Date: Mon, 18 May 2015 17:05:13 +1000 (EST) From: Ian Smith <smithi@nimnet.asn.au> To: Mark Felder <feld@freebsd.org> Cc: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? Message-ID: <20150516190047.R69409@sola.nimnet.asn.au> In-Reply-To: <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com> References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net> <20150515173820.M69409@sola.nimnet.asn.au> <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com>
index | next in thread | previous in thread | raw e-mail
On Fri, 15 May 2015 07:51:34 -0500, Mark Felder wrote: > On Fri, May 15, 2015, at 03:07, Ian Smith wrote: > > On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote: > > > Hello > > > > > > >> But I don't think disable TLS 1.0 is ok. > > > >> > > > > > > > > TLS 1.0 is dead and is even now banned in new installations according to > > > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported > > > > by *any* HTTPS site now. > > > > > > Maybe is dead but is used in many old browser / software still used. > > > > > > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 to 30 June 2016. > > > (new installations "in theory" should not be built on TLS 1.0). > > > > > > So we have 1 year and FreeBSD forum is not e-commerce site ;) > > > > People seem determined to make sure freebsd forums are one of the first > > sites to ban TLS 1.0, as some sort of best-practice example. > > > > I admit my knowledge of TLS issues is scant. I'd like to know whether > > allowing TLS 1.0 - with fallback from later levels denied, as it already > > is - endangers the server, or only the client? If there's a clearly > > stated and immediate danger to the forum server, I can accept that, but > > I'd have thought https://www and svnweb would be more at such peril? > > Will there be any notice before they're denied TLS 1.0 access also? > The danger is decryption. Your username/password could be stolen if > someone captures your traffic after successfully initiating a downgrade > attack. So the danger is only to myself, from some MITM, and not to the server? And despite the forum cert setup shown at https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org : Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more info) which refers to RFC 7507, https://datatracker.ietf.org/doc/rfc7507/ which I've read, are we not trusting that mechanisn to prevent some successful initiation of a downgrade attack - which I rather imprecisely called "with fallback from later levels denied" above? > You can't login to www.freebsd.org or svnweb. The most they can do is > see what you're browsing, which isn't private anyway. Alright. > > If it's just for making the sort of point that Mark is advocating, to > > force people to join this 'rolling automatic update' model so beloved of > > Microsoft and their captive hardware vendors, then I think doing that, > > without any sort of prior notice, is rather less than I've come to > > expect from the FreeBSD project over 17 years. > > > > But I'm a grandpa too; guess I have old-fashioned expectations :) > Microsoft has nothing to do with this. They're setting a good example. Alright, the leopard has changed its spots; wonders will never cease. > OSX is sort-of on that train too. FreeBSD has always been ahead of the > curve with the ports tree being a rolling-release model. We need the > Linux distros to get their heads on straight now, too. The latter should be simple enough :) > Just a reminder: I don't speak for the project in these matters. I'm > just telling you what best current practices are. I have no idea who > made that decision for the forums, or if it's even worth having the > forums on https anyway. Other forums I use allow http connections, read only, only requiring switching to https for login and thus posting, which is fair enough, and I have almost always only read a few forum posts, but see below .. Noone has yet seen fit to even comment on the matter of no prior notice; there is usually at least some heads-up warning, 'better upgrade now', before access is denied to some FreeBSD service from older browsers. > If it was up to me I probably wouldn't even put > https on the forums even though Google will penalize it in search > results. (Sure, you have a user account there... but it doesn't really > do anything... you're not using the same credentials everywhere are > you?) Of course not. And I just checked, being unsure I'd ever posted there, to find my password server-allocated anyway, so I must have posted once. > Actually, that might be the reason -- Google search results. Perhaps > Google is also logging what protocols/ciphers your HTTPS has and is > using that in search rankings. You're seriously suggesting that the FreeBSD project should set security policies to favour higher rankings from an advertising company? cheers, Ianhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150516190047.R69409>