Forums.FreeBSD.org - SSL Issue?

Ian Smith smithi at nimnet.asn.au
Mon May 18 07:05:24 UTC 2015 

On Fri, 15 May 2015 07:51:34 -0500, Mark Felder wrote:
 > On Fri, May 15, 2015, at 03:07, Ian Smith wrote:
 > > On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:
 > >  > Hello
 > >  > 
 > >  > >> But I don't think disable TLS 1.0 is ok.
 > >  > >>
 > >  > > 
 > >  > > TLS 1.0 is dead and is even now banned in new installations according to
 > >  > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
 > >  > > by *any* HTTPS site now.
 > >  > 
 > >  > Maybe is dead but is used in many old browser / software still used.
 > >  > 
 > >  > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 to 30 June 2016.
 > >  > (new installations "in theory" should not be built on TLS 1.0).
 > >  > 
 > >  > So we have 1 year and FreeBSD forum is not e-commerce site ;)
 > > 
 > > People seem determined to make sure freebsd forums are one of the first 
 > > sites to ban TLS 1.0, as some sort of best-practice example.
 > > 
 > > I admit my knowledge of TLS issues is scant.  I'd like to know whether 
 > > allowing TLS 1.0 - with fallback from later levels denied, as it already 
 > > is - endangers the server, or only the client?  If there's a clearly 
 > > stated and immediate danger to the forum server, I can accept that, but 
 > > I'd have thought https://www and svnweb would be more at such peril? 
 > > Will there be any notice before they're denied TLS 1.0 access also?

 > The danger is decryption. Your username/password could be stolen if
 > someone captures your traffic after successfully initiating a downgrade
 > attack.

So the danger is only to myself, from some MITM, and not to the server?  
And despite the forum cert setup shown at 
https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org :

Downgrade attack prevention  	 Yes, TLS_FALLBACK_SCSV supported (more info)

which refers to RFC 7507, https://datatracker.ietf.org/doc/rfc7507/ 
which I've read, are we not trusting that mechanisn to prevent some 
successful initiation of a downgrade attack - which I rather imprecisely 
called "with fallback from later levels denied" above?

 > You can't login to www.freebsd.org or svnweb. The most they can do is
 > see what you're browsing, which isn't private anyway.

Alright.

 > > If it's just for making the sort of point that Mark is advocating, to 
 > > force people to join this 'rolling automatic update' model so beloved of 
 > > Microsoft and their captive hardware vendors, then I think doing that, 
 > > without any sort of prior notice, is rather less than I've come to 
 > > expect from the FreeBSD project over 17 years.
 > > 
 > > But I'm a grandpa too; guess I have old-fashioned expectations :)

 > Microsoft has nothing to do with this. They're setting a good example.

Alright, the leopard has changed its spots; wonders will never cease.

 > OSX is sort-of on that train too. FreeBSD has always been ahead of the
 > curve with the ports tree being a rolling-release model. We need the
 > Linux distros to get their heads on straight now, too.

The latter should be simple enough :)

 > Just a reminder: I don't speak for the project in these matters. I'm
 > just telling you what best current practices are. I have no idea who
 > made that decision for the forums, or if it's even worth having the
 > forums on https anyway.

Other forums I use allow http connections, read only, only requiring 
switching to https for login and thus posting, which is fair enough,
and I have almost always only read a few forum posts, but see below ..

Noone has yet seen fit to even comment on the matter of no prior notice;
there is usually at least some heads-up warning, 'better upgrade now', 
before access is denied to some FreeBSD service from older browsers.

 > If it was up to me I probably wouldn't even put
 > https on the forums even though Google will penalize it in search
 > results. (Sure, you have a user account there... but it doesn't really
 > do anything... you're not using the same credentials everywhere are
 > you?)

Of course not.  And I just checked, being unsure I'd ever posted there, 
to find my password server-allocated anyway, so I must have posted once.

 > Actually, that might be the reason -- Google search results. Perhaps
 > Google is also logging what protocols/ciphers your HTTPS has and is
 > using that in search rankings.

You're seriously suggesting that the FreeBSD project should set security 
policies to favour higher rankings from an advertising company?

cheers, Ian

More information about the freebsd-security mailing list