesn't persist the data on reboot (it will resync from
the client instead). However, it's still useful to sync between
devices.

If it works for anyone else, let me know! You might have to pin
conduit to get the new tls to install. See the travis.yml for the
appropriate pins.

> Mindy Preston - Would you be up for trying this out on your static website (i.e.
> run https://somerandomidiot.com)?
>
> Mort - As for Mindy, would you be able to set up https://mort.io?
>
> In fact, *anyone* running a static website could probably have a go at this
> with minimal risk.  Until recently, it's only been deployed on the Pinata and
> the TLS handshake site.  Although it's worked well, and been stable, for
> those sites, we should try to make sure it's working well when others try it
> out.

Note that Thomas Gazagnaire has made a very nice tool for turning
static web-sites into TLS-enabled unikernels automatically:

  https://github.com/samoht/mirage-seal


-- 
Dr Thomas Leonard        http://roscidus.com/blog/
GPG: DA98 25AE CAD0 8975 7CDA  BD8E 0713 3F96 CA74 D8BA
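The "no certificate pinning" gap in the list above is worth seeing end to end: with a
self-signed certificate added to the client's trust store (as the CueKeeper README has you
do), ordinary chain validation passes, but so does a certificate for the same name from any
other CA the client happens to trust. The following is an added example, not code from
CueKeeper, ocaml-tls or mirage-seal. It uses Python's stdlib ssl module and assumes the
`openssl` CLI is on PATH (used only to mint two throwaway self-signed certificates);
HOST, NAME, the file labels and the PinMismatch exception are this example's own choices.
It pins the SHA-256 of the whole leaf certificate; pinning the SubjectPublicKeyInfo instead
survives re-issuance with the same key but needs an ASN.1 parser the stdlib does not have.

```python
"""Certificate pinning layered on normal TLS chain validation (added example)."""
import hashlib
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"   # loopback only; each server below accepts a single client
NAME = "localhost"   # the name both certificates are issued for (assumed)


class PinMismatch(Exception):
    """Chain validation passed, but the leaf is not one we pinned."""


def make_self_signed(directory, label):
    """Mint a self-signed cert/key pair for NAME with the openssl CLI (assumed on PATH)."""
    cert = os.path.join(directory, label + ".pem")
    key = os.path.join(directory, label + ".key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=" + NAME, "-addext", "subjectAltName=DNS:" + NAME],
        check=True, capture_output=True)
    return cert, key


def cert_fingerprint(der):
    """SHA-256 over the DER leaf certificate: the value a client would pin."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(path):
    with open(path) as f:
        return cert_fingerprint(ssl.PEM_cert_to_DER_cert(f.read()))


def start_server(cert, key):
    """Serve one TLS connection with the given cert from a background thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)

    def run():
        try:
            conn, _ = listener.accept()
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)   # returns b"" (or errors) once the client hangs up
        except OSError:       # ssl.SSLError is an OSError; a client that bails is expected
            pass
        finally:
            listener.close()

    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1]


def connect_pinned(port, trust_store, pins):
    """Ordinary validation against trust_store, then the pin check on the leaf.

    pins=None reproduces the unpinned client the post describes: any certificate
    a trusted CA issues for NAME is accepted.
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    for ca in trust_store:
        ctx.load_verify_locations(cafile=ca)
    with socket.create_connection((HOST, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=NAME) as tls:
            seen = cert_fingerprint(tls.getpeercert(binary_form=True))
            if pins is not None and seen not in pins:
                raise PinMismatch(seen)  # the chain was fine; the key was not ours
            return seen


def demo():
    """Genuine server vs impostor, with and without pinning."""
    with tempfile.TemporaryDirectory() as d:
        good_cert, good_key = make_self_signed(d, "good")
        rogue_cert, rogue_key = make_self_signed(d, "rogue")  # same name, other key
        trust = [good_cert, rogue_cert]  # the client also trusts the "rogue CA"
        pins = {pem_fingerprint(good_cert)}
        results = {}
        port = start_server(good_cert, good_key)
        results["genuine_accepted"] = connect_pinned(port, trust, pins) in pins
        port = start_server(rogue_cert, rogue_key)
        try:
            connect_pinned(port, trust, pins)
            results["impostor_rejected"] = False
        except PinMismatch:
            results["impostor_rejected"] = True
        port = start_server(rogue_cert, rogue_key)
        results["impostor_accepted_without_pins"] = (
            connect_pinned(port, trust, None) == pem_fingerprint(rogue_cert))
        return results


if __name__ == "__main__":
    print(demo())
```

Running it shows the three outcomes: the genuine server is accepted, the impostor is
rejected only when the pin check runs, and the unpinned client (the current CueKeeper
state) accepts the impostor because chain validation alone has nothing to complain about.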

_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel

 

