From owner-freebsd-security@FreeBSD.ORG Fri May 15 12:51:43 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 96B9B5D4 for ; Fri, 15 May 2015 12:51:43 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6805717CB for ; Fri, 15 May 2015 12:51:43 +0000 (UTC) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 4093120AF2 for ; Fri, 15 May 2015 08:51:34 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Fri, 15 May 2015 08:51:34 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=tKvsWNdwF2RuRM+ TGHE2m7G34GQ=; b=byljsrmYqXpRZz5vT/OqdDgy4uIBbY+lidFqzxVki0zDKmF 71PVOnRH3+auRNn2lNhh6jjnLLQvkRsT7HJBiv9IEBGnfDkywqcgotLNJ0FW6PYy tHipBZByMPOiY8zNVA9t+MhDTHZgs1xuGd3d5pTg28/e7Rui7MBR475dDe5k= Received: by web3.nyi.internal (Postfix, from userid 99) id 18BB7105F4E; Fri, 15 May 2015 08:51:34 -0400 (EDT) Message-Id: <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> X-Sasl-Enc: Ca4jJcNlE669j+DCvFoQq8IMjwJDOwCELMagpesVSIN9 1431694294 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-e7ca9928 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Fri, 15 May 2015 07:51:34 -0500 In-Reply-To: <20150515173820.M69409@sola.nimnet.asn.au> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> <20150515173820.M69409@sola.nimnet.asn.au> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2015 12:51:43 -0000 On Fri, May 15, 2015, at 03:07, Ian Smith wrote: > On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote: > > Hello > > > > >> But I don't think disable TLS 1.0 is ok. > > >> > > > > > > TLS 1.0 is dead and is even now banned in new installations according to > > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > > > by *any* HTTPS site now. > > > > Maybe is dead but is used in many old browser / software still used. > > > > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 to 30 June 2016. > > (new installations "in theory" should not be built on TLS 1.0). > > > > So we have 1 year and FreeBSD forum is not e-commerce site ;) > > People seem determined to make sure freebsd forums are one of the first > sites to ban TLS 1.0, as some sort of best-practice example. > > I admit my knowledge of TLS issues is scant. I'd like to know whether > allowing TLS 1.0 - with fallback from later levels denied, as it already > is - endangers the server, or only the client? If there's a clearly > stated and immediate danger to the forum server, I can accept that, but > I'd have thought https://www and svnweb would be more at such peril? > Will there be any notice before they're denied TLS 1.0 access also? > The danger is decryption. Your username/password could be stolen if someone captures your traffic after successfully initiating a downgrade attack. You can't login to www.freebsd.org or svnweb. The most they can do is see what you're browsing, which isn't private anyway. > If it's just for making the sort of point that Mark is advocating, to > force people to join this 'rolling automatic update' model so beloved of > Microsoft and their captive hardware vendors, then I think doing that, > without any sort of prior notice, is rather less than I've come to > expect from the FreeBSD project over 17 years. > > But I'm a grandpa too; guess I have old-fashioned expectations :) > Microsoft has nothing to do with this. They're setting a good example. OSX is sort-of on that train too. FreeBSD has always been ahead of the curve with the ports tree being a rolling-release model. We need the Linux distros to get their heads on straight now, too. Just a reminder: I don't speak for the project in these matters. I'm just telling you what best current practices are. I have no idea who made that decision for the forums, or if it's even worth having the forums on https anyway. If it was up to me I probably wouldn't even put https on the forums even though Google will penalize it in search results. (Sure, you have a user account there... but it doesn't really do anything... you're not using the same credentials everywhere are you?) Actually, that might be the reason -- Google search results. Perhaps Google is also logging what protocols/ciphers your HTTPS has and is using that in search rankings.