Closed offsecginger closed 7 years ago
That is a great idea. I haven't thought about implementing SSL on my Mellivora site, but now you bring up that excellent point. Thank you.
R/ Luciano
On May 22, 2017, at 7:25 AM, wayneaswilliams notifications@github.com wrote:
When utilizing mellivora for a CTF, instead of just having select pages with HTTPS, it makes sense to encrypt everyone's connection to the scoring server.
One big note would be when others are submitting flags, they can be intercepted and other teams can submit a flag they stole, rather than earned.
The solution I came up with is full HTTPS with TLSv2.0 support on the scoring server. By modifying the default-ssl.conf file in apache/sites-available/ and setting
Redirect permanent "/" "https://mellivora"
Attached is a potential version to include for HTTPS support. I noticed there is not a lot of documentation on Mellivora for how to set that up, so I am willing to write the guide if it is included in the source.
Attachment: default-ssl.conf.txt
The SSL_COMPAT flag is just a nicety to redirect people to https pages at login, as well as configure cookies to only serve over SSL. If you want SSL on your server, it should be configured and forced in Apache, as you have done. The example config is not meant for production environments and serves as quickstart only.
Previous versions of the example Apache config had SSL redirects, but this was confusing for some people. See https://github.com/Nakiami/mellivora/blob/f47e3e0b05ee14e616222f7e6100464d649e2f0f/install/mellivora.apache.conf
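An added example of the forced-HTTPS Apache setup discussed in this thread (redirect every plain-HTTP request, serve the site only over TLS). It is not the attached default-ssl.conf.txt nor Mellivora's shipped install config; the hostname mellivora, the DocumentRoot and the certificate paths are assumptions or placeholders to be replaced.

```apache
# Added example, not the attachment from this thread and not Mellivora's own
# install/mellivora.apache.conf. Assumed: site served as "mellivora",
# Mellivora checked out under /var/www/mellivora, placeholder cert paths.

# Plain-HTTP vhost: serves nothing, sends every request to HTTPS.
<VirtualHost *:80>
    ServerName mellivora
    # 301 so browsers cache the redirect and no page (or flag submission)
    # is ever answered over HTTP.
    Redirect permanent "/" "https://mellivora/"
</VirtualHost>

# HTTPS vhost: the only place the scoring application is actually served.
<VirtualHost *:443>
    ServerName mellivora
    DocumentRoot /var/www/mellivora/htdocs

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/PLACEHOLDER-mellivora.crt
    SSLCertificateKeyFile /etc/ssl/private/PLACEHOLDER-mellivora.key

    # Negotiate only TLS 1.2 and newer (TLSv1.3 needs Apache 2.4.37+
    # built against OpenSSL 1.1.1+; drop it on older builds).
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on

    # Ask browsers to keep using HTTPS for this host (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /var/www/mellivora/htdocs>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

After enabling mod_ssl and mod_headers and reloading Apache, `curl -I http://mellivora/` should answer with a 301 whose Location header starts with https://, and Mellivora's SSL_COMPAT setting can then be turned on so its session cookies are marked Secure.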