  • Time to improve the site security?

    Hi,

    A quick check on SSL Labs shows that vBulletin.com is currently vulnerable to BEAST, DDoS and MITM attacks. To protect the site identity, I've run the statistics in hidden mode.
    Floren Munteanu
    Axivo Inc.
    Axivo Searchlight - Turbocharge your web site

  • #2
    Indeed the Security/Anti fraud system within Opera states that this site is insecure and not to use it to transmit sensitive information.

    • #3
      Originally posted by AdrianH:
      Indeed the Security/Anti fraud system within Opera states that this site is insecure and not to use it to transmit sensitive information.
      That just means that content is loaded from both http and https. Nothing more.
      I buy 420 forums

      • #4
        I haven't used Opera in some time, but I recall it complaining about this server's lack of the renegotiation extension and due to that, assuming the software may be "old and insecure".

        Doesn't hold much water IMO. Same goes for BEAST since apparently even PayPal is "vulnerable" to it.
        - Maurice Workin' in the Jira mine, goin' down, down, down

        • #5
          Originally posted by Maurd:
          Same goes for BEAST since apparently even PayPal is "vulnerable" to it.
          And DDoS also, LOL. I see that some of their server software is getting updated... Better late than never. Google are clean, though... on top of that they use EC.
          Floren Munteanu
          Axivo Inc.
          Axivo Searchlight - Turbocharge your web site

          • #6
            I'll bring these up at the weekly support meeting but we don't have complete control over our servers. They are managed and maintained by Internet Brand's Networking and Unix departments.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud customization and demonstration site.
            vBulletin 5 Documentation - Updated every Friday. Report issues here.
            vBulletin 5 API - Full / Mobile
            I am not currently available for vB Messenger Chats.

            • #7
              Thanks Wayne, much appreciated.
              We use the same setup present on Google secure servers. The Axivo score is a little better because we enabled support for TLS 1.1/1.2 and added a few extra ciphers.

              For those not familiar with BEAST, this is how easy it is to gain control over your PayPal account:



              The video was made by 2 security experts, in order to make the technical audience react to the dangers of insecure SSL setups on both client and server sides.
              Last edited by TECK; Sat 19th May '12, 7:48pm.
              Floren Munteanu
              Axivo Inc.
              Axivo Searchlight - Turbocharge your web site

              • #8
                We have an uncommon SSL set-up here (which is why vB has problems with it). The SSL requests don't actually terminate on the server.
                Baby, I was born this way

                • #9
                  Originally posted by TECK:
                  And DDoS also, LOL. I see that some of their servers software is getting updated... Better late than never. Google are clean, though... on top of that they use EC.
                  Yup.

                  BTW, thank you for posting this. I like little tools like those. https://www.ssllabs.com/ssltest/anal...hideResults=on
                  - Maurice Workin' in the Jira mine, goin' down, down, down

                  • #10
                    Originally posted by Maurd:
                    BTW, thank you for posting this. I like little tools like those. https://www.ssllabs.com/ssltest/anal...hideResults=on
                    I like that you filter the ciphers list. I would also disable the Strict Transport Security.
                    And switch to EC ciphers, they are faster and more secure.

                    If you run on Redhat/CentOS, use the Axivo RPMs. I have enabled the Google 64-bit optimized Ephemeral Elliptic Curve Diffie-Hellman key exchange. Axivo is the only repository offering OpenSSL compiled with Google's EC enhancements. As far as I know, only Axivo, Google and a client of mine run the optimized EC in production websites. Not even Facebook has it implemented.

                    This basically protects a https-secured session from being retroactively decrypted, according to Adam Langley, a member of the Google security team. So if a bad guy attempts to decrypt SSL sessions he has recorded, he will be unable to do so. Compared to previous RSA tests on OpenSSL 1.0.1c, the atomic elliptic curve operations are up to 4 times faster and the implementation is immune to timing attacks.

                    Another plus for the Axivo RPMs is the OpenSSL SCTP support. It is technically impossible to compile SCTP into OpenSSL with the libraries available in either the 5 or 6 distro releases. Yet, we offer it to everyone.
                    Last edited by TECK; Sat 19th May '12, 7:49pm.
                    Floren Munteanu
                    Axivo Inc.
                    Axivo Searchlight - Turbocharge your web site

                    • #11
                      Originally posted by TECK:
                      Switch to EC, faster and more secure.

                      If you run on Redhat, use the Axivo RPMs. I have enabled the Google 64-bit optimized Ephemeral Elliptic Curve Diffie-Hellman key exchange. As far as I know, only Axivo, Google and a client of mine run the optimized EC in production. Not even Facebook has it implemented.

                      Compared to previous RSA tests on OpenSSL 1.0.1c, the atomic elliptic curve operations are up to 4 times faster. The implementation is immune to timing attacks.
                      Ubuntu 10.04. I moved away from the RHEL/CentOS scene about a year ago.
                      - Maurice Workin' in the Jira mine, goin' down, down, down

                      • #12
                        You can still use EC as it is enabled in the Ubuntu packages, although it is not as fast as Google's optimized EC. I see you run Apache; use the ECDHE-RSA-RC4-SHA:RC4-SHA ciphers with SSLHonorCipherOrder on (Apache 2.3.3+).

                        The server overhead is higher with regular EC and Google optimized 64-bit EC, compared to RSA:
                        (DHE is a real disaster for performance)



                        Still, I would rather have a bit of stress on server and run everything secure.
                        With Google EC, the key exchange is 4 times faster compared to regular EC.

                        Originally posted by Maurd:
                        I moved away from the RHEL/CentOS scene about a year ago.
                        That is because you did not know about Axivo. Switch back to CentOS.
                        And for the love of God, please use Nginx.
                        Last edited by TECK; Sun 20th May '12, 9:57am.
                        Floren Munteanu
                        Axivo Inc.
                        Axivo Searchlight - Turbocharge your web site

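The cipher-list and SSLHonorCipherOrder advice in posts #10 and #12, as an added example that is not part of the thread or of any Axivo package: a small Python audit of an OpenSSL cipher string that classifies each suite by key exchange (forward secrecy) and by exposure to BEAST's CBC attack, plus the selection rule that SSLHonorCipherOrder changes. Suite names are assumed to follow OpenSSL's naming, and the client's offered list is constructed.

```python
# Added example (not from the thread): audit an OpenSSL-style cipher list as
# the posts above discuss, and show what SSLHonorCipherOrder changes.
# Suite names are assumed to follow OpenSSL naming (ECDHE-RSA-RC4-SHA etc.).

def classify(suite):
    """Return (key_exchange, beast_cbc, rc4) for one OpenSSL suite name."""
    if suite.startswith("ECDHE-"):
        kx = "ECDHE"   # ephemeral EC Diffie-Hellman: forward secrecy
    elif suite.startswith(("DHE-", "EDH-")):
        kx = "DHE"     # ephemeral finite-field DH: forward secrecy, slower
    else:
        kx = "RSA"     # static RSA key transport: a recorded session can be
                       # decrypted later if the server's private key ever leaks
    # BEAST (2011) targets CBC-mode block ciphers under TLS 1.0 / SSL 3.0;
    # stream (RC4) and AEAD (GCM, ChaCha20) suites are not affected by it.
    beast_cbc = not any(tok in suite for tok in ("RC4", "GCM", "CHACHA20"))
    rc4 = "RC4" in suite   # the 2012 workaround; prohibited since RFC 7465
    return kx, beast_cbc, rc4

def audit(cipher_string):
    """Audit a colon-separated cipher list; first entry is the server's top preference."""
    rows = []
    for suite in cipher_string.split(":"):
        kx, beast_cbc, rc4 = classify(suite)
        rows.append({"suite": suite, "kx": kx,
                     "forward_secrecy": kx != "RSA",
                     "beast_cbc": beast_cbc, "rc4": rc4})
    return rows

def negotiate(server_prefs, client_offer, honor_server_order=True):
    """Suite a server picks. honor_server_order=True mirrors Apache's
    'SSLHonorCipherOrder on': the server walks its own list and takes the
    first suite the client also offered; otherwise the client's order wins."""
    if honor_server_order:
        return next((s for s in server_prefs if s in client_offer), None)
    return next((s for s in client_offer if s in server_prefs), None)

if __name__ == "__main__":
    server = "ECDHE-RSA-RC4-SHA:RC4-SHA".split(":")         # list from post #12
    client = ["AES128-SHA", "RC4-SHA", "ECDHE-RSA-RC4-SHA"]  # constructed client order
    for row in audit(":".join(server)):
        print(row)
    print("honor order on :", negotiate(server, client, True))   # ECDHE-RSA-RC4-SHA
    print("honor order off:", negotiate(server, client, False))  # RC4-SHA
```

RC4 was the 2012 answer to BEAST, but it has since been prohibited for TLS (RFC 7465), which is why the audit flags it; a modern list would lead with ECDHE AEAD suites instead.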