war59312:

Hi,

Please Improve Security Of hub.turnkeylinux.org

See security report @ https://www.ssllabs.com/ssltest/analyze.html?d=hub.turnkeylinux.org

Ouch, A "C".

SSL 3, are you serious!! Ugh!

Please enable TLS 1.2 only.

Drop the weak RC4 keys.

Enable Robust Forward Secrecy.

And please enable Strict Transport Security (HSTS).

Thanks,

Will
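To make the four requests above concrete, here is a server block showing the weak settings beside the hardened ones. This is an added example for this thread, not the Hub's real configuration and not TurnKey's code; it assumes the site is fronted by nginx (an assumption, the thread does not say what the Hub runs) and uses placeholder hostnames and certificate paths.

```nginx
# ADDED EXAMPLE, not the Hub's actual config. Assumes nginx; names and paths are placeholders.

# --- Before: the sort of block that earns a "C" on SSL Labs ---
server {
    listen 443 ssl;
    server_name hub.example.org;            # placeholder, not the real Hub block

    ssl_certificate     /etc/ssl/hub.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/hub.key;   # placeholder path

    # SSLv3 still offered, RC4 still accepted, client picks the suite, no HSTS.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:RC4:!aNULL;
}

# --- After: TLS 1.2 only, no RC4, forward secrecy on every suite, HSTS ---
server {
    listen 443 ssl;
    server_name hub.example.org;

    ssl_certificate     /etc/ssl/hub.crt;
    ssl_certificate_key /etc/ssl/hub.key;

    # 1. TLS 1.2 only, as requested. This also drops TLS 1.0/1.1, which locks
    #    out very old clients; add them back only if you have to support them.
    ssl_protocols TLSv1.2;

    # 2./3. ECDHE and DHE suites only, so each session key is ephemeral.
    #    RC4, 3DES, export, anonymous and MD5 suites are excluded explicitly,
    #    and the server rather than the client chooses the suite.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5';
    ssl_prefer_server_ciphers on;

    # DHE suites need a strong group of your own; generate it once with:
    #   openssl dhparam -out /etc/ssl/dhparam.pem 2048
    ssl_dhparam /etc/ssl/dhparam.pem;       # placeholder path

    # Session resumption: with tickets off, a leaked ticket key cannot be used
    # to decrypt past sessions, which would otherwise undo forward secrecy.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # 4. HSTS: after the first HTTPS visit the browser refuses plain HTTP for this
    #    host for max-age seconds. "always" sends it on error responses too
    #    (needs nginx 1.7.5 or later). Start with a short max-age while testing.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

# Plain-HTTP listener that only redirects, so a first visit reaches the HSTS header.
server {
    listen 80;
    server_name hub.example.org;
    return 301 https://$host$request_uri;
}
```

After reloading, the old handshake paths should now fail: `openssl s_client -connect hub.example.org:443 -ssl3` (only possible if your local OpenSSL was built with SSLv3) and `openssl s_client -connect hub.example.org:443 -cipher RC4` should both end in a handshake failure, `-tls1_2` should succeed and report an ECDHE or DHE suite, and `curl -sI https://hub.example.org/` should show the Strict-Transport-Security header. One caveat on HSTS: once browsers have cached a long max-age you cannot go back to serving HTTP for that host until it expires, so confirm the TLS side is right before raising it.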

Jeremy Davis:

I acknowledge that we need to update things to conform to "best practice". But to be clear, this does not make the site vulnerable. It makes the site POTENTIALLY vulnerable, but NOT immediately or necessarily vulnerable... For an attacker to get any traction with this potential vulnerability requires a very specific scenario:
  • A new SSLv3 vulnerability must be discovered
  • A user must be using an old web browser (most current web browsers do not allow SSLv3 anymore anyway)
  • The attacker must be targeting the user at the time that they access the Hub
To reiterate; I am not suggesting that the current situation is ideal and we do intend to update it. But the system is not immediately vulnerable. So long as users use an up to date browser then the risk of anything bad happening is incredibly low...

Also be aware that the Hub does not handle money or credit card details; obviously it's still not ideal, but it's not like your credit card could be stolen...
