Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 15 Aug 2013 01:11:47 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>
Subject: Re: rubygems insecure download (and other problems)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 14 Aug 2013 14:59:12 -0600
Kurt Seifried <kseifried@...hat.com> wrote:

> Problem #2:
> it redirects to  production.cf.rubygems.org which is on cloudfront so
> has certificate mismatch, so either users have to accept insecurity,
> or... well there is no second choice =(.
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org

It only does that if you use http://. If you use https://rubygems.org,
it goes through S3 directly
(https://s3.amazonaws.com/production.s3.rubygems.org/)

See this code:
https://github.com/rubygems/rubygems-aws/blob/master/chef/site-cookbooks/rubygems/templates/default/nginx_balancer.conf.erb

I do wish they would fix their cipher suite choices, though. :/

~reed
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlIMjUMACgkQa6IiJvPDPVr9pACfcbDy0A0NtHZbXfLgkzahGPsU
+tMAn0g7YtbhyA7e7sGuFNudJNkKlae5
=J+1x
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.