Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 5 Aug 2014 15:29:10 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Enforce use of HTTPS for MathJax in IPython

On 03-Aug-2014 12:19:49 -0400, Donald Stufft wrote:

 >> Simple question: who do you trust more - your ISP or site owner?
 >> Or should I ask whether you trush either of them?
 > This is a nonsensical point too. I have to trust the site owners
 > to some degree. To what degree broadly depends on what the site
 > itself does however at the very least they'll be able to see
 > what account I'm attempting to use.

Or unable to see that unless _you_ deside to log in.

Together with disabling cookies by default and wiping them on
a regular basis, that may be wise (depending of the sites you
visit, of course).

 > With enforced HTTPS and HSTS I don't have to trust my ISP.

You should either trust them or avoid signing the contract :-)

However, if you suspect them in something unpleasant, you may
enforce HTTPS on _your_ side, using it everywhere (with sites
that support it).

Also, self-signed certificates (or own CA) is safer for your
users than any third-party: when a server certificate changes
without previous notice, user may be absolutely sure something
went wrong.

 >> When a site allows anonymous access, that may be performed
 >> via HTTP. Authenticated (over HTTPS) users may (and normally
 >> should) work via HTTPS, but forcing all users to use HTTPS
 >> is "a VERY bad idea" // (q) Kurt Seifried, 2014-08-03
 > What is the downside to forcing HTTPS.

Is this a question?

Well, now I have a non-trivial answer to it: I've faced the error
"ssl_error_no_cypher_overlap" several times when trying to access
such HTTPS-only sites, and, instead of getting there "insecurely",
I was unable to get there at all.

Yes, I use modern OpenSSL version built without support for weak
algorithms.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin  gremlin  ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ