Forums.FreeBSD.org - SSL Issue?
Mark Felder
feld at FreeBSD.org
Mon May 18 13:42:57 UTC 2015
On Mon, May 18, 2015, at 02:05, Ian Smith wrote:
>
> > The danger is decryption. Your username/password could be stolen if
> > someone captures your traffic after successfully initiating a downgrade
> > attack.
>
> So the danger is only to myself, from some MITM, and not to the server?
> And despite the forum cert setup shown at
> https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org :
>
> Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more
> info)
>
> which refers to RFC 7507, https://datatracker.ietf.org/doc/rfc7507/
> which I've read, are we not trusting that mechanism to prevent some
> successful initiation of a downgrade attack - which I rather imprecisely
> called "with fallback from later levels denied" above?
>
This is irrelevant to this conversation. With TLS_FALLBACK_SCSV, those
with strong crypto keep strong crypto. Those with weak crypto are
_still_ vulnerable to their traffic being decrypted. This new mechanism
does not magically make their weak crypto more secure.
>
> > Microsoft has nothing to do with this. They're setting a good example.
>
> Alright, the leopard has changed its spots; wonders will never cease.
>
Troll detected.
If by now in your adult life you haven't recognized that you need to use
the right tool for the right job -- whether that be Windows, OSX, Linux,
FreeBSD, OpenBSD, NetBSD, DragonflyBSD, SmartOS, Illumos, Solaris, etc
etc etc -- I can't help you.
It might surprise you that some FreeBSD developers use Windows as their
daily OS. Many use OSX.
>
> Other forums I use allow http connections, read only, only requiring
> switching to https for login and thus posting, which is fair enough,
> and I have almost always only read a few forum posts, but see below ..
>
I agree that would be reasonable, but I am not involved in the forum
administration -- or cluster, for that matter.
>
> > Actually, that might be the reason -- Google search results. Perhaps
> > Google is also logging what protocols/ciphers your HTTPS has and is
> > using that in search rankings.
>
> You're seriously suggesting that the FreeBSD project should set security
> policies to favour higher rankings from an advertising company?
>
If people can't search Google and find results on the first page they're
going to be very, very discouraged from even trying it out.
I don't think I can provide any further information about what's going
on here, but I hope that I've answered some questions about why this
isn't such a terrible idea. Feel free to file a bug report if you would
like this followed up by those who have control over these decisions.
https://bugs.freebsd.org/bugzilla/enter_bug.cgi?product=Services
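The point made above about TLS_FALLBACK_SCSV (strong clients keep strong crypto, legacy clients are no better off) can be seen in the server-side rule from RFC 7507, section 3. The following simulation is an added illustration, not code from the FreeBSD project or from anyone in this thread; the version tuples, the stand-in cipher suite 0x009C and the three client scenarios are constructed for the example.

```python
"""Simulation of the server-side TLS_FALLBACK_SCSV check from RFC 7507.

Added illustration for the thread above; not code from the FreeBSD project
or from anyone in the thread. Version tuples, the stand-in suite 0x009C and
the client scenarios are constructed for the example.
"""

# TLS protocol versions as (major, minor) pairs, as sent in ClientHello.client_version.
TLS10 = (3, 1)
TLS11 = (3, 2)
TLS12 = (3, 3)

# Signalling Cipher Suite Value defined by RFC 7507, section 2.
TLS_FALLBACK_SCSV = 0x5600
# TLS_RSA_WITH_AES_128_GCM_SHA256; stands in for the client's normal suite list.
SOME_REAL_SUITE = 0x009C


class HandshakeAlert(Exception):
    """Raised in place of sending a TLS fatal alert."""


def server_negotiate(server_max, server_min, client_version, cipher_suites):
    """RFC 7507 section 3: if the client signals a fallback (SCSV present)
    while offering a version lower than the server's best, the server must
    refuse with inappropriate_fallback (alert 86). Otherwise negotiate the
    usual minimum of the two maxima, subject to the server's floor."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        raise HandshakeAlert("inappropriate_fallback")
    chosen = min(client_version, server_max)
    if chosen < server_min:
        raise HandshakeAlert("protocol_version")
    return chosen


def client_retry(server_max, client_max, retry_version, client_supports_scsv):
    """Model a browser-style retry: the first handshake at client_max was
    interrupted, so the client retries at retry_version. A client that
    implements RFC 7507 appends the SCSV whenever retry_version is below its
    own maximum. Returns the negotiated version tuple, or the name of the
    alert that ended the handshake."""
    suites = [SOME_REAL_SUITE]
    if client_supports_scsv and retry_version < client_max:
        suites.append(TLS_FALLBACK_SCSV)
    try:
        return server_negotiate(server_max, TLS10, retry_version, suites)
    except HandshakeAlert as alert:
        return str(alert)


if __name__ == "__main__":
    # 1. Modern client, both sides implement RFC 7507: the forced retry is refused.
    print("modern+SCSV  ->", client_retry(TLS12, TLS12, TLS10, True))   # inappropriate_fallback
    # 2. Modern client without SCSV support: the retry at TLS 1.0 is accepted.
    print("modern, none ->", client_retry(TLS12, TLS12, TLS10, False))  # (3, 1)
    # 3. Legacy client whose best is TLS 1.0: no fallback happened, so no SCSV
    #    is sent and it simply gets TLS 1.0. This is the "weak stays weak" case.
    print("legacy       ->", client_retry(TLS12, TLS10, TLS10, True))   # (3, 1)
```

Scenario 3 is the one the reply is describing: the SCSV only carries information when a client retries below its own maximum, so a client whose maximum is already the weak version never sends it and negotiates exactly what it always did. Rather than a single mechanism on the server, the protection in scenario 1 depends on both the server checking the signal and the client sending it on retries.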