[pydotorg-www] [Infrastructure] Removed wiki attack banners

Noah Kantrowitz noah at coderanger.net
Sat Sep 7 09:01:37 CEST 2013


I would sooner burn the entire PSF infra than compromise our key integrity (if you are worried about government intrusions). Every person that has ever had access to our key material I trust personally (the list is quite small). Given that, PFS doesn't buy us a whole lot unless someone was able to steal the private key(s) without our knowledge and while every step I can think has been taken to prevent this, I can never fully rule it out. That said, now that Fastly handles the vast bulk of SSL terminations, we can probably look at this without risk of overloading the servers :-) (corollary, Fastly doesn't offer ECC for exactly the same reasons we aren't, nor would I expect this to change in the near future)

--Noah

On Sep 6, 2013, at 11:39 PM, Gregory P. Smith wrote:

> Any chance we could change the default preferred ciphers?
> 
> currently sslscan shows (complete with a misspelling):
> 
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  RC4-SHA
>     TLSv1  128 bits  RC4-SHA
> 
> for wiki.python.org et al?
> 
> Defaulting to ECDHE (for perfect forward secrecy) seem the right thing to do for the web.
> 
> ie it'd be great to see:
> 
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  ECDHE-RSA-RC4-SHA
>     TLSv1  128 bits  ECDHE-RSA-RC4-SHA
> 
> http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
> 
> -gps
> 
> 
> 
> On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 04.09.2013 22:26, M.-A. Lemburg wrote:
> > On 04.09.2013 22:16, M.-A. Lemburg wrote:
> >> On 03.09.2013 16:49, M.-A. Lemburg wrote:
> >>> Since the HTTPS redirect are now mostly working (there are still some
> >>> details to be worked out), I've removed the wiki banners about the
> >>> attack and instead added a section to the front pages of the Python
> >>> and Jython wikis.
> >>>
> >>> It's a good idea to change the passwords on the wikis now, since
> >>> clear text passwords are just too easy to sniff at conferences.
> >>
> >> Update: The HTTPS config changes have now been put in place and
> >>
> >> HSTS is now also enabled for the wikis:
> >>
> >> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> >>
> >> (allowing redirects to happen on the client side, if the browser
> >> supports HSTS)
> >
> > I've submitted an HSTS preload list entry request to Google for
> > inclusion in their list:
> >
> > https://sites.google.com/a/chromium.org/dev/sts
> > https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
> >
> > Firefox bases its list on Google's, so hopefully wiki.python.org
> > will end up there as well in a few weeks:
> >
> > http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> > https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
> 
> This is added now:
> 
> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
> 
> It'll appear in Chrome after the usual product development
> cycles. Not sure how often Mozilla updates their list.
> 
> Donald: You might want to add pypi.python.org to the HSTS
> list as well.
> 
> --
> Marc-Andre Lemburg
> eGenix.com
> 
> Professional Python Services directly from the Source  (#1, Sep 05 2013)
> >>> Python Projects, Consulting and Support ...   http://www.egenix.com/
> >>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ...  http://egenix.com/go48
> 2013-09-20: PyCon UK 2013, Coventry, UK ...                15 days to go
> 2013-09-28: PyDDF Sprint ...                               23 days to go
> 
>    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>            Registered at Amtsgericht Duesseldorf: HRB 46611
>                http://www.egenix.com/company/contact/
> ________________________________________________
> Infrastructure mailing list
> Infrastructure at python.org
> https://mail.python.org/mailman/listinfo/infrastructure
> Unsubscribe: https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org
> 
> ________________________________________________
> Infrastructure mailing list
> Infrastructure at python.org
> https://mail.python.org/mailman/listinfo/infrastructure
> Unsubscribe: https://mail.python.org/mailman/options/infrastructure/noah%40coderanger.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/pydotorg-www/attachments/20130907/d688d1a2/attachment.sig>


More information about the pydotorg-www mailing list