[opensuse-web] SSL Features for Forums, Wikis, and Blogs
I have recently implemented several new security features for the openSUSE forums, wikis, and blogs hosted in Provo:

- TLS 1.2 is supported. On the client side, this version of TLS is supported by the latest version of IE and some mobile devices. For clients that do not support TLS 1.2, the server still prefers RC4 cipher suites as a mitigation to the BEAST exploit.
- HTTP Strict Transport Security (HSTS) is set for 5 minutes on secure sessions. For supported clients, this prevents click through of SSL warnings and downgrade of secure sessions.
- Authenticated users will have the "secure" flag set on their session cookie and will be automatically redirected to the encrypted version of the site. This prevents session sidejacking, popularized a few years ago by Firesheep.

The biggest issues that people may see are "insecure content warnings" on some pages that embed non-secure resources. We are trying to identify and fix those issues where possible. If you notice any other significant problems, please reply to this thread or send a message to admin@opensuse.org.

Thank you,
Matt
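The two checks the announcement describes for a response from the secured sites, an HSTS header with a max-age and a session cookie carrying the Secure flag, can be verified from the outside by looking at response headers. The following audit helper is an added example, not code from the openSUSE infrastructure or from Matt's configuration; the header values it inspects are constructed to resemble what the announcement describes (max-age=300, a Secure session cookie), and the 30-day minimum it flags is an assumed threshold chosen for the example.

```python
"""Audit HTTPS response headers for HSTS and Secure-flagged cookies.

Added example: the header lists below are constructed, not captured from
any openSUSE host, and the 30-day HSTS minimum is an assumed policy value.
"""
from typing import Dict, List, Tuple

# Headers as (name, value) pairs; Set-Cookie may legitimately repeat.
HeaderList = List[Tuple[str, str]]


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive and max-age may be quoted
    (RFC 6797); a missing or non-numeric max-age is reported as None.
    """
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def cookie_is_secure(set_cookie: str) -> bool:
    """True when the Set-Cookie value carries the Secure attribute."""
    attributes = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attributes


def audit_response(headers: HeaderList, min_hsts_age: int = 30 * 86400) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings: List[str] = []
    hsts_values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts_values:
        findings.append("missing Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts_values[0])
        if parsed["max_age"] is None:
            findings.append("HSTS header has no valid max-age directive")
        elif parsed["max_age"] < min_hsts_age:
            findings.append(f"HSTS max-age {parsed['max_age']}s is below {min_hsts_age}s")
    for k, v in headers:
        if k.lower() == "set-cookie" and not cookie_is_secure(v):
            cookie_name = v.split("=", 1)[0]
            findings.append(f"cookie {cookie_name!r} set without Secure flag")
    return findings


# Constructed samples: roughly what the announcement describes, and the
# state a site is in before either feature is enabled.
AFTER_ROLLOUT: HeaderList = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]
BEFORE_ROLLOUT: HeaderList = [
    ("Set-Cookie", "session=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, sample in (("after", AFTER_ROLLOUT), ("before", BEFORE_ROLLOUT)):
        print(label, audit_response(sample) or ["ok"])
```

A cookie without the Secure flag is what Firesheep-style sidejacking relies on, since the browser will send it over plain HTTP too; the audit reports that case per cookie rather than per response, so a site that secures the session cookie but leaks a second one still shows a finding.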
Matthew Ehle wrote:
> I have recently implemented several new security features for the openSUSE forums, wikis, and blogs hosted in Provo:
> - TLS 1.2 is supported. On the client side, this version of TLS is supported by the latest version of IE and some mobile devices. For clients that do not support TLS 1.2, the server still prefers RC4 cipher suites as a mitigation to the BEAST exploit.
> - HTTP Strict Transport Security (HSTS) is set for 5 minutes on secure sessions. For supported clients, this prevents click through of SSL warnings and downgrade of secure sessions.
Very cool, thanks for adding all those features! The HSTS age should be at least in the order of magnitude of months though. Its purpose is to tell the browser to enforce https if the user visits a page again. That interval should be higher than the average holiday length I guess :-)

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
>>> Ludwig Nussel <ludwig.nussel@suse.de> 11/27/2012 2:37 AM >>>
> Matthew Ehle wrote:
>> I have recently implemented several new security features for the openSUSE
>> forums, wikis, and blogs hosted in Provo:
>> - TLS 1.2 is supported. On the client side, this version of TLS is supported by
>> the latest version of IE and some mobile devices. For clients that do not
>> support TLS 1.2, the server still prefers RC4 cipher suites as a mitigation to
>> the BEAST exploit.
>> - HTTP Strict Transport Security (HSTS) is set for 5 minutes on secure
>> sessions. For supported clients, this prevents click through of SSL warnings
>> and downgrade of secure sessions.
>
> Very cool, thanks for adding all those features! The HSTS age should be
> at least in the order of magnitude of months though. Its purpose is to
> tell the browser to enforce https if the user visits a page again. That
> interval should be higher than the average holiday length I guess :-)

You brought up a good point. The reason that the age is 5 minutes right now is so that if we have any SSL related issues, we can turn it off and let the clients downgrade relatively quickly. When we are sure that it's working well, I'll turn that max age up.

Since only authenticated users need to use HTTPS, I'm thinking that I'll probably set it for as long as the session is valid (~8 hours). That way, if they come back the next day as a public user, we aren't forcing them to SSL for no reason.

I should mention that this header is sent on every HTTPS response, so the max age is reset every time you request a page.

-Matt
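The disagreement in this thread is about how the browser's HSTS cache behaves under different max-age values: Ludwig wants a policy that outlives a holiday, Matt notes that every HTTPS response refreshes the timer and considers tying it to the ~8-hour session. The model below is an added example, not code from either poster; it follows RFC 6797 (each response resets the expiry, max-age=0 deletes the entry) and replays constructed browsing patterns to show when a user arrives with no policy in force. The host name and visit times are invented for the example.

```python
"""Model of a browser's HSTS cache (RFC 6797) to compare max-age choices.

Added example. Assumptions, per RFC 6797 section 8.1: every HTTPS response
carrying Strict-Transport-Security refreshes the expiry, and max-age=0
removes the cached policy. Times are seconds; hosts and visits are constructed.
"""
from typing import Dict, List, Optional


class HstsCache:
    """Per-host policy expiry, as a browser keeps it."""

    def __init__(self) -> None:
        self._expiry: Dict[str, float] = {}

    def observe(self, host: str, max_age: int, now: float) -> None:
        """Record an HSTS header received over HTTPS from `host` at time `now`."""
        if max_age <= 0:
            # Operator sent max-age=0 to switch HSTS off: forget the host.
            self._expiry.pop(host, None)
        else:
            # Each response resets the timer, so the policy lives for
            # max_age seconds after the *last* HTTPS page load.
            self._expiry[host] = now + max_age

    def upgrades(self, host: str, now: float) -> bool:
        """Would an http:// request to `host` be rewritten to https:// at `now`?"""
        expiry = self._expiry.get(host)
        return expiry is not None and now < expiry


def first_unprotected_visit(max_age: int, visits: List[float],
                            host: str = "forums.example") -> Optional[float]:
    """Replay HTTPS page loads at `visits` and return the first time the
    browser arrives with no valid policy, i.e. when an http:// link or a
    downgrade attempt would not be blocked. The very first visit is skipped:
    no browser is protected before it has seen the header once."""
    cache = HstsCache()
    gap: Optional[float] = None
    for i, t in enumerate(sorted(visits)):
        if i > 0 and gap is None and not cache.upgrades(host, t):
            gap = t
        cache.observe(host, max_age, t)  # the HTTPS response refreshes the policy
    return gap


MINUTE, HOUR, DAY = 60, 3600, 86400

# Constructed browsing patterns, in seconds from the first visit.
STEADY_BROWSING = [0, 2 * MINUTE, 4 * MINUTE]          # a page every two minutes
LUNCH_BREAK = STEADY_BROWSING + [4 * MINUTE + HOUR]   # then an hour away
NEXT_DAY = [0, HOUR, DAY]                              # back the next morning
HOLIDAY = [0, 21 * DAY]                                # three weeks away

if __name__ == "__main__":
    for label, age in (("5 minutes", 5 * MINUTE), ("8 hours", 8 * HOUR), ("30 days", 30 * DAY)):
        for name, pattern in (("steady", STEADY_BROWSING), ("lunch", LUNCH_BREAK),
                              ("next day", NEXT_DAY), ("holiday", HOLIDAY)):
            print(f"max-age {label:>9}, {name:>8}: first unprotected visit at "
                  f"{first_unprotected_visit(age, pattern)}")
```

Running the script shows the trade-off both posters describe: a 5-minute policy only survives while pages are requested continuously and lapses over a lunch break, an 8-hour policy covers a working day but not the next morning, and a 30-day policy still holds after a three-week absence. The model also covers Matt's rollback plan, since an `observe(host, 0, now)` call drops the entry the way a max-age=0 header would.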
Participants (2): Ludwig Nussel, Matthew Ehle