
https://www.decadent.org.uk/ben/blog/securing-wwwdecadentorguk.html

I read the above blog post.

https://www.ssllabs.com/ssltest/

I tested the LUV web site with the above URL and got A-.

https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

I followed the advice at the above URL and got B!

https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what

From the comments on the above blog post it seems that the only way to have PFS and not be vulnerable to other issues is to require TLS 1.2.

The browser that is built in to Android (which is going to be a long-term issue as some people will use it until their phone breaks) only supports TLS 1.2 in Android 5.0 and above. The Samsung Galaxy Note 2 is currently not supported for Android 5.0 while the Galaxy Note 3 is. The Note 2 is still quite a decent phone.

https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browse...

The above page has TLS/SSL support of various browsers. If we require TLS 1.2 we exclude:

The default Android browser before Android 5.0. Admittedly that browser always sucked badly and probably has lots of other security issues.

Chrome versions before 30 didn't support it. But version 30 was released in 2013 and Google does a good job of forcing upgrades. A Debian/Wheezy system I run is now displaying warnings from the google-chrome package saying that Wheezy is too old and won't be supported for long!

Firefox before version 27 didn't support it (the Wikipedia page is unclear about versions 27-31). 27 was released in 2014. Debian/Wheezy has version 38, Debian/Squeeze has Iceweasel 3.5.16 which doesn't support it. Would it be reasonable to assume that anyone who's still using Squeeze is using it for a server?

IE version 11 supports it and runs on Windows 7+ (all supported versions of Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are the free upgrades from Windows 7 to Windows 10 going to solve this problem?

Windows mobile doesn't have enough users to care about.

Opera supports it from version 17. This is noteworthy because Opera used to be good for devices running older versions of Android that aren't supported by Chrome.

Safari supported it from iOS version 5, I think that's a solved problem there.

Is breaking support for Debian/Squeeze, the built in Android browser on Android <5.0, and Windows 7 and 8 systems that haven't upgraded IE as a web browsing platform a reasonable trade-off for implementing the best SSL security features?

For the LUV server as a stand-alone issue the answer would be no as the only really secret data there is accessed via ssh. For a general web infrastructure issue it seems that the answer might be yes.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Hi,

On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
Did you not see my post? Not sure if my config that got A+ will suit for luv.asn.au requirements.
https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what

RC4 is being removed from browsers, I think current Firefox 44 doesn't include it.
IE version 11 supports it and runs on Windows 7+ (all supported versions of Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are the free upgrades from Windows 7 to Windows 10 going to solve this problem?
Who cares about IE and Edge? I won't use those browsers except as an absolute last resort.
Windows mobile doesn't have enough users to care about.
Again, who cares?
Is breaking support for Debian/Squeeze, the built in Android browser on Android <5.0, and Windows 7 and 8 systems that haven't upgraded IE as a web browsing platform a reasonable trade-off for implementing the best SSL security features?
You care about squeeze? I wouldn't be worried about that either.

- Jessie
- Wheezy
- Squeeze LTS

Using that LTS is almost a last resort now, for servers that you can't easily upgrade and need to keep running. Anything less than Squeeze LTS, well, that would be as bad as XP is today (perhaps not quite, but still).

I won't do much on a mobile browser when most things can wait for a desktop browser and I can lock down a desktop browser much more and have it operate much more securely. Heck, I don't really trust the security of ANY mobile device these days and use select apps that give me the best confidence; but the platforms don't seem secure enough for me -- especially if people are running stock ROMs ... manufacturers like Samsung don't care enough about porting patches to older phones and there is a vast majority of insecure Android devices as a result.

Cheers
A.

Andrew McGlashan via luv-main <luv-main@luv.asn.au> wrote:
On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
IE version 11 supports it and runs on Windows 7+ (all supported versions of Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are the free upgrades from Windows 7 to Windows 10 going to solve this problem?
Who cares about IE and Edge? I won't use those browsers except as an absolute last resort.
You and I wouldn't use them except as a last resort, but some newcomers to Linux who want to join Luv might. Ultimately, this is not a matter of our preferences but of ensuring that people who visit the Web site via TLS can use it.
Windows mobile doesn't have enough users to care about.
Again, who cares?
The said users care.
I won't do much on a mobile browser when most things can wait for a desktop browser and I can lock down a desktop browser much more and have it operate much more securely.
Your preferences aren't universal. Given that TLS is now required by luv.asn.au, I think a backward-compatible approach is appropriate. Arbitrarily excluding users of software that one doesn't like sends the wrong kind of message.

On 31/01/2016 4:03 AM, Jason White via luv-main wrote:
Andrew McGlashan via luv-main <luv-main@luv.asn.au> wrote: Given that TLS is now required by luv.asn.au, I think a backward-compatible approach is appropriate. Arbitrarily excluding users of software that one doesn't like sends the wrong kind of message.
All good and fair comments, but anyone whom lets people continue to use IE and/or Windows XP..... well. They WILL have to change sooner or later and the sooner the better. LUV won't be the only driving factor, it is, but one.

Cheers
A.

It's always a fine balance between supportability and security. But I find an excellent resource for deciding what ciphers I should support: Cloudflare post up their Nginx SSL Configuration publicly on Github and update this whenever they change. Might be worth a look.

https://github.com/cloudflare/sslconfig/blob/master/conf

Cheers,
Fraser
On 31/01/2016, at 4:11 am, Andrew McGlashan via luv-main <luv-main@luv.asn.au> wrote:
On 31/01/2016 4:03 AM, Jason White via luv-main wrote:
Andrew McGlashan via luv-main <luv-main@luv.asn.au> wrote: Given that TLS is now required by luv.asn.au, I think a backward-compatible approach is appropriate. Arbitrarily excluding users of software that one doesn't like sends the wrong kind of message.
All good and fair comments, but anyone whom lets people continue to use IE and/or Windows XP..... well. They WILL have to change sooner or later and the sooner the better. LUV won't be the only driving factor, it is, but one.
Cheers A.

On 31/01/2016 10:48 PM, Fraser McGlinn via luv-main wrote:
It's always a fine balance between supportability and security. But I find an excellent resource for deciding what ciphers I should support: Cloudflare post up their Nginx SSL Configuration publicly on Github and update this whenever they change. Might be worth a look.
That looks very, very light on......

This is mine:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

And this is theirs right now:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

Cheers
A.
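An added check (not Andrew's, Cloudflare's or LUV's own code) that expands the two cipher strings quoted above against the local OpenSSL build via Python's ssl module and counts what each actually enables: forward-secrecy (ECDHE/DHE) suites, static-RSA fallbacks kept for old clients, and any RC4/MD5/3DES/NULL/EXPORT suites still present. The resolved list depends on the OpenSSL the interpreter links against, so the same string gives different answers on Wheezy-era and current builds.

```python
import re
import ssl

# Apache SSLCipherSuite string quoted above (Andrew's config).
ANDREW_APACHE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:"
    "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
    "AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:"
    "!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)
# nginx ssl_ciphers string quoted above (Cloudflare's sslconfig at the time).
CLOUDFLARE_NGINX = (
    "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:"
    "EECDH+3DES:RSA+3DES:!MD5"
)

# Suite-name fragments this audit flags as legacy or broken.
LEGACY = re.compile(r"RC4|MD5|DES-CBC3|NULL|EXPORT")


def resolve(cipher_string):
    """Expand an OpenSSL cipher string against the local OpenSSL build.

    Returns (name, key_exchange) pairs in the server's preference order,
    skipping the TLS 1.3 suites OpenSSL always lists, since SSLCipherSuite
    and ssl_ciphers strings of this form do not control those.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing at all matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description is the `openssl ciphers -v` line, e.g.
        # "AES128-SHA TLSv1.0 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"
        m = re.search(r"Kx=(\S+)", c["description"])
        suites.append((c["name"], m.group(1) if m else "?"))
    return suites


def audit(cipher_string):
    """Summarise what the string actually enables on this OpenSSL."""
    suites = resolve(cipher_string)
    return {
        "total": len(suites),
        # Ephemeral ECDH/DH key exchange gives forward secrecy.
        "pfs": sum(1 for _, kx in suites if kx in ("ECDH", "DH")),
        # Static RSA key exchange: no forward secrecy, kept for old clients.
        "static_rsa": sum(1 for _, kx in suites if kx == "RSA"),
        "legacy": [n for n, _ in suites if LEGACY.search(n)],
        "first": suites[0][0] if suites else None,
    }


if __name__ == "__main__":
    for label, s in (("Andrew/Apache", ANDREW_APACHE),
                     ("Cloudflare/nginx", CLOUDFLARE_NGINX)):
        print(label, audit(s))
```

The `legacy` list is where the supportability trade-off shows up: the 3DES entries Andrew keeps for old IE only appear on OpenSSL builds that still ship them.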

Fraser McGlinn via luv-main <luv-main@luv.asn.au> wrote:
It's always a fine balance between supportability and security. But I find an excellent resource for deciding what ciphers I should support: Cloudflare post up their Nginx SSL Configuration publicly on Github and update this whenever they change. Might be worth a look.

https://github.com/cloudflare/sslconfig/blob/master/conf
Thanks - that's very useful. I note a preference for elliptic curve cryptography (ECDH).


On Sun, Jan 31, 2016 at 04:11:44AM +1100, Andrew McGlashan wrote:
All good and fair comments, but anyone whom lets people continue to use IE and/or Windows XP..... well.
yes, it's simply intolerable. they should be rounded up and sent to re-education camps. apply the electrodes until they learn the error of their ways, then send them home gibbering with an ubuntu install disk.

btw, that should be a "who" not a "whom".
They WILL have to change sooner or later and the sooner the better.
many are still "happily" using XP (i.e. they don't know any better) - as the recent virus fiasco at RMH shows. workstations across the entire hospital, from pharmacy to the wards taken out by really ancient XP viruses. I know, i've been stuck in here for much of it. some sections (fortunately, the transplant clinic was one) had upgraded to win7 but many were still running XP.

in fact, the health workers don't CARE what they use, it's not their job to care, or know - they just need access to their patients' records and blood test results and x-rays etc while they've got the patient in the room, or during reviews with other doctors. They've got more important things to do than worry about the trivial details of the computers they're using.

this will probably be the wake-up call that hospital management needed, but many people and organisations just ignore computer security because upgrading hundreds or thousands of desktop machines is time-consuming and expensive.

simply telling them "Use Linux" doesn't and won't work. They can't buy it off the shelf, it doesn't come with a recognisable brand-name, and they just don't have the time or the inclination to find out what it's about or why it might save them from future virus problems. and from the bean-counting management POV, IT is an expense, to be minimised....so underfunded, and understaffed.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #318:

Your EMAIL is now being delivered by the USPS.

On Tue, 2 Feb 2016 11:05:26 AM Craig Sanders via luv-main wrote:
They WILL have to change sooner or later and the sooner the better.
many are still "happily" using XP (i.e. they don't know any better) - as the recent virus fiasco at RMH shows. workstations across the entire hospital, from pharmacy to the wards taken out by really ancient XP viruses. I know, i've been stuck in here for much of it. some sections (fortunately, the transplant clinic was one) had upgraded to win7 but many were still running XP.
If you try to access a hobby web site at work and can't access the site then access it from home. There are lots of reasons why corporate systems can't access random web sites ranging from web filters (which sometimes misfire but no-one requests whitelisting) to a variety of misconfigurations (blocking ICMP and similar things).

Also the LUV server has had IPv6 enabled for a while and I have already noticed problems for one user. A member of this list has their mail server configured to do callbacks but is not correctly configured for IPv6. So they have been rejecting mail from the LUV list because their anti-spam measure isn't working with any site that advertises an AAAA record.

One could argue that I should remove AAAA records to deal with that sort of problem (and all the other IPv6 problems that people might have). But I think that IPv6 is necessary and inevitable. Implementing it on the LUV server is a service for LUV members as it provides an IPv6 test bed and I sent a personal email to the person with the mailing list problem explaining it to them so they can fix their issue - they will never get email from a Google sysadmin about problems talking to Google Groups.

I don't know if the LUV site even works on Windows XP. There are many potential ways in which it might break and I never test with Windows. If someone on this list would like to test the site with various versions of Windows I'd be interested to see the results. I won't commit to fixing such issues but we can definitely have a discussion about the pros and cons of various configuration options.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On 2 February 2016 at 13:17, Russell Coker via luv-main <luv-main@luv.asn.au> wrote:
I don't know if the LUV site even works on Windows XP. There are many potential ways in which it might break and I never test with Windows. If someone on this list would like to test the site with various versions of Windows I'd be interested to see the results. I won't commit to fixing such issues but we can definitely have a discussion about the pros and cons of various configuration options.
I just did some quick tests with my work laptop (Win 10 64bit) and a unit waiting deployment (Win 7 64bit) and all rendered OK. Here's a series of screen grabs, hope you can access them via my gmail account Google Photos.

Chrome 48, Win 10 64bit - https://goo.gl/photos/guRs2v7nW91xCXho6
Firefox 38.6.0, Win 10 64bit - https://goo.gl/photos/UDoHTWz86e1aBdyd8
MS Edge 25.10586, Win 10 64bit - https://goo.gl/photos/NbVL9TDa66kXQty57
Chrome 48, Win 7 64bit - https://goo.gl/photos/jDUR6uCnJL2DxU5H6
IE11 11.0.9600, Win 7 64bit - https://goo.gl/photos/CAneCrxc8fZfoGHd6

Not sure I've got an XP box or vm handy to test with.

--
Colin Fee
tfeccles@gmail.com

On 2/02/2016 1:17 PM, Russell Coker via luv-main wrote:
Also the LUV server has had IPv6 enabled for a while and I have already noticed problems for one user. A member of this list has their mail server configured to do callbacks but is not correctly configured for IPv6. So they have been rejecting mail from the LUV list because their anti-spam measure isn't working with any site that advertises an AAAA record. One could argue that I should remove AAAA records to deal with that sort of problem (and all the other IPv6 problems that people might have). But I think that IPv6 is necessary and inevitable. Implementing it on the LUV server is a service for LUV members as it provides an IPv6 test bed and I sent a personal email to the person with the mailing list problem explaining it to them so they can fix their issue - they will never get email from a Google sysadmin about problems talking to Google Groups.
I agree, IPv6 is here, and it's not LUV's job to make their servers work with broken IPv6 systems. It's up to those with broken systems to fix them.
I don't know if the LUV site even works on Windows XP. There are many potential ways in which it might break and I never test with Windows. If someone on this list would like to test the site with various versions of Windows I'd be interested to see the results. I won't commit to fixing such issues but we can definitely have a discussion about the pros and cons of various configuration options.
I've only tried on Windows 7 (with Firefox), and it seemed to work fine.
-- 73 de Tony VK3JED/VK3IRL http://vkradio.com

Tony Langdon via luv-main <luv-main@luv.asn.au> wrote:
I agree, IPv6 is here, and it's not LUV's job to make their servers work with broken IPv6 systems. It's up to those with broken systems to fix them.
Yes it is, otherwise IPv6 migration wouldn't continue. My phone carrier and cable provider both supply IPv6 dual-stack.

On 3/02/2016 10:37 AM, Jason White via luv-main wrote:
Tony Langdon via luv-main <luv-main@luv.asn.au> wrote:
I agree, IPv6 is here, and it's not LUV's job to make their servers work with broken IPv6 systems. It's up to those with broken systems to fix them.
Yes it is, otherwise IPv6 migration wouldn't continue.
My phone carrier and cable provider both supply IPv6 dual-stack.
I run native IPv6 on ADSL here, have been native dual stack since 2011, and had run tunnels on and off since about 2000. I'm not aware of having any mobile IPv6 capability yet.

--
73 de Tony VK3JED/VK3IRL
http://vkradio.com

On 03/02/16 14:25, Tony Langdon via luv-main wrote:
On 3/02/2016 10:37 AM, Jason White via luv-main wrote:
Tony Langdon via luv-main <luv-main@luv.asn.au> wrote:
I agree, IPv6 is here, and it's not LUV's job to make their servers work with broken IPv6 systems. It's up to those with broken systems to fix them.
Yes it is, otherwise IPv6 migration wouldn't continue.
My phone carrier and cable provider both supply IPv6 dual-stack.
I run native IPv6 on ADSL here, have been native dual stack since 2011, and had run tunnels on and off since about 2000. I'm not aware of having any mobile IPv6 capability yet.
I've had native v6 on Telstra 3G & LTE for several years now, most LTE carriers in large markets also have native v6. Sometimes dual stack, sometimes native with v4 only via translation like 464XLAT.

Julien Goodwin via luv-main <luv-main@luv.asn.au> writes:
I've had native v6 on Telstra 3G & LTE for several years now, most LTE carriers in large markets also have native v6.
How do you get this working? As per another thread I created here several weeks ago, I see Router Advertisements from Telstra which configure IPv6 over 3G/4G/LTE/whatever you call it, but then I have to manually disable it, because packets appear to go into a black hole with no response.

--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

On Tue, 2 Feb 2016 01:17:19 PM Russell Coker via luv-main wrote:
If you try to access a hobby web site at work and can't access the site then access it from home. There are lots of reasons why corporate systems can't access random web sites ranging from web filters (which sometimes misfire but no-one requests whitelisting) to a variety of misconfigurations (blocking ICMP and similar things).
http://etbe.coker.com.au/2016/02/02/compatibility-community-server/

After reading a comment on my blog post I adopted the Mozilla recommendations. Now the LUV site gets an "A" rating and hardly anyone will be excluded.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On Sun, 31 Jan 2016 04:03:53 AM Jason White via luv-main wrote:
Andrew McGlashan via luv-main <luv-main@luv.asn.au> wrote:
On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
IE version 11 supports it and runs on Windows 7+ (all supported versions of Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are the free upgrades from Windows 7 to Windows 10 going to solve this problem?
Who cares about IE and Edge? I won't use those browsers except as an absolute last resort.
You and I wouldn't use them except as a last resort, but some newcomers to Linux who want to join Luv might. Ultimately, this is not a matter of our preferences but of ensuring that people who visit the Web site via TLS can use it.
I agree, but will people who attend our meetings be using them?
Windows mobile doesn't have enough users to care about.
Again, who cares?
The said users care.
The number of iPhone users at LUV meetings seems a lot lower than the general population. People who use Windows phone are demonstrating a commitment to MS that's much greater than average, unlike iPhone the Windows phone has little going for it. Will we have a user of an old Windows phone attending our meeting and if so will they actually expect things to work on a Windows phone?
I won't do much on a mobile browser when most things can wait for a desktop browser and I can lock down a desktop browser much more and have it operate much more securely.
Your preferences aren't universal.
Given that TLS is now required by luv.asn.au, I think a backward-compatible approach is appropriate. Arbitrarily excluding users of software that one doesn't like sends the wrong kind of message.
True. But eventually they need to upgrade and other web sites are going to demand strong connections too.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Russell Coker <russell@coker.com.au> wrote:
The number of iPhone users at LUV meetings seems a lot lower than the general population. People who use Windows phone are demonstrating a committment to MS that's much greater than average, unlike iPhone the Windows phone has little going for it.
All true. It's also worth noting that iPhone users are more likely than average to keep their operating system up to date. Linux users, I suspect, are even more likely to keep their operating systems up to date, even if only for security reasons.

On 31/01/2016 4:03 AM, Jason White via luv-main wrote:
Andrew McGlashan via luv-main <luv-main@luv.asn.au> wrote:
On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
IE version 11 supports it and runs on Windows 7+ (all supported versions of Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are the free upgrades from Windows 7 to Windows 10 going to solve this problem?

Who cares about IE and Edge? I won't use those browsers except as an absolute last resort.

You and I wouldn't use them except as a last resort, but some newcomers to Linux who want to join Luv might. Ultimately, this is not a matter of our preferences but of ensuring that people who visit the Web site via TLS can use it.

Windows mobile doesn't have enough users to care about.

Again, who cares?
The said users care.
I won't do much on a mobile browser when most things can wait for a desktop browser and I can lock down a desktop browser much more and have it operate much more securely.
Your preferences aren't universal.
Given that TLS is now required by luv.asn.au, I think a backward-compatible approach is appropriate. Arbitrarily excluding users of software that one doesn't like sends the wrong kind of message.
I agree with Jason here. Bringing people toward best practices should be by education and encouragement, not by blunt instrument. The latter approach only reinforces the stereotypes of computer nerds and grumpy old grey beards, who should be given a wide berth lest they happen to look in your direction, and end up banging on about their favourite topic for hours on end.

Regards,
Morrie.

On Sun, 31 Jan 2016 12:56:20 PM Morrie Wyatt via luv-main wrote:
I agree with Jason here. Bringing people toward best practices should be by education and encouragement, not by blunt instrument.
I agree, if a prospective user's first attempt to find out about Linux results in "I wanted to learn about it, but their website doesn't work" then nobody wins.

All the best,
Chris

--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

FWIW XP using Firefox 44 works with my letsencrypt apache2 setup; didn't try IE -- the XP machine I have access to is being used with as little software installed as possible. So, XP, in itself (SP3 installed), is not a problem with a modern browser for SSL setup. A.

Andrew McGlashan via luv-main <luv-main@luv.asn.au> writes:
- Squeeze LTS
Squeeze LTS will stop being supported very soon. February 2016 according to https://wiki.debian.org/LTS

Then it will be Wheezy LTS. My understanding is that the LTS releases are used more for servers not running X than desktops, so the chances of somebody using a browser on Wheezy LTS to connect to LUV I think are low.

--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/