On Saturday 21 March 2015 17:04:03 Bob Proulx wrote:
> Gene Heskett wrote:
> > Call me confused.  And I do run my own web page from this machine. 
> > URL in sig.
> > Genes Web page <http://geneslinuxbox.net:6309/gene>
>
> That is a non-https page.  Do you operate any https pages requiring
> security?  I didn't find any.  If you aren't using https then the
> discussion here about the POODLE attack against https isn't relevant.
>
> > First, there is no ~./etc/apache2/mods-available/ssl.conf, but there
> > is a /etc/apache2/mods-available/ssl.conf
>
> Right.
>
> > With relatively sparse bits of uncommenting that would appear to be
> > related here:
> >
> > SSLCipherSuite AES128+EECDH:AES128+EDH
> > SSLHonorCipherOrder on
> > SSLProtocol all -SSLv2 -SSLv3
> > Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
> > Header always set X-Frame-Options DENY
>
> If you were operating an ssl site then the above would match the
> current recommendations from:

I have been considering switching to https.

>   https://cipherli.st/
>
> But as far as I can see you are not running https.  Therefore
> modifying those files is simply creating more work for yourself. :-(
>
> I will note that it is a fast changing environment.  I hate to quote
> static lists like that since tomorrow they may be different.

Might even be different by the time we had dinner. :)

> Instead 
> I like to point to centralized information resources like the
> ssllabs.com and cipherli.st sites to coordinate the current wisdom.

Best practice I believe.  Better chance of everybody being on the same 
page that way.

> > Documentation on this stuff and its interactions is sparse at best
> > despite the fact that I have installed what s/b the correct man
> > pages.
>
> For web servers most of the documentation is on the web.  It is just
> the nature of things.
>
> > Some of the above has been edited pursuant to anti-POODLE
> > instructions found by Google.
> >
> > So, am I safe, or low hanging fruit with those settings?
>
> As far as I can see you are safe since you are not operating a web
> site that uses encryption to secure any pages.  Therefore none of this
> discussion applies to you as a web admin.
>
> The question here is whether a POODLE attack can allow a man in the
> middle attacker to see the plaintext of an SSL connection.  To
> consider the danger lets say a web site requires a login, uses cookies
> to maintain a session, and https to keep others from sniffing your
> login credentials.  A successful attack could give someone else your
> cookie data which they could use to log into that site as you.

No login will ever exist, according to Gene, as I find the saving of 
usernames and passwords on a per-site basis a quite major pain in the 
ass.  People who are interested in what I have to offer (a lot of horn 
blowing by an old fart to be sure) should not be subjected to that 
insanity.

> But you are talking about your own site that you are maintaining.  If
> you are not using SSL then this simply does not apply to you.  If you
> are using SSL then it depends upon what, where, why, and so forth.
> Someone using it just to add noise to the encrypted data traffic would
> always be safe too since it wouldn't be worse than not encrypting it.
>
> The POODLE attack doesn't allow someone to directly break into your
> web server.  The attack is about listening to encrypted traffic.
> Information gained by sniffing may allow further attacks however.

And they can do that with much less effort if I don't use it.  One of the 
reasons my web page is a bit incomplete in re my hobbies.  So I am much 
more concerned with keeping visitors in a user permissions jail so they 
cannot tour the rest of this machine. Help in that regard would be most 
appreciated.

> If someone were using something like SquirrelMail or Roundcube or
> Mailpile for a webmail interface for example then they should be
> directly concerned over this type of attack.  Someone targeting them
> might be able to log into the web as them and send email as them.  And
> the same for most other web login interfaces.  (Many people are in
> terror over the idea of someone logging into Facebook as them.
> Research Firesheep.)

I heard about that; it's just one of the reasons I do not inhabit any 
sites of that ilk.  Like most, I value my privacy.  We all should rebel at 
such intrusions in exactly the same way I treated the pols, who of 
course excluded themselves from the National Do Not Call Act.

My phone # got unlisted after some penny ante pol called wanting my vote 
(in a different state mind you) at 3AM.  Had he been standing at the 
foot of my bed, he would have left zipped up in a bag.

What our ballots need is a none of the above box, and if none wins, they 
start all over with the current list of candidates disqualified from 
running again in this election cycle.

OTOH, I vent enough on the mailing lists that I expect my name is well 
recorded in Utah.  Tsk Tsk. Time (as in 80 years) has already done much 
of what they can do to me.

Thanks Bob.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
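Added example, not from Bob's or Gene's mails: a POSIX shell audit of the ssl.conf settings quoted above (an SSLProtocol line that excludes SSLv3, SSLHonorCipherOrder, and a well-formed Strict-Transport-Security header), run against two constructed sample files. The audit_ssl_conf and write_*_conf functions are this example's own, not Debian or Apache tooling.

```shell
# Added example (not from the thread): audit an Apache ssl.conf for the
# POODLE-related settings quoted above. audit_ssl_conf prints one line per
# finding and returns the number of findings (0 = nothing flagged).
audit_ssl_conf() {
    f=$1; n=0
    # Last active (uncommented) SSLProtocol line wins, as it does in Apache.
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$f" | tail -n 1)
    case "$proto" in
        "")      echo "FAIL: no SSLProtocol directive; set one that excludes SSLv3"; n=$((n+1)) ;;
        *-all*)  case "$proto" in *+SSLv3*) echo "FAIL: SSLv3 re-enabled: $proto"; n=$((n+1)) ;; esac ;;
        *all*)   case "$proto" in *-SSLv3*) ;; *) echo "FAIL: SSLv3 still on: $proto"; n=$((n+1)) ;; esac ;;
        *SSLv3*) echo "FAIL: SSLv3 listed explicitly: $proto"; n=$((n+1)) ;;
    esac
    grep -qiE '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$f" \
        || { echo "WARN: SSLHonorCipherOrder is not on (client chooses the cipher)"; n=$((n+1)); }
    hsts=$(grep -iE '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' "$f" | tail -n 1)
    if [ -z "$hsts" ]; then
        echo "WARN: no Strict-Transport-Security header"; n=$((n+1))
    else
        # Valid form is 'Header [always|onsuccess] set|add|append|merge ...';
        # a typo like 'Header alway set' is a syntax error and Apache will not start.
        printf '%s\n' "$hsts" | grep -qE '^[[:space:]]*Header[[:space:]]+((always|onsuccess)[[:space:]]+)?(set|add|append|merge)[[:space:]]' \
            || { echo "FAIL: malformed Header directive: $hsts"; n=$((n+1)); }
        printf '%s\n' "$hsts" | grep -qiE 'max-age=[0-9]+' \
            || { echo "FAIL: HSTS value lacks max-age: $hsts"; n=$((n+1)); }
        # 'include SubDomains' (with a space) is not the includeSubDomains token.
        printf '%s\n' "$hsts" | grep -qi 'includeSubDomains' \
            || { echo "WARN: includeSubDomains missing or split: $hsts"; n=$((n+1)); }
    fi
    return $n
}
# Constructed samples: a clean config, and a weak variant (SSLv3 left on, cipher order unset, a misspelled Header action, a line-wrapped HSTS token).
write_good_conf() { cat > "$1" <<'EOF'
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY
EOF
}
write_bad_conf() { cat > "$1" <<'EOF'
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLProtocol all -SSLv2
Header alway set Strict-Transport-Security "max-age=63072000; include SubDomains"
EOF
}
# Stand-alone use: sh audit.sh /etc/apache2/mods-available/ssl.conf
if [ $# -ge 1 ]; then audit_ssl_conf "$1"; fi
```

The audit only reads the directives as text; it does not replace `apachectl configtest` or an external scan such as ssllabs.com, which see the running server's actual negotiation.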


Archive: https://lists.debian.org/201503211847.51548.ghesk...@wdtv.com