Date: Mon, 18 May 2015 08:42:54 -0500
From: Mark Felder <feld@FreeBSD.org>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <1431956574.2820539.271626745.23D563FC@webmail.messagingengine.com>
In-Reply-To: <20150516190047.R69409@sola.nimnet.asn.au>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com>
 <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com>
 <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net>
 <20150514193706.V69409@sola.nimnet.asn.au>
 <555476CB.2010005@ivpro.net>
 <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com>
 <5554C025.9090903@ivpro.net>
 <20150515173820.M69409@sola.nimnet.asn.au>
 <1431694294.3518862.269597633.213CD919@webmail.messagingengine.com>
 <20150516190047.R69409@sola.nimnet.asn.au>

On Mon, May 18, 2015, at 02:05, Ian Smith wrote:
>
> > The danger is decryption. Your username/password could be stolen if
> > someone captures your traffic after successfully initiating a downgrade
> > attack.
>
> So the danger is only to myself, from some MITM, and not to the server?
> And despite the forum cert setup shown at
> https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org :
>
> Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more
> info)
>
> which refers to RFC 7507, https://datatracker.ietf.org/doc/rfc7507/
> which I've read, are we not trusting that mechanism to prevent some
> successful initiation of a downgrade attack - which I rather imprecisely
> called "with fallback from later levels denied" above?
>

This is irrelevant to this conversation. With TLS_FALLBACK_SCSV, those with
strong crypto keep strong crypto. Those with weak crypto are _still_
vulnerable to their traffic being decrypted. This new mechanism does not
magically make their weak crypto more secure.

>
> > Microsoft has nothing to do with this. They're setting a good example.
>
> Alright, the leopard has changed its spots; wonders will never cease.
>

Troll detected. If by now in your adult life you haven't recognized that
you need to use the right tool for the right job -- whether that be
Windows, OSX, Linux, FreeBSD, OpenBSD, NetBSD, DragonflyBSD, SmartOS,
Illumos, Solaris, etc etc etc -- I can't help you. It might surprise you
that some FreeBSD developers use Windows as their daily OS. Many use OSX.

>
> Other forums I use allow http connections, read only, only requiring
> switching to https for login and thus posting, which is fair enough,
> and I have almost always only read a few forum posts, but see below ..
>

I agree that would be reasonable, but I am not involved in the forum
administration -- or cluster, for that matter.

>
> > Actually, that might be the reason -- Google search results. Perhaps
> > Google is also logging what protocols/ciphers your HTTPS has and is
> > using that in search rankings.
>
> You're seriously suggesting that the FreeBSD project should set security
> policies to favour higher rankings from an advertising company?
>

If people can't search Google and find results on the first page they're
going to be very, very discouraged from even trying it out.

I don't think I can provide any further information about what's going
on here, but I hope that I've answered some questions about why this
isn't such a terrible idea. Feel free to file a bug report if you would
like this followed up by those who have control over these decisions.

https://bugs.freebsd.org/bugzilla/enter_bug.cgi?product=Services
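
The RFC 7507 check discussed in this message, as an added Python illustration that is not part of the original e-mail and not the forum's configuration: it models the server-side TLS_FALLBACK_SCSV rule and shows that a client whose real maximum is a weak version never sends the SCSV and still negotiates that weak version. The server version list, the sample cipher suites and the helper names (`client_hello`, `server_select`, `negotiate`) are assumptions made for the example.

```python
# Added illustration of the RFC 7507 server check; not code from the thread.
TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value {0x56, 0x00}
INAPPROPRIATE_FALLBACK = 86      # fatal alert defined by RFC 7507
PROTOCOL_VERSION = 70            # fatal alert: no mutually supported version

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)  # wire versions

# Assumption: a hypothetical server that still accepts every version.
SERVER_VERSIONS = [SSL3, TLS10, TLS11, TLS12]
# Constructed sample suites: ECDHE-RSA-AES128-GCM-SHA256, RSA-3DES-EDE-CBC-SHA.
BASE_SUITES = [0xC02F, 0x000A]


def client_hello(client_max, offered):
    """Client side: add the SCSV only when offering less than its real maximum."""
    suites = list(BASE_SUITES)
    if offered < client_max:
        suites.append(TLS_FALLBACK_SCSV)
    return offered, suites


def server_select(client_version, suites, server_versions=SERVER_VERSIONS):
    """Server side: reject unnecessary fallbacks, else pick the best shared version."""
    if TLS_FALLBACK_SCSV in suites and max(server_versions) > client_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    usable = [v for v in server_versions if v <= client_version]
    if not usable:
        return ("alert", PROTOCOL_VERSION)
    return ("ok", max(usable))


def negotiate(client_max, offered):
    """Run one ClientHello from a client whose true maximum is client_max."""
    return server_select(*client_hello(client_max, offered))


if __name__ == "__main__":
    # Modern client pushed down to SSLv3 by interference: the server aborts.
    print(negotiate(TLS12, SSL3))
    # Client whose real maximum is SSLv3: no SCSV is sent, SSLv3 is negotiated.
    print(negotiate(SSL3, SSL3))
    # Modern client with no interference keeps its strongest version.
    print(negotiate(TLS12, TLS12))
```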