View Issue Details

ID: 0001262
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2015-01-25 20:52
Reporter: sysfu
Assigned To: wytze
Priority: normal
Severity: minor
Reproducibility: always
Status: solved?
Resolution: fixed
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Product Version: 2014 Q1
Target Version: 2014 Q2
Fixed in Version: 2014 Q4
Summary: 0001262: SslLabs B rating (if trust issues are ignored) for cacert.org SSL/TLS setup
Description: This issue has been partially addressed by https://bugs.cacert.org/view.php?id=1241 , but there is still more work to do. Here's a link to the report: https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org

Outside of the chain of trust, these issues remain:

* No TLS 1.2 support
* No Strict Transport Security (HSTS) support
* server does not support Forward Secrecy with the reference browsers
* BEAST attack not mitigated server-side
Steps To Reproduce: Visit https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org
Tags: No tags attached.
Reviewed by: (none)
Test Instructions: (none)

Relationships

related to 0001241 (needs feedback, wytze): cacert.org SSL/TLS configuration is bad on many levels
parent of 0001260 (needs work, BenBE): Make the source compatible with recent PHP versions
Not all the children of this issue are yet resolved or closed.

Activities

BenBE

2014-04-06 07:15

updater   ~0004694

The issues with missing TLS 1.2 support are known, but require a system upgrade currently blocked by bug 1260. Furthermore PFS is missing for similar reasons.

HSTS can be done and if no objections are received I can forward this to critical as this mainly is one header to deploy (but still requires some testing regarding the session handling).

Regarding the BEAST attack: If you want to support old browsers you can either choose to mitigate using RC4 or be vulnerable to BEAST. Given that RC4 is broken while BEAST requires much more effort and an active attack (together with some other vulnerabilities server-side) it's better to be vulnerable to BEAST than touch RC4.

But what could be done is deploying Content Security Policies, which adds as little as a header but limits an attacker quite nicely.

MartinGummi

2014-04-14 18:23

updater   ~0004716

fix broken link

wytze

2014-10-18 10:55

developer   ~0005058

After upgrading the CAcert chroot application environment to Debian Wheezy on October 17, 2014 (see https://lists.cacert.org/wws/arc/cacert-systemlog/2014-10/msg00007.html), the SSL support has come more or less up-to-date. Rating is back up to A, aside from trust issues. Please check https://bugs.cacert.org/view.php?id=1241 for details.

wytze

2014-12-01 15:44

developer   ~0005141

On 1 December 2014, SSL3 and 3DES support has been disabled on the CAcert webserver, while at the same time HSTS has been enabled. For details please check: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-12/msg00000.html

Together with the previous enhancements, this addresses all issues mentioned by the reporter of this bug, with the exception of the lack of server-side mitigation for the BEAST attack.

Server-side mitigation for BEAST would require us to turn RC4 support on, which brings more serious vulnerability problems with it. With BEAST being a pure client-side vulnerability, and most browsers having now incorporated sufficient protections against it, we believe that server-side mitigation for BEAST is no longer an issue, an opinion which appears to be shared by SSLLabs, who is *not* penalizing our security rating for the lack of it. Please check https://bugs.cacert.org/file_download.php?file_id=393&type=bug for the SSLLabs report for www.cacert.org on 1 December 2014.
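The reporter's checklist (TLS 1.2, HSTS, forward secrecy) and the ciphers the maintainers later removed (RC4, 3DES, SSL3) can be turned into a small offline audit. The script below is an added example, not CAcert code; the two postures are constructed samples and the suite names follow OpenSSL spelling, where 3DES appears as DES-CBC3.

```python
import re

# Constructed sample postures (not real CAcert data): roughly the state the
# reporter describes, and the state after the December 2014 changes.
BEFORE = {
    "protocols": ["SSLv3", "TLSv1"],
    "ciphers": ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
    "headers": {"Server": "Apache"},
}
AFTER = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA", "AES128-SHA"],
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if the header is missing or lacks one."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
            return int(m.group(1)) if m else None
    return None

def audit(posture):
    """Return the findings from this issue that still apply to a posture, in checklist order."""
    findings = []
    protos, ciphers = posture["protocols"], posture["ciphers"]
    if "TLSv1.2" not in protos:
        findings.append("no-tls12")
    if "SSLv3" in protos:
        findings.append("sslv3-enabled")
    if hsts_max_age(posture["headers"]) is None:
        findings.append("no-hsts")
    # Forward secrecy requires an ephemeral key exchange in at least one offered suite.
    if not any(c.startswith(("ECDHE-", "DHE-")) for c in ciphers):
        findings.append("no-forward-secrecy")
    # RC4 and 3DES are the suites the maintainers chose to drop rather than keep for BEAST.
    if any("RC4" in c for c in ciphers):
        findings.append("rc4-offered")
    if any("DES-CBC3" in c for c in ciphers):
        findings.append("3des-offered")
    return findings

if __name__ == "__main__":
    for label, posture in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(posture) or ["ok"])
```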

Issue History

Date Modified Username Field Change
2014-03-28 19:34 sysfu New Issue
2014-04-01 21:37 NEOatNHNG Relationship added related to 0001241
2014-04-06 07:15 BenBE Note Added: 0004694
2014-04-06 07:15 BenBE Status new => needs work
2014-04-06 07:15 BenBE Target Version => 2014 Q2
2014-04-06 07:20 BenBE Relationship added parent of 0001260
2014-04-14 18:23 MartinGummi Note Added: 0004716
2014-04-14 18:23 MartinGummi Description Updated
2014-10-18 10:55 wytze Note Added: 0005058
2014-12-01 15:44 wytze Note Added: 0005141
2014-12-01 15:44 wytze Status needs work => solved?
2014-12-01 15:44 wytze Fixed in Version => 2014 Q4
2014-12-01 15:44 wytze Resolution open => fixed
2014-12-01 15:44 wytze Assigned To => wytze