welcome: please sign in
Page Locked

HeartBleedAfterMath

1. Heartbleed Aftermath

Fortunately HCoop wasn't hit by the OpenSSL Heartbleed bug. However this perhaps is an opportunity for some spring clean up.

These reports do not look good:

(Warning: their analyzer may need to run, and you might need to wait a while to see the actual report.)

Here's the status of navajos: it gets an F per the above SSL Labs report, because:

Deleuze is particularly problematic, because:

Since deleuze is scheduled to be decommissioned, we might want to focus on the remaining problems.

1.1. CA Certification

Problem: Browsers do not trust HCoop's self-signed certificate. Potential members might be scared away by big honking browser warnings. We might want to get a "proper" CA-signed certificate; perhaps a wildcard one. But these tend to be fairly expensive.

These are the choices at the moment, to solve the immediate problem in an inexpensive manner:

HCoop has plenty of funds on hand, opening up two other options

ClintonEbadi thinks that a Gandi wildcard certificate makes the most sense right now (easier, and providing organization information in a cert is of dubious value).

1.2. Perfect Forward Secrecy

Forward Secrecy is being advocated as a solution that offers stronger protection for private keys; evidently it is straightforward to enable with Apache.

See ticket #113.

HeartBleedAfterMath (last edited 2014-04-19 00:32:33 by ClintonEbadi)