Mailinglist Archive: opensuse (1355 mails)

[opensuse] Re: opensuse sites *appear* not to be following recommended TLS settings.
Andrew Colvin wrote:
TLS1.0 and 1.1 are deprecated
---
1) Where do you see that TLS1.1 is deprecated? I see
that for TLS1.0 but not 1.1. Nevertheless, TLS1.2 is available.

and most websites have them turned off for
security reasons the same as SSL version. The old browser may also not be able to negotiate with the SHA2 certs as SHA1 is also past its life and most browsers and sites no longer support so if your browser cannot handle SHA2 then you will not connect. Additionally you may have old cipher support only and many of these are disabled on the servers for the health of the server.
---
Those are all fine and good if they were true. But no other sites that I have found have problems with my security
ciphers or hashes. Of *KEY* importance here is that one of the
main reasons for moving sites to "https", was the insistence of
Google for "https everywhere". One would think that one or many
of their sites would fail in the same way if my browser didn't support
new enough algorithms. The fact that they don't -- and it is Google
that is pushing for this security, AND the fact that other sites
like my bank, credit-card, private-health and commerce sites don't
have a problem with my browser. If they thought it was a security
risk, wouldn't they be among the first to implement changes?

This is why I am leaning toward believing that it is something
specifically wrong with how suse & opensuse have upgraded their website security.

All things to check out

More to the point -- if I did try to fix something specifically
to make suse work, there is the distinct possibility that I might
break other websites -- whereas now suse is the only one with a problem. In debugging problems, you look at "what changed" and
if the problem can be reproduced elsewhere. We know that several of
the [open]suse.[org|com] websites had https-security changes and
that it has affected other people than just me.

Also, I'm unable to reproduce it with the same browser on
other sites. That would point to the problem being with the
recent https changes made by suse/opensuse admins.


