Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140805112910.GD29958@gremlin.ru>
Date: Tue, 5 Aug 2014 15:29:10 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Enforce use of HTTPS for MathJax in IPython

On 03-Aug-2014 12:19:49 -0400, Donald Stufft wrote:

 >> Simple question: who do you trust more - your ISP or site owner?
 >> Or should I ask whether you trush either of them?
 > This is a nonsensical point too. I have to trust the site owners
 > to some degree. To what degree broadly depends on what the site
 > itself does however at the very least they'll be able to see
 > what account I'm attempting to use.

Or unable to see that unless _you_ deside to log in.

Together with disabling cookies by default and wiping them on
a regular basis, that may be wise (depending of the sites you
visit, of course).

 > With enforced HTTPS and HSTS I don't have to trust my ISP.

You should either trust them or avoid signing the contract :-)

However, if you suspect them in something unpleasant, you may
enforce HTTPS on _your_ side, using it everywhere (with sites
that support it).

Also, self-signed certificates (or own CA) is safer for your
users than any third-party: when a server certificate changes
without previous notice, user may be absolutely sure something
went wrong.

 >> When a site allows anonymous access, that may be performed
 >> via HTTP. Authenticated (over HTTPS) users may (and normally
 >> should) work via HTTPS, but forcing all users to use HTTPS
 >> is "a VERY bad idea" // (q) Kurt Seifried, 2014-08-03
 > What is the downside to forcing HTTPS.

Is this a question?

Well, now I have a non-trivial answer to it: I've faced the error
"ssl_error_no_cypher_overlap" several times when trying to access
such HTTPS-only sites, and, instead of getting there "insecurely",
I was unable to get there at all.

Yes, I use modern OpenSSL version built without support for weak
algorithms.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.