Time to improve the site security?
  • TECK
    replied
    You can still use EC as it is enabled in the Ubuntu packages, although it is not as fast as Google's optimized EC. I see you run Apache; use the ECDHE-RSA-RC4-SHA:RC4-SHA ciphers with SSLHonorCipherOrder on (Apache 2.3.3+).

    The server overhead is higher with regular EC and Google optimized 64bits EC, compared to RSA:
    (DHE is a real disaster for performance)

    Still, I would rather have a bit of stress on the server and run everything secure.
    With Google EC, the key exchange is 4 times faster compared to regular EC.

    Originally posted by Maurd:
    I moved away from the RHEL/CentOS scene about a year ago.
    That is because you did not know about Axivo. Switch back to CentOS.
    And for the love of God, please use Nginx.
    Last edited by TECK; Sun 20th May '12, 10:57am.

  • Maurd
    replied
    Originally posted by TECK:
    Switch to EC, faster and more secure.

    If you run on Redhat, use the Axivo RPMs. I have enabled the Google 64bits optimized Ephemeral Elliptic Curve Diffie-Hellman key exchange. As far as I know, only Axivo, Google and a client of mine run the optimized EC in production. Not even Facebook has it implemented.

    Compared to previous RSA tests on OpenSSL 1.0.1c, the atomic elliptic curve operations are up to 4 times faster. The implementation is immune to timing attacks.
    Ubuntu 10.04. I moved away from the RHEL/CentOS scene about a year ago.

  • TECK
    replied
    Originally posted by Maurd:
    BTW, thank you for posting this. I like little tools like those. https://www.ssllabs.com/ssltest/anal...hideResults=on
    I like that you filter the cipher list. I would also disable Strict Transport Security.
    And switch to EC ciphers; they are faster and more secure.

    If you run on Redhat/CentOS, use the Axivo RPMs. I have enabled the Google 64bits optimized Ephemeral Elliptic Curve Diffie-Hellman key exchange. Axivo is the only repository offering OpenSSL compiled with Google's EC enhancements. As far as I know, only Axivo, Google and a client of mine run the optimized EC on production websites. Not even Facebook has it implemented.

    This basically protects an https-secured session from being retroactively decrypted, according to Adam Langley, a member of the Google security team. So if a bad guy attempts to decrypt SSL sessions he has recorded, he will be unable to do so. Compared to previous RSA tests on OpenSSL 1.0.1c, the atomic elliptic curve operations are up to 4 times faster and the implementation is immune to timing attacks.

    Another plus for the Axivo RPMs is the OpenSSL SCTP support. It is technically impossible to compile SCTP into OpenSSL with the libraries available in either the 5 or 6 distro releases. Yet, we offer it to everyone.
    Last edited by TECK; Sat 19th May '12, 8:49pm.
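An added example, not code from this thread, from vBulletin or from Axivo, that illustrates two points raised in the thread: what SSLHonorCipherOrder changes about negotiation (the Apache cipher string TECK suggests in the reply above), and why the ephemeral (ECDHE/DHE) key exchange described in this post is the part that gives forward secrecy while plain RSA key transport does not. It classifies OpenSSL-style suite names by key exchange and flags legacy primitives, then simulates which suite a handshake settles on under server-preferred versus client-preferred ordering. The server and client cipher strings are constructed samples; the `locally_supported` helper only asks the local OpenSSL build which of the listed suites it can enable, so its result depends on the machine it runs on.

```python
"""Audit an OpenSSL-style cipher string for forward secrecy and legacy
primitives, and show how server-side cipher ordering changes the outcome.

Added example for the thread above; not the forum's or any project's code.
"""
import ssl

# Constructed samples. SERVER_CIPHERS is modelled on the Apache-style string
# suggested in the thread; CLIENT_CIPHERS is an invented client preference list.
SERVER_CIPHERS = "ECDHE-RSA-RC4-SHA:RC4-SHA:DHE-RSA-AES128-SHA:AES256-SHA"
CLIENT_CIPHERS = "AES256-SHA:RC4-SHA:ECDHE-RSA-RC4-SHA"

# Substrings that mark a primitive a defender would want to retire.
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def parse_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into suite names, dropping '!' exclusions."""
    names = [p.strip() for p in cipher_string.replace(",", ":").split(":")]
    return [n for n in names if n and not n.startswith("!")]


def classify_suite(name):
    """Describe one suite: key exchange, forward secrecy and legacy primitives.

    Only the ephemeral exchanges (ECDHE, DHE) derive a fresh secret per
    session, so a recorded session cannot be decrypted later by obtaining the
    server's long-term key; RSA key transport and static ECDH can be.
    """
    upper = name.upper()
    if upper.startswith(("ADH-", "AECDH-")):
        kx = "anon"   # unauthenticated exchange: no server identity at all
    elif upper.startswith("ECDHE-"):
        kx = "ECDHE"
    elif upper.startswith(("DHE-", "EDH-")):
        kx = "DHE"
    elif upper.startswith("ECDH-"):
        kx = "ECDH"   # static ECDH: server key reused, so no forward secrecy
    else:
        kx = "RSA"    # pre-master secret encrypted to the server's RSA key
    legacy = [m for m in LEGACY_MARKERS if m in upper]
    return {"name": name, "kx": kx,
            "forward_secret": kx in ("ECDHE", "DHE"), "legacy": legacy}


def audit(cipher_string):
    """Classify every suite in a cipher string, keeping preference order."""
    return [classify_suite(n) for n in parse_cipher_string(cipher_string)]


def negotiate(server_string, client_string, honor_server_order):
    """Pick the suite a handshake settles on, given both preference lists.

    With honor_server_order=True (Apache's SSLHonorCipherOrder on) the first
    server suite the client also offers wins; otherwise the first client suite
    the server accepts wins. Returns None when the lists do not overlap.
    """
    server = parse_cipher_string(server_string)
    client = parse_cipher_string(client_string)
    preferred, other = (server, client) if honor_server_order else (client, server)
    other_set = set(other)
    for suite in preferred:
        if suite in other_set:
            return suite
    return None


def locally_supported(cipher_string):
    """Return the suites from cipher_string that the local OpenSSL can enable.

    An empty list means none of them are available in this OpenSSL build
    (modern builds drop RC4 entirely, for instance).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for entry in audit(SERVER_CIPHERS):
        print(entry)
    print("server order honored:", negotiate(SERVER_CIPHERS, CLIENT_CIPHERS, True))
    print("client order honored:", negotiate(SERVER_CIPHERS, CLIENT_CIPHERS, False))
    print("enabled in local OpenSSL:", locally_supported(SERVER_CIPHERS))
```

With the constructed lists, honoring the server order lands on the ECDHE suite the server put first, while letting the client decide lands on plain RSA AES256-SHA, which has no forward secrecy; that is the whole reason the thread pairs the cipher list with SSLHonorCipherOrder.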

  • Maurd
    replied
    Originally posted by TECK:
    And DDoS also, LOL. I see that some of their server software is getting updated... Better late than never. Google are clean, though... on top of that they use EC.
    Yup.

    BTW, thank you for posting this. I like little tools like those. https://www.ssllabs.com/ssltest/anal...hideResults=on

  • Paul M
    replied
    We have an uncommon SSL set-up here (which is why vB has problems with it). The SSL requests don't actually terminate on the server.

  • TECK
    replied
    Thanks Wayne, much appreciated.
    We use the same setup present on Google secure servers. The Axivo score is a little better because we enabled support for TLS 1.1/1.2 and added a few extra ciphers.

    For those not familiar with BEAST, this is how easy it is to gain control over your Paypal account:

    [embedded video]

    The video was made by 2 security experts, in order to make the technical audience react to the dangers of insecure SSL setups on both the client and server side.
    Last edited by TECK; Sat 19th May '12, 8:48pm.

  • Wayne Luke
    replied
    I'll bring these up at the weekly support meeting, but we don't have complete control over our servers. They are managed and maintained by Internet Brands' Networking and Unix departments.

  • TECK
    replied
    Originally posted by Maurd:
    Same goes for BEAST since apparently even PayPal is "vulnerable" to it.
    And DDoS also, LOL. I see that some of their server software is getting updated... Better late than never. Google are clean, though... on top of that they use EC.

  • Maurd
    replied
    I haven't used Opera in some time, but I recall it complaining about this server's lack of the renegotiation extension and due to that, assuming the software may be "old and insecure".

    Doesn't hold much water IMO. Same goes for BEAST since apparently even PayPal is "vulnerable" to it.

  • Alfa1
    replied
    Originally posted by AdrianH:
    Indeed the Security/Anti fraud system within Opera states that this site is insecure and not to use it to transmit sensitive information.
    That just means that content is loaded from both http and https. Nothing more.

  • AdrianH
    replied
    Indeed the Security/Anti fraud system within Opera states that this site is insecure and not to use it to transmit sensitive information.

  • TECK
    started a topic: Time to improve the site security?

    Hi,

    A quick check on SSL Labs shows that vBulletin.com is currently vulnerable to Beast, DDoS and MITM attacks. To protect the site identity, I've run the statistics in hidden mode.