I have recently implemented several new security features for the openSUSE forums, wikis, and blogs hosted in Provo:
- TLS 1.2 is supported. On the client side, this version of TLS is supported by the latest version of IE and some mobile devices. For clients that do not support TLS 1.2, the server still prefers RC4 cipher suites as a mitigation to the BEAST exploit.
- HTTP Strict Transport Security (HSTS) is set for 5 minutes on secure sessions. For supported clients, this prevents click-through of SSL warnings and downgrade of secure sessions.
- Authenticated users will have the "secure" flag set on their session cookie and will be automatically redirected to the encrypted version of the site. This prevents session sidejacking, popularized a few years ago by Firesheep.
The biggest issues that people may see are "insecure content warnings" on some pages that embed non-secure resources. We are trying to identify and fix those issues where possible. If you notice any other significant problems, please reply to this thread or send a message to admin(a)opensuse.org.
Thank you,
Matt
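The three properties announced above (HSTS on TLS responses, the Secure flag on the session cookie, and a redirect from plain HTTP to HTTPS) can be checked from the server's raw responses. The following audit script is an added example, not part of the original post or of the openSUSE infrastructure; the responses it inspects are constructed inline so it runs offline, the cookie name `session_id` and the host `forums.example.org` are assumptions, and the 300-second max-age matches the 5-minute HSTS setting mentioned in the post.

```python
"""Audit HTTP responses for HSTS, Secure session cookies and HTTPS redirects.

Added example (not the original post's or openSUSE's code).  Responses are
constructed inline; in practice capture them with `curl -si http://host/`
and `curl -si https://host/` and feed the raw text to audit().
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HSTS_EXPECTED_MAX_AGE = 300  # the post's 5-minute HSTS lifetime, in seconds


@dataclass
class Finding:
    hsts_max_age: Optional[int] = None
    session_cookie_secure: Optional[bool] = None
    redirects_to_https: Optional[bool] = None
    problems: List[str] = field(default_factory=list)


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status, [(lower_name, value), ...]).
    Headers are kept as a list, not a dict, because Set-Cookie may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(raw: str, session_cookie: str, over_tls: bool) -> Finding:
    """Check one response.  over_tls says which scheme the request used,
    since HSTS only counts on TLS and the redirect only matters on plain HTTP."""
    status, headers = parse_response(raw)
    f = Finding()

    def get(name: str) -> List[str]:
        return [v for n, v in headers if n == name]

    # 1. HSTS.  RFC 6797 tells browsers to ignore the header over plain HTTP,
    #    so it is only evidence of anything when seen on a TLS response.
    hsts = get("strict-transport-security")
    if over_tls:
        if not hsts:
            f.problems.append("no Strict-Transport-Security header on TLS response")
        else:
            m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.IGNORECASE)
            if m:
                f.hsts_max_age = int(m.group(1))
                if f.hsts_max_age < HSTS_EXPECTED_MAX_AGE:
                    f.problems.append("HSTS max-age shorter than expected")
            else:
                f.problems.append("Strict-Transport-Security header lacks max-age")
    elif hsts:
        f.problems.append("HSTS header sent over plain HTTP; browsers ignore it")

    # 2. Secure flag on the session cookie (the Firesheep / sidejacking fix).
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        if name != session_cookie:
            continue
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        f.session_cookie_secure = "secure" in attrs
        if not f.session_cookie_secure:
            f.problems.append(f"session cookie {session_cookie} lacks the Secure flag")

    # 3. Plain-HTTP requests must be redirected to an https:// URL.
    if not over_tls:
        location = get("location")
        f.redirects_to_https = (
            status in (301, 302, 303, 307, 308)
            and bool(location)
            and location[0].lower().startswith("https://")
        )
        if not f.redirects_to_https:
            f.problems.append("plain-HTTP response does not redirect to https://")
    return f


# Constructed sample responses (not captured from any real host).
PLAIN_HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://forums.example.org/\r\n"
    "Content-Length: 0\r\n\r\n"
)
TLS_GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
TLS_BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session_id=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw, tls in (("http", PLAIN_HTTP_RESPONSE, False),
                            ("https-good", TLS_GOOD_RESPONSE, True),
                            ("https-bad", TLS_BAD_RESPONSE, True)):
        print(label, audit(raw, "session_id", over_tls=tls))
```

Feeding it a real capture from `curl -si` works unchanged because the parser only needs the status line and headers; the body after the blank line is ignored. The "mixed content" warnings mentioned above are not covered by this check, since they depend on resources embedded in the page body rather than on response headers.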