From: Mark Felder
To: Ian Smith
Cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Date: Mon, 18 May 2015 08:42:54 -0500

On Mon, May 18, 2015, at 02:05, Ian Smith wrote:
>
> > The danger is decryption. Your username/password could be stolen if
> > someone captures your traffic after successfully initiating a downgrade
> > attack.
>
> So the danger is only to myself, from some MITM, and not to the server?
> And despite the forum cert setup shown at
> https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org :
>
> Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more
> info)
>
> which refers to RFC 7507, https://datatracker.ietf.org/doc/rfc7507/
> which I've read, are we not trusting that mechanism to prevent some
> successful initiation of a downgrade attack - which I rather imprecisely
> called "with fallback from later levels denied" above?
>

This is irrelevant to this conversation. With TLS_FALLBACK_SCSV, those with strong crypto keep strong crypto. Those with weak crypto are _still_ vulnerable to their traffic being decrypted. This new mechanism does not magically make their weak crypto more secure.

>
> > Microsoft has nothing to do with this. They're setting a good example.
>
> Alright, the leopard has changed its spots; wonders will never cease.
>

Troll detected.
If by now in your adult life you haven't recognized that you need to use the right tool for the right job -- whether that be Windows, OSX, Linux, FreeBSD, OpenBSD, NetBSD, DragonflyBSD, SmartOS, Illumos, Solaris, etc etc etc -- I can't help you. It might surprise you that some FreeBSD developers use Windows as their daily OS. Many use OSX.

>
> Other forums I use allow http connections, read only, only requiring
> switching to https for login and thus posting, which is fair enough,
> and I have almost always only read a few forum posts, but see below ..
>

I agree that would be reasonable, but I am not involved in the forum administration -- or cluster, for that matter.

>
> > Actually, that might be the reason -- Google search results. Perhaps
> > Google is also logging what protocols/ciphers your HTTPS has and is
> > using that in search rankings.
>
> You're seriously suggesting that the FreeBSD project should set security
> policies to favour higher rankings from an advertising company?
>

If people can't search Google and find results on the first page they're going to be very, very discouraged from even trying it out.

I don't think I can provide any further information about what's going on here, but I hope that I've answered some questions about why this isn't such a terrible idea. Feel free to file a bug report if you would like this followed up by those who have control over these decisions.

https://bugs.freebsd.org/bugzilla/enter_bug.cgi?product=Services
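
The TLS_FALLBACK_SCSV point made in the reply above, as an added example that is not part of the original message: a small Python model of the RFC 7507 server-side check, showing which clients it protects. The function names, the sample cipher-suite offer and the version sets are assumptions made for illustration.

```python
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86       # fatal alert defined by RFC 7507
PROTOCOL_VERSION = 70             # fatal alert: no mutually supported version
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)   # wire versions


def server_decide(server_versions, hello_version, cipher_suites):
    """Return ("alert", n) or ("negotiate", version) for one ClientHello."""
    server_max = max(server_versions)
    if TLS_FALLBACK_SCSV in cipher_suites and server_max > hello_version:
        # The client signals a retry below its real maximum although the
        # server supports something higher: the fallback was not needed.
        return ("alert", INAPPROPRIATE_FALLBACK)
    usable = [v for v in server_versions if v <= hello_version]
    if not usable:
        return ("alert", PROTOCOL_VERSION)
    return ("negotiate", max(usable))


def client_hello(client_max, attempt_version, suites):
    """Build (version, suites); the SCSV is added only on a fallback retry."""
    suites = list(suites)
    if attempt_version < client_max:
        suites.append(TLS_FALLBACK_SCSV)
    return attempt_version, suites


def scenarios(server_versions=(SSL3, TLS10, TLS11, TLS12)):
    """Run three constructed clients against one server configuration."""
    suites = [0xC030, 0x002F]     # constructed sample cipher-suite offer
    return {
        # Modern client, first attempt at its real maximum.
        "modern_direct": server_decide(
            server_versions, *client_hello(TLS12, TLS12, suites)),
        # Modern client pushed into an SSL 3.0 retry by on-path interference.
        "modern_forced_down": server_decide(
            server_versions, *client_hello(TLS12, SSL3, suites)),
        # Client whose real maximum is SSL 3.0: no SCSV is sent, so the
        # server has nothing to detect and negotiates the weak protocol.
        "legacy_client": server_decide(
            server_versions, *client_hello(SSL3, SSL3, suites)),
    }
```

Calling `scenarios((TLS10, TLS11, TLS12))` models a server that no longer offers SSL 3.0: the legacy client then receives a `protocol_version` alert instead of a weak session.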