On Mon, May 18, 2015, at 02:05, Ian Smith wrote:
> 
>  > The danger is decryption. Your username/password could be stolen if
>  > someone captures your traffic after successfully initiating a downgrade
>  > attack.
> 
> So the danger is only to myself, from some MITM, and not to the server?  
> And despite the forum cert setup shown at 
> https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org :
> 
> Downgrade attack prevention      Yes, TLS_FALLBACK_SCSV supported (more
> info)
> 
> which refers to RFC 7507, https://datatracker.ietf.org/doc/rfc7507/ 
> which I've read, are we not trusting that mechanism to prevent some 
> successful initiation of a downgrade attack - which I rather imprecisely 
> called "with fallback from later levels denied" above?
> 

This is irrelevant to this conversation. With TLS_FALLBACK_SCSV, those
with strong crypto keep strong crypto. Those with weak crypto are
_still_ vulnerable to their traffic being decrypted. This new mechanism
does not magically make their weak crypto more secure.

> 
>  > Microsoft has nothing to do with this. They're setting a good example.
> 
> Alright, the leopard has changed its spots; wonders will never cease.
> 

Troll detected.

If by now in your adult life you haven't recognized that you need to use
the right tool for the right job -- whether that be Windows, OSX, Linux,
FreeBSD, OpenBSD, NetBSD, DragonflyBSD, SmartOS, Illumos, Solaris, etc
etc etc -- I can't help you.

It might surprise you that some FreeBSD developers use Windows as their
daily OS. Many use OSX.

> 
> Other forums I use allow http connections, read only, only requiring 
> switching to https for login and thus posting, which is fair enough,
> and I have almost always only read a few forum posts, but see below ..
> 

I agree that would be reasonable, but I am not involved in the forum
administration -- or cluster, for that matter.

> 
>  > Actually, that might be the reason -- Google search results. Perhaps
>  > Google is also logging what protocols/ciphers your HTTPS has and is
>  > using that in search rankings.
> 
> You're seriously suggesting that the FreeBSD project should set security 
> policies to favour higher rankings from an advertising company?
> 

If people can't search Google and find results on the first page they're
going to be very, very discouraged from even trying it out.

I don't think I can provide any further information about what's going
on here, but I hope that I've answered some questions about why this
isn't such a terrible idea. Feel free to file a bug report if you would
like this followed up by those who have control over these decisions.

https://bugs.freebsd.org/bugzilla/enter_bug.cgi?product=Services
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
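The point made above about TLS_FALLBACK_SCSV (RFC 7507) can be made concrete with a small simulation. The following is an added example, not code from the thread, the FreeBSD project, or any TLS library: it models the client's version-retry loop, an active attacker who drops handshakes above a chosen version, and the server-side rule from RFC 7507 section 3 (abort with inappropriate_fallback if the SCSV is present and the offered version is below the server's highest). The cipher suite values other than 0x5600 and the `negotiate`/`client_hello`/`server_hello` helpers are constructed for illustration; no real TLS traffic is produced.

```python
# Added example (not from the list thread): simulation of the RFC 7507
# TLS_FALLBACK_SCSV rule, showing why it protects only clients that actually
# support a newer version. Handshakes are modelled as plain integers.

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value from RFC 7507
TLS_1_0, TLS_1_1, TLS_1_2 = 0x0301, 0x0302, 0x0303
REAL_SUITES = [0xC02F, 0x002F]        # constructed sample of ordinary suites


class InappropriateFallback(Exception):
    """Stands in for the inappropriate_fallback(86) alert of RFC 7507."""


def client_hello(client_max, attempt):
    """Build a (version, cipher_suites) ClientHello.

    Per RFC 7507 a client appends TLS_FALLBACK_SCSV when this hello is a
    retry at a *lower* version than the client actually supports.
    """
    suites = list(REAL_SUITES)
    if attempt < client_max:
        suites.append(TLS_FALLBACK_SCSV)
    return attempt, suites


def server_hello(client_version, suites, server_max=TLS_1_2, honours_scsv=True):
    """Choose the protocol version, applying the RFC 7507 server check.

    If the SCSV is present and the client's offered version is below the
    highest version the server supports, the server MUST abort.
    A server that does not implement RFC 7507 (honours_scsv=False) simply
    ignores the unknown suite value and proceeds.
    """
    if honours_scsv and TLS_FALLBACK_SCSV in suites and client_version < server_max:
        raise InappropriateFallback(f"fallback to {client_version:#06x} rejected")
    return min(client_version, server_max)


def negotiate(client_max, attacker_blocks_above=None, server_max=TLS_1_2,
              honours_scsv=True):
    """Simulate the client's retry loop against a server, optionally with an
    active attacker who drops every handshake offering a version above
    `attacker_blocks_above` (the classic fallback-inducing MITM).

    Returns the negotiated version, or None if the handshake was aborted.
    """
    attempt = client_max
    while attempt >= TLS_1_0:
        if attacker_blocks_above is not None and attempt > attacker_blocks_above:
            attempt -= 1              # connection "fails"; client retries lower
            continue
        version, suites = client_hello(client_max, attempt)
        try:
            return server_hello(version, suites, server_max, honours_scsv)
        except InappropriateFallback:
            return None
    return None


if __name__ == "__main__":
    cases = {
        "modern client, no attacker":                 negotiate(TLS_1_2),
        "modern client, MITM forces 1.0, SCSV server": negotiate(TLS_1_2, TLS_1_0),
        "modern client, MITM forces 1.0, old server":  negotiate(TLS_1_2, TLS_1_0, honours_scsv=False),
        "TLS 1.0-only client, MITM present":           negotiate(TLS_1_0, TLS_1_0),
    }
    for name, result in cases.items():
        print(f"{name}: {'aborted' if result is None else f'{result:#06x}'}")
```

The second and fourth cases are the ones the thread is about: a client that supports TLS 1.2 and is forced down to 1.0 is refused by an RFC 7507 server, but a client whose best is TLS 1.0 never sends the SCSV, negotiates 1.0 cleanly, and is exactly as exposed as before. The third case shows that the protection also depends on the server honouring the SCSV, which is what the SSL Labs line "TLS_FALLBACK_SCSV supported" reports.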