welcome: please sign in

Diff for "HeartBleedAfterMath"

Differences between revisions 2 and 7 (spanning 5 versions)
Revision 2 as of 2014-04-18 13:40:24
Size: 2108
Editor: Sajith
Comment:
Revision 7 as of 2014-04-18 17:13:33
Size: 2604
Editor: ClintonEbadi
Comment: navajos is less bad than it seems, deleuze is really as bad as it seems
Deletions are marked like this. Additions are marked like this.
Line 14: Line 14:
 * Server's certificate is not trusted. Grade set to F.  * Server's certificate is not trusted. Grade set to F. Ignoring certificate problems, it gets a C.
Line 20: Line 20:
 * Server's certificate is not trusted. Grade set to F.
 * Server supports SSL 2, which is obsolete and insecure. Grade set to F.
 * Server's certificate is not trusted. Grade set to F. Ignoring certificate problems, it still gets an F.
 * --(Server supports SSL 2, which is obsolete and insecure. Grade set to F.--) ''Fixed''
Line 30: Line 30:
== CA Certification == 

== CA Certification ==
Line 38: Line 40:


== Perfect Forward Secrecy ==

[[http://en.wikipedia.org/wiki/Forward_secrecy|Forward Secrecy]] is being advocated as a solution that offers stronger protection for private keys; evidently it is [[https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite|straightforward to enable with Apache]].

See [[https://bugzilla.hcoop.net/show_bug.cgi?id=1113|ticket #113]].

1. Heartbleed Aftermath

Fortunately HCoop wasn't hit by the OpenSSL Heartbleed bug. However this perhaps is an opportunity for some spring clean up.

These reports do not look good:

(Warning: their analyzer may need to run, and you might need to wait a while to see the actual report.)

Here's the status of navajos: it gets an F per the above SSL Labs report, because:

  • Server's certificate is not trusted. Grade set to F. Ignoring certificate problems, it gets a C.
  • Server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
  • Server does not support Forward Secrecy with the reference browsers.

Deleuze is particularly problematic, because:

  • Server's certificate is not trusted. Grade set to F. Ignoring certificate problems, it still gets an F.
  • Server supports SSL 2, which is obsolete and insecure. Grade set to F.--) Fixed

  • Server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
  • Server does not mitigate the CRIME attack. Grade capped to B.
  • Server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
  • There is no support for secure renegotiation.
  • Server does not support Forward Secrecy with the reference browsers.

Since deleuze is scheduled to be decommissioned, we might want to focus on the remaining problems.

1.1. CA Certification

Problem: Browsers do not trust HCoop's self-signed certificate. Potential members might be scared away by big honking browser warnings. We might want to get a "proper" CA-signed certificate; perhaps a wildcard one. But these tend to be fairly expensive.

These are the choices at the moment, to solve the immediate problem in an inexpensive manner:

  • Gandi offers one-year free CA certificate with domain registrations.

  • StartSSL offers free CA certificates, but charges $25 for revocations.

1.2. Perfect Forward Secrecy

Forward Secrecy is being advocated as a solution that offers stronger protection for private keys; evidently it is straightforward to enable with Apache.

See ticket #113.

HeartBleedAfterMath (last edited 2014-04-19 00:32:33 by ClintonEbadi)