[pydotorg-www] [Infrastructure] SSL support (was: Removed wiki attack banners)

M.-A. Lemburg mal at egenix.com
Sat Sep 7 12:41:31 CEST 2013


Hmm, according to SSLLabs, DHE is not used by browsers
for wiki.python.org:

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.python.org

Note that ECs are not widely supported, so using those is not
such a good idea. Moving away from the ancient RC4 is, though,
esp. if TLS 1.2 is available:

https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

TLS_DHE_RSA_WITH_AES_256_CBC_SHA would be better as default
first choice for SSL.

Not sure whether this is worth fixing for the public wikis,
but once we're starting to host things like e-voting on the
OSL infrastructure, this may become more important.

Background info: DHE causes the session key to be
negotiated between server and client without actually sending
key data over the wire. As a result, getting at the session
key by looking at a recorded SSL session is really hard, even
if you know the server's private key. Without DHE, it is easily
possible to recreate the session key, provided you know the
server's private key and have a recording for the SSL handshake.
That's where the term "forward secrecy" comes from - future loss
of a private key doesn't result in all recorded SSL sessions
suddenly becoming easily decipherable.


On 07.09.2013 08:39, Gregory P. Smith wrote:
> Any chance we could change the default preferred ciphers?
> 
> currently sslscan shows (complete with a misspelling):
> 
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  RC4-SHA
>     TLSv1  128 bits  RC4-SHA
> 
> for wiki.python.org et al?
> 
> Defaulting to ECDHE (for perfect forward secrecy) seems the right thing to
> do for the web.
> 
> ie it'd be great to see:
> 
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  ECDHE-RSA-RC4-SHA
>     TLSv1  128 bits  ECDHE-RSA-RC4-SHA
> 
> http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
> 
> -gps
> 
> 
> 
> On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> 
>> On 04.09.2013 22:26, M.-A. Lemburg wrote:
>>> On 04.09.2013 22:16, M.-A. Lemburg wrote:
>>>> On 03.09.2013 16:49, M.-A. Lemburg wrote:
>>>>> Since the HTTPS redirects are now mostly working (there are still some
>>>>> details to be worked out), I've removed the wiki banners about the
>>>>> attack and instead added a section to the front pages of the Python
>>>>> and Jython wikis.
>>>>>
>>>>> It's a good idea to change the passwords on the wikis now, since
>>>>> clear text passwords are just too easy to sniff at conferences.
>>>>
>>>> Update: The HTTPS config changes have now been put in place and
>>>>
>>>> HSTS is now also enabled for the wikis:
>>>>
>>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>>>
>>>> (allowing redirects to happen on the client side, if the browser
>>>> supports HSTS)
>>>
>>> I've submitted an HSTS preload list entry request to Google for
>>> inclusion in their list:
>>>
>>> https://sites.google.com/a/chromium.org/dev/sts
>>>
>>> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
>>>
>>> Firefox bases its list on Google's, so hopefully wiki.python.org
>>> will end up there as well in a few weeks:
>>>
>>> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
>>> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
>>
>> This is added now:
>>
>> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
>>
>> It'll appear in Chrome after the usual product development
>> cycles. Not sure how often Mozilla updates their list.
>>
>> Donald: You might want to add pypi.python.org to the HSTS
>> list as well.
>>
>> --
>> Marc-Andre Lemburg
>> eGenix.com
>>
> 
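
Added example (not part of the original message or of any python.org configuration): a toy Python model of the two key exchanges described in the "Background info" paragraph, showing what a recorded handshake plus the server's private key gives you in each case. All names, key sizes and group parameters are constructed assumptions, and the premaster secret stands in for the session key.

```python
# Toy model (textbook RSA, small groups): illustrative only, not real crypto.
import hashlib
import secrets

# Constructed long-term server RSA key built from two Mersenne primes.
RSA_P, RSA_Q, RSA_E = 2**31 - 1, 2**61 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's private key
# Constructed Diffie-Hellman group (toy size).
DH_P, DH_G = 2**127 - 1, 3

def _digest(value):
    raw = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(raw, "big") % RSA_N

def rsa_key_transport():
    """Without DHE: the client encrypts the secret to the long-term key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    recording = {"kx": "RSA",
                 "encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return premaster, recording

def dhe_exchange():
    """With DHE: throwaway exponents; the RSA key only signs g^b."""
    a = secrets.randbelow(DH_P - 3) + 2  # client ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2  # server ephemeral secret
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    session_key = pow(server_pub, a, DH_P)
    assert session_key == pow(client_pub, b, DH_P)  # both sides agree
    recording = {"kx": "DHE", "client_pub": client_pub,
                 "server_pub": server_pub,
                 "signature": pow(_digest(server_pub), RSA_D, RSA_N)}
    return session_key, recording  # a and b are discarded here

def signature_valid(recording):
    """The public key authenticates the server's DH value."""
    expected = _digest(recording["server_pub"])
    return pow(recording["signature"], RSA_E, RSA_N) == expected

def recover_session_key(recording, rsa_d):
    """What the server's private key yields from a recorded handshake."""
    if recording["kx"] == "RSA":
        return pow(recording["encrypted_premaster"], rsa_d, RSA_N)
    # DHE: nothing was encrypted to the RSA key and the secret exponents
    # never crossed the wire, so the key alone recovers nothing.
    return None

if __name__ == "__main__":
    for handshake in (rsa_key_transport, dhe_exchange):
        key, rec = handshake()
        print(rec["kx"], recover_session_key(rec, RSA_D) == key)
```
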

