= Heartbleed Aftermath = Fortunately HCoop wasn't hit by the OpenSSL [[http://heartbleed.com/|Heartbleed]] bug. However this perhaps is an opportunity for some spring clean up. These reports do not look good: * [[https://www.ssllabs.com/ssltest/analyze.html?d=navajos.hcoop.net|SSL Report: navajos.hcoop.net]] * [[https://www.ssllabs.com/ssltest/analyze.html?d=deleuze.hcoop.net|SSL Report: deleuze.hcoop.net]] (Warning: their analyzer may need to run, and you might need to wait a while to see the actual report.) Here's the status of navajos: it gets an F per the above SSL Labs report, because: * Server's certificate is not trusted. Grade set to F. * Server supports only older protocols, but not the current best TLS 1.2. Grade capped to B. * Server does not support Forward Secrecy with the reference browsers. Deleuze is particularly problematic, because: * Server's certificate is not trusted. Grade set to F. * Server supports SSL 2, which is obsolete and insecure. Grade set to F. * Server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F. * Server does not mitigate the CRIME attack. Grade capped to B. * Server supports only older protocols, but not the current best TLS 1.2. Grade capped to B. * There is no support for secure renegotiation. * Server does not support Forward Secrecy with the reference browsers. Since deleuze is scheduled to be decommissioned, we might want to focus on the remaining problems. == CA Certification == Problem: Browsers do not trust HCoop's self-signed certificate. Potential members might be scared away by big honking browser warnings. We might want to get a "proper" CA-signed certificate; perhaps a wildcard one. But these tend to be fairly expensive. These are the choices at the moment, to solve the immediate problem in an inexpensive manner: * [[https://www.gandi.net/|Gandi]] offers one-year free CA certificate with domain registrations. * [[https://startssl.com/|StartSSL]] offers free CA certificates, but charges $25 for revocations.