On Fri, May 15, 2015, at 03:07, Ian Smith wrote:> On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:
> > Hello
> >
> > >> But I don't think disable TLS 1.0 is ok.
> > >>
> > >
> > > TLS 1.0 is dead and is even now banned in new installations
according to
> > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be
supported
> > > by *any* HTTPS site now.
> >
> > Maybe is dead but is used in many old browser / software still used.
> >
> > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 to 30 June 2016.
> > (new installations "in theory" should not be built on TLS
1.0).
> >
> > So we have 1 year and FreeBSD forum is not e-commerce site ;)
>
> People seem determined to make sure freebsd forums are one of the first
> sites to ban TLS 1.0, as some sort of best-practice example.
>
> I admit my knowledge of TLS issues is scant. I'd like to know whether
> allowing TLS 1.0 - with fallback from later levels denied, as it already
> is - endangers the server, or only the client? If there's a clearly
> stated and immediate danger to the forum server, I can accept that, but
> I'd have thought https://www and svnweb would be more at such peril?
> Will there be any notice before they're denied TLS 1.0 access also?
>
The danger is decryption. Your username/password could be stolen if
someone captures your traffic after successfully initiating a downgrade
attack.
You can't login to www.freebsd.org or svnweb. The most they can do is
see what you're browsing, which isn't private anyway.
> If it's just for making the sort of point that Mark is advocating, to
> force people to join this 'rolling automatic update' model so
beloved of
> Microsoft and their captive hardware vendors, then I think doing that,
> without any sort of prior notice, is rather less than I've come to
> expect from the FreeBSD project over 17 years.
>
> But I'm a grandpa too; guess I have old-fashioned expectations :)
>
Microsoft has nothing to do with this. They're setting a good example.
OSX is sort-of on that train too. FreeBSD has always been ahead of the
curve with the ports tree being a rolling-release model. We need the
Linux distros to get their heads on straight now, too.
Just a reminder: I don't speak for the project in these matters. I'm
just telling you what best current practices are. I have no idea who
made that decision for the forums, or if it's even worth having the
forums on https anyway. If it was up to me I probably wouldn't even put
https on the forums even though Google will penalize it in search
results. (Sure, you have a user account there... but it doesn't really
do anything... you're not using the same credentials everywhere are
you?)
Actually, that might be the reason -- Google search results. Perhaps
Google is also logging what protocols/ciphers your HTTPS has and is
using that in search rankings.