[pydotorg-www] [Infrastructure] SSL support (was: Removed wiki attack banners)
Gregory P. Smith
greg at krypto.org
Sat Sep 7 20:25:52 CEST 2013
On Sat, Sep 7, 2013 at 3:41 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> Hmm, according to SSLLabs, DHE is not used by browsers
> for wiki.python.org:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=wiki.python.org
>
> Note that ECs are not widely supported, so using those is not
> such a good idea. Moving away from the ancient RC4 is, though,
> esp. if TLS 1.2 is available:
>
>
> https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
>
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA would be better as default
> first choice for SSL.
>
> Not sure whether this is worth fixing for the public wikis,
> but once we're starting to host things like e-voting on the
> OSL infra structure, this may become more important.
>
> Background info: DHE causes the session key to be
> negotiated between server and client without actually sending
> key data over the wire. As a result, getting at the session
> key by looking at a recorded SSL session is really hard, even
> if you know the server's private key. Without DHE, it is easily
> possible to recreate the session key, provided you know the
> server's private key and have a recording for the SSL handshake.
> That's where the term "forward secrecy" comes from - future loss
> of a private key doesn't result in all recorded SSL sessions to
> suddenly become easily decipherable.
>
Oh I wouldn't say its really worth much either at least as far as our
services go. But FWIW, Chrome and Firefox both happily support perfect
forward secrecy ciphers (DHE).
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
Google and Facebook both use it and others are sure to follow out of
embarrassment:
https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection
I agree that it does not really matter for us. Just falls into a "oh by the
way, this would be nice" category if someone configuring things wants to
spend time learning how to set it up. Make a blog post out of it if you do.
:)
-gps
>
> On 07.09.2013 08:39, Gregory P. Smith wrote:
> > Any chance we could change the default preferred ciphers?
> >
> > currently sslscan shows (complete with a misspelling):
> >
> > Prefered Server Cipher(s):
> > SSLv3 128 bits RC4-SHA
> > TLSv1 128 bits RC4-SHA
> >
> > for wiki.python.org et al?
> >
> > Defaulting to ECDHE (for perfect forward secrecy) seem the right thing to
> > do for the web.
> >
> > ie it'd be great to see:
> >
> > Prefered Server Cipher(s):
> > SSLv3 128 bits ECDHE-RSA-RC4-SHA
> > TLSv1 128 bits ECDHE-RSA-RC4-SHA
> >
> > http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
> >
> > -gps
> >
> >
> >
> > On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> >
> >> On 04.09.2013 22:26, M.-A. Lemburg wrote:
> >>> On 04.09.2013 22:16, M.-A. Lemburg wrote:
> >>>> On 03.09.2013 16:49, M.-A. Lemburg wrote:
> >>>>> Since the HTTPS redirect are now mostly working (there are still some
> >>>>> details to be worked out), I've removed the wiki banners about the
> >>>>> attack and instead added a section to the front pages of the Python
> >>>>> and Jython wikis.
> >>>>>
> >>>>> It's a good idea to change the passwords on the wikis now, since
> >>>>> clear text passwords are just too easy to sniff at conferences.
> >>>>
> >>>> Update: The HTTPS config changes have now been put in place and
> >>>>
> >>>> HSTS is now also enabled for the wikis:
> >>>>
> >>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> >>>>
> >>>> (allowing redirects to happen on the client side, if the browser
> >>>> supports HSTS)
> >>>
> >>> I've submitted an HSTS preload list entry request to Google for
> >>> inclusion in their list:
> >>>
> >>> https://sites.google.com/a/chromium.org/dev/sts
> >>>
> >>
> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
> >>>
> >>> Firefox bases its list on Google's, so hopefully wiki.python.org
> >>> will end up there as well in a few weeks:
> >>>
> >>> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> >>> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
> >>
> >> This is added now:
> >>
> >> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
> >>
> >> It'll appear in Chrome after the usual product development
> >> cycles. Not sure how often Mozilla updates their list.
> >>
> >> Donald: You might want to add pypi.python.org to the HSTS
> >> list as well.
> >>
> >> --
> >> Marc-Andre Lemburg
> >> eGenix.com
> >>
> >> Professional Python Services directly from the Source (#1, Sep 05 2013)
> >>>>> Python Projects, Consulting and Support ... http://www.egenix.com/
> >>>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
> >>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> >> ________________________________________________________________________
> >> 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ...
> http://egenix.com/go48
> >> 2013-09-20: PyCon UK 2013, Coventry, UK ... 15 days to go
> >> 2013-09-28: PyDDF Sprint ... 23 days to go
> >>
> >> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> >> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> >> Registered at Amtsgericht Duesseldorf: HRB 46611
> >> http://www.egenix.com/company/contact/
> >> ________________________________________________
> >> Infrastructure mailing list
> >> Infrastructure at python.org
> >> https://mail.python.org/mailman/listinfo/infrastructure
> >> Unsubscribe:
> >>
> https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org
> >>
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130907/2e9b5338/attachment.html>
More information about the pydotorg-www
mailing list