HeartBleedAfterMath

1. Heartbleed Aftermath

Fortunately, HCoop wasn't hit by the OpenSSL Heartbleed bug. However, this is perhaps an opportunity for some spring cleanup.

These reports do not look good:

(Warning: their analyzer may need to run, and you might need to wait a while to see the actual report.)

Here's the status of navajos: it gets an F per the above SSL Labs report, because:

Deleuze is particularly problematic, because:

Since deleuze is scheduled to be decommissioned, we might want to focus on the remaining problems.

1.1. CA Certification

Problem: Browsers do not trust HCoop's self-signed certificate. Potential members might be scared away by big honking browser warnings. We might want to get a "proper" CA-signed certificate; perhaps a wildcard one. But these tend to be fairly expensive.

These are the choices at the moment, to solve the immediate problem in an inexpensive manner:

HCoop has plenty of funds on hand, opening up two other options:

ClintonEbadi thinks that a Gandi wildcard certificate makes the most sense right now (easier, and providing organization information in a cert is of dubious value).

1.2. Perfect Forward Secrecy

Forward Secrecy is being advocated as a solution that offers stronger protection for private keys; evidently it is straightforward to enable with Apache.

See ticket #113.
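As an added illustration (not HCoop's actual configuration, and not taken from the ticket), this is what enabling forward secrecy in Apache mod_ssl typically looks like: the cipher list is restricted to ephemeral (EC)DHE key exchange, so session keys cannot be recovered later from the server's long-term private key. The hostname and file paths are placeholders.

```apache
# Added example. ServerName and certificate paths are placeholders,
# not values from HCoop's servers.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/example.org.key

    # Before (weak): a permissive list that still allows static RSA key
    # exchange. Traffic recorded today can be decrypted by anyone who
    # obtains the private key later.
    # SSLCipherSuite ALL:!aNULL:!eNULL

    # After: drop the legacy protocols and offer only suites whose key
    # exchange is ephemeral (EECDH = ECDHE, EDH = DHE in OpenSSL's
    # cipher-string syntax).
    SSLProtocol all -SSLv2 -SSLv3
    # Use the server's preference order, so the ECDHE suites are tried first.
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!eNULL
</VirtualHost>
```

After reloading Apache, `openssl s_client -connect www.example.org:443 -tls1_2 -cipher kRSA` should fail to complete a handshake, which confirms that static RSA key exchange is no longer accepted.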

HeartBleedAfterMath (last edited 2014-04-19 00:32:33 by ClintonEbadi)