|
Size: 1849
Comment:
|
← Revision 8 as of 2014-04-19 00:32:33 ⇥
Size: 3887
Comment: we can maybe buy a wildcard cert from gandi
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 14: | Line 14: |
| * Server's certificate is not trusted. Grade set to F. | * Server's certificate is not trusted. Grade set to F. Ignoring certificate problems, it gets a C. |
| Line 20: | Line 20: |
| * Server's certificate is not trusted. Grade set to F. * Server supports SSL 2, which is obsolete and insecure. Grade set to F. |
* Server's certificate is not trusted. Grade set to F. Ignoring certificate problems, it still gets an F. * --(Server supports SSL 2, which is obsolete and insecure. Grade set to F.--) ''Fixed'' |
| Line 30: | Line 30: |
| == CA Certification == | == CA Certification == Problem: Browsers do not trust HCoop's self-signed certificate. Potential members might be scared away by big honking browser warnings. We might want to get a "proper" CA-signed certificate; perhaps a wildcard one. But these tend to be fairly expensive. |
| Line 36: | Line 40: |
HCoop has plenty of funds on hand, opening up two other options * Gandi Standard Wildcard Cert * $160/year for `*.hcoop.net` and `hcoop.net` * Automatic domain verification, i.e. we can acquire and start installing it to the appropriate machines within a few days * ClintonEbadi confirmed with Gandi support that we are OK having member subdomains and using a wildcard certificate from them * Disadvantages: No organizational information is attached to the cert, one cert that must be secured on multiple machines * StartSSL Class 2 Organizational Certification * $60 for a "certmaster" to be personally verified, and another $60 for HCoop itself to be verified, per year * Certificates provide organization information (but not extended validation) * You can issue unlimited certificates, allowing us to use multiple private keys (slight security improvement) * Disadvantages: organizational validation will take weeks (we have to request documentation from the State of PA), a certmaster must be appointed, revocations cost money (but we're unlikely to lose certs...) ClintonEbadi thinks that a Gandi wildcard certificate makes the most sense right now (easier, and providing organization information in a cert is of dubious value). == Perfect Forward Secrecy == [[http://en.wikipedia.org/wiki/Forward_secrecy|Forward Secrecy]] is being advocated as a solution that offers stronger protection for private keys; evidently it is [[https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite|straightforward to enable with Apache]]. See [[https://bugzilla.hcoop.net/show_bug.cgi?id=1113|ticket #113]]. |
1. Heartbleed Aftermath
Fortunately HCoop wasn't hit by the OpenSSL Heartbleed bug. However this perhaps is an opportunity for some spring clean up.
These reports do not look good:
(Warning: their analyzer may need to run, and you might need to wait a while to see the actual report.)
Here's the status of navajos: it gets an F per the above SSL Labs report, because:
- Server's certificate is not trusted. Grade set to F. Ignoring certificate problems, it gets a C.
- Server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
- Server does not support Forward Secrecy with the reference browsers.
Deleuze is particularly problematic, because:
- Server's certificate is not trusted. Grade set to F. Ignoring certificate problems, it still gets an F.
Server supports SSL 2, which is obsolete and insecure. Grade set to F.--) Fixed
- Server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
- Server does not mitigate the CRIME attack. Grade capped to B.
- Server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
- There is no support for secure renegotiation.
- Server does not support Forward Secrecy with the reference browsers.
Since deleuze is scheduled to be decommissioned, we might want to focus on the remaining problems.
1.1. CA Certification
Problem: Browsers do not trust HCoop's self-signed certificate. Potential members might be scared away by big honking browser warnings. We might want to get a "proper" CA-signed certificate; perhaps a wildcard one. But these tend to be fairly expensive.
These are the choices at the moment, to solve the immediate problem in an inexpensive manner:
Gandi offers one-year free CA certificate with domain registrations.
StartSSL offers free CA certificates, but charges $25 for revocations.
HCoop has plenty of funds on hand, opening up two other options
- Gandi Standard Wildcard Cert
$160/year for *.hcoop.net and hcoop.net
- Automatic domain verification, i.e. we can acquire and start installing it to the appropriate machines within a few days
ClintonEbadi confirmed with Gandi support that we are OK having member subdomains and using a wildcard certificate from them
- Disadvantages: No organizational information is attached to the cert, one cert that must be secured on multiple machines
- StartSSL Class 2 Organizational Certification
- $60 for a "certmaster" to be personally verified, and another $60 for HCoop itself to be verified, per year
- Certificates provide organization information (but not extended validation)
- You can issue unlimited certificates, allowing us to use multiple private keys (slight security improvement)
- Disadvantages: organizational validation will take weeks (we have to request documentation from the State of PA), a certmaster must be appointed, revocations cost money (but we're unlikely to lose certs...)
ClintonEbadi thinks that a Gandi wildcard certificate makes the most sense right now (easier, and providing organization information in a cert is of dubious value).
1.2. Perfect Forward Secrecy
Forward Secrecy is being advocated as a solution that offers stronger protection for private keys; evidently it is straightforward to enable with Apache.
See ticket #113.