View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001262 | Main CAcert Website | misc | public | 2014-03-28 19:34 | 2015-01-25 20:52 |

| Field | Value |
|---|---|
| Platform | Main CAcert Website |
| OS | N/A |
| OS Version | stable |
| Product Version | 2014 Q1 |
| Target Version | 2014 Q2 |
| Fixed in Version | 2014 Q4 |
| Summary | 0001262: SslLabs B rating (if trust issues are ignored) for cacert.org SSL/TLS setup |
Description:

This issue has been partially addressed by https://bugs.cacert.org/view.php?id=1241 , but there is still more work to do. Here's a link to the report: https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org

Outside of the chain of trust, these issues remain:
* No TLS 1.2 support
* No Strict Transport Security (HSTS) support
* server does not support Forward Secrecy with the reference browsers
* BEAST attack not mitigated server-side

Steps To Reproduce: Visit https://www.ssllabs.com/ssltest/analyze.html?d=cacert.org

Tags: No tags attached.
Note 0004694 by BenBE (2014-04-06 07:15):

The issues with missing TLS 1.2 support are known, but require a system upgrade currently blocked by bug 1260. Furthermore, PFS is missing for similar reasons.
HSTS can be done, and if no objections are received I can forward this to critical, as this mainly is one header to deploy (but still requires some testing regarding the session handling).
Regarding the BEAST attack: If you want to support old browsers you can either choose to mitigate using RC4 or be vulnerable to BEAST. Given that RC4 is broken while BEAST requires much more effort and an active attack (together with some other vulnerabilities server-side), it's better to be vulnerable to BEAST than touch RC4.
But what could be done is deploying Content Security Policies, which only adds as little as a header, but limits an attacker quite nicely.
Note 0004716 by MartinGummi (2014-04-14 18:23):

fix broken link
Note 0005058 by wytze (2014-10-18 10:55):

After upgrading the CAcert chroot application environment to Debian Wheezy on October 17, 2014 (see https://lists.cacert.org/wws/arc/cacert-systemlog/2014-10/msg00007.html), the SSL support has come more or less up-to-date. Rating is back up to A, aside from trust issues. Please check https://bugs.cacert.org/view.php?id=1241 for details.
Note 0005141 by wytze (2014-12-01 15:44):

On 1 December 2014, SSL3 and 3DES support have been disabled on the CAcert webserver, while at the same time HSTS has been enabled. For details please check: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-12/msg00000.html
Together with the previous enhancements, this addresses all issues mentioned by the reporter of this bug, with the exception of the lack of server-side mitigation for the BEAST attack.
Server-side mitigation for BEAST would require us to turn RC4 support on, which brings more serious vulnerability problems with it. With BEAST being a pure client-side vulnerability, and most browsers having now incorporated sufficient protections against it, we believe that server-side mitigation for BEAST is no longer an issue, an opinion which appears to be shared by SSLLabs, who is *not* penalizing our security rating for the lack of it. Please check https://bugs.cacert.org/file_download.php?file_id=393&type=bug for the SSLLabs report for www.cacert.org on 1 December 2014.
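As an added example (not CAcert's code, and not the real cacert.org configuration at the time), the following Python checks a server's enabled protocols, OpenSSL cipher names and HSTS header against the findings discussed in this issue, including the RC4-versus-BEAST trade-off from the notes above. The two sample states are constructed to mirror the March and December 2014 reports; the CBC detection is a naming heuristic, not a cipher database.

```python
import re

# Tags that mark non-CBC suites in OpenSSL naming (constructed heuristic).
NON_CBC_TAGS = ("GCM", "CCM", "CHACHA", "RC4")


def assess_tls_config(protocols, cipher_suites, hsts_header=None):
    """Return the findings, in a fixed order, for one server configuration.

    protocols:     set of enabled protocol names, e.g. {"TLSv1", "TLSv1.2"}
    cipher_suites: OpenSSL cipher names the server offers
    hsts_header:   value of the Strict-Transport-Security header, or None
    """
    issues = []
    names = [c.upper() for c in cipher_suites]
    if "SSLv3" in protocols:
        issues.append("SSLv3 enabled")
    if "TLSv1.2" not in protocols:
        issues.append("no TLS 1.2 support")
    if any("RC4" in c for c in names):
        issues.append("RC4 enabled (broken; not an acceptable BEAST mitigation)")
    if any("3DES" in c or "DES-CBC3" in c for c in names):
        issues.append("3DES enabled")
    if not any(c.startswith(("ECDHE-", "DHE-")) for c in names):
        issues.append("no forward secrecy (no ECDHE/DHE suites)")
    # BEAST needs TLS 1.0 with a CBC suite; the only server-side "fix" is to
    # prefer RC4, which the notes reject, so this finding is reported but accepted.
    cbc = [c for c in names if not any(t in c for t in NON_CBC_TAGS)]
    if "TLSv1" in protocols and cbc and not any("RC4" in c for c in names):
        issues.append("BEAST not mitigated server-side (CBC suites on TLS 1.0)")
    if hsts_header is None:
        issues.append("no HSTS header")
    else:
        m = re.search(r"max-age=(\d+)", hsts_header)
        if not m or int(m.group(1)) == 0:
            issues.append("HSTS header present but max-age missing or zero")
    return issues


# Constructed sample states, not the actual cacert.org configuration.
MARCH_2014 = dict(protocols={"SSLv3", "TLSv1"},
                  cipher_suites=["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"],
                  hsts_header=None)
DECEMBER_2014 = dict(protocols={"TLSv1", "TLSv1.1", "TLSv1.2"},
                     cipher_suites=["ECDHE-RSA-AES128-GCM-SHA256",
                                    "ECDHE-RSA-AES256-SHA", "AES128-SHA"],
                     hsts_header="max-age=15768000")

if __name__ == "__main__":
    for label, cfg in (("March 2014", MARCH_2014), ("December 2014", DECEMBER_2014)):
        print(label, assess_tls_config(**cfg) or ["no findings"])
```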
Issue History:

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-03-28 19:34 | sysfu | New Issue | |
| 2014-04-01 21:37 | NEOatNHNG | Relationship added | related to 0001241 |
| 2014-04-06 07:15 | BenBE | Note Added: 0004694 | |
| 2014-04-06 07:15 | BenBE | Status | new => needs work |
| 2014-04-06 07:15 | BenBE | Target Version | => 2014 Q2 |
| 2014-04-06 07:20 | BenBE | Relationship added | parent of 0001260 |
| 2014-04-14 18:23 | MartinGummi | Note Added: 0004716 | |
| 2014-04-14 18:23 | MartinGummi | Description Updated | View Revisions |
| 2014-10-18 10:55 | wytze | Note Added: 0005058 | |
| 2014-12-01 15:44 | wytze | Note Added: 0005141 | |
| 2014-12-01 15:44 | wytze | Status | needs work => solved? |
| 2014-12-01 15:44 | wytze | Fixed in Version | => 2014 Q4 |
| 2014-12-01 15:44 | wytze | Resolution | open => fixed |
| 2014-12-01 15:44 | wytze | Assigned To | => wytze |