Heartbleed Aftermath

(Page history: revision 8, 2014-04-19 00:32:33, ClintonEbadi: "we can maybe buy a wildcard cert from gandi"; revision 7, 2014-04-18 17:13:33, ClintonEbadi: "navajos is less bad than it seems, deleuze is really as bad as it seems"; revision 6, 2014-04-18 17:12:12, ClintonEbadi: "turned sslv2 off on deleuze"; revisions 1-5, 2014-04-18 13:33:20 to 13:55:55, Sajith.)

Fortunately HCoop wasn't hit by the OpenSSL Heartbleed bug. However, this is perhaps an opportunity for some spring cleaning. These reports do not look good:

 - SSL Report: navajos.hcoop.net
 - SSL Report: deleuze.hcoop.net

(Warning: their analyzer may need to run, and you might need to wait a while to see the actual report.)

Here's the status of navajos: it gets an F per the above SSL Labs report, because:

 - Server's certificate is not trusted. Grade set to F.
 - Ignoring certificate problems, it gets a C.
 - Server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
 - Server does not support Forward Secrecy with the reference browsers.

Deleuze is particularly problematic, because:

 - Server's certificate is not trusted. Grade set to F.
 - Ignoring certificate problems, it still gets an F.
 - Server supports SSL 2, which is obsolete and insecure. Grade set to F. (Fixed: SSLv2 has since been turned off on deleuze, per revision 6.)
 - Server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
 - Server does not mitigate the CRIME attack. Grade capped to B.
 - Server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
 - There is no support for secure renegotiation.
 - Server does not support Forward Secrecy with the reference browsers.

Since deleuze is scheduled to be decommissioned, we might want to focus on the remaining problems.

CA Certification

Problem: Browsers do not trust HCoop's self-signed certificate. Potential members might be scared away by big honking browser warnings. We might want to get a "proper" CA-signed certificate, perhaps a wildcard one. But these tend to be fairly expensive.

These are the choices at the moment, to solve the immediate problem in an inexpensive manner:

 - Gandi offers a free one-year CA certificate with domain registrations.
 - StartSSL offers free CA certificates, but charges $25 for revocations.

HCoop has plenty of funds on hand, opening up two other options:

 - Gandi Standard Wildcard Cert
   - $160/year for *.hcoop.net and hcoop.net
   - Automatic domain verification, i.e. we can acquire it and start installing it on the appropriate machines within a few days
   - ClintonEbadi confirmed with Gandi support that we are OK having member subdomains and using a wildcard certificate from them
   - Disadvantages: no organizational information is attached to the cert; one cert that must be secured on multiple machines
 - StartSSL Class 2 Organizational Certification
   - $60 for a "certmaster" to be personally verified, and another $60 for HCoop itself to be verified, per year
   - Certificates provide organization information (but not extended validation)
   - You can issue unlimited certificates, allowing us to use multiple private keys (slight security improvement)
   - Disadvantages: organizational validation will take weeks (we have to request documentation from the State of PA), a certmaster must be appointed, revocations cost money (but we're unlikely to lose certs...)

ClintonEbadi thinks that a Gandi wildcard certificate makes the most sense right now (easier, and providing organization information in a cert is of dubious value).

Perfect Forward Secrecy

Forward Secrecy is being advocated as a solution that offers stronger protection against private key compromise; evidently it is straightforward to enable with Apache. See ticket #113.
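As an added example (not HCoop's actual configuration, which ticket #113 will hold), here is a mod_ssl virtual host fragment that addresses the SSL Labs findings listed above: SSLv2 enabled, no CRIME mitigation, insecure renegotiation, and no forward secrecy. The hostname and file paths are placeholders; the version notes in the comments matter because several of the report's findings depend on the OpenSSL build rather than on configuration.

```apache
# Added example, not HCoop's real vhost. Paths and ServerName are placeholders.
<VirtualHost *:443>
    ServerName navajos.hcoop.net
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/hcoop.net.crt
    SSLCertificateKeyFile   /etc/ssl/private/hcoop.net.key
    # A CA-signed cert needs its intermediate chain, or clients still see it as untrusted.
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt

    # Weak setting that produced "Server supports SSL 2":
    #   SSLProtocol all
    # Hardened: drop SSLv2 and SSLv3. TLS 1.2 itself is only offered when
    # Apache is built against OpenSSL 1.0.1 or later; no directive adds it.
    SSLProtocol all -SSLv2 -SSLv3

    # Forward secrecy: put ECDHE/DHE suites first and make the server's order
    # win over the client's. ECDHE needs OpenSSL 1.0.0+ (Apache 2.2.26+ or 2.4);
    # the DHE suites still give forward secrecy on older builds.
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!MD5:!RC4:!EXPORT

    # CRIME mitigation: disable TLS-level compression (directive available from
    # Apache 2.2.24 / 2.4.3; older builds must be upgraded to fix this finding).
    SSLCompression off

    # Keep pre-RFC 5746 renegotiation off (this is the default, stated for
    # clarity). "Secure renegotiation" support itself comes from OpenSSL
    # 0.9.8m+ with Apache 2.2.15+, so that finding is also a version issue.
    SSLInsecureRenegotiation off
</VirtualHost>
```

After a reload, re-running the SSL Labs report is the quickest check that each finding has cleared; anything still flagged about TLS 1.2 or secure renegotiation points at the OpenSSL version rather than this file.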