[pydotorg-www] [Infrastructure] Removed wiki attack banners

Gregory P. Smith greg at krypto.org
Sat Sep 7 08:39:23 CEST 2013


Any chance we could change the default preferred ciphers?

currently sslscan shows (complete with a misspelling):

  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA

for wiki.python.org et al?

Defaulting to ECDHE (for perfect forward secrecy) seems the right thing to
do for the web.

i.e. it'd be great to see:

  Prefered Server Cipher(s):
    SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1  128 bits  ECDHE-RSA-RC4-SHA

http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

-gps



On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg <mal at egenix.com> wrote:

> On 04.09.2013 22:26, M.-A. Lemburg wrote:
> > On 04.09.2013 22:16, M.-A. Lemburg wrote:
> >> On 03.09.2013 16:49, M.-A. Lemburg wrote:
> >>> Since the HTTPS redirect are now mostly working (there are still some
> >>> details to be worked out), I've removed the wiki banners about the
> >>> attack and instead added a section to the front pages of the Python
> >>> and Jython wikis.
> >>>
> >>> It's a good idea to change the passwords on the wikis now, since
> >>> clear text passwords are just too easy to sniff at conferences.
> >>
> >> Update: The HTTPS config changes have now been put in place and
> >>
> >> HSTS is now also enabled for the wikis:
> >>
> >> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> >>
> >> (allowing redirects to happen on the client side, if the browser
> >> supports HSTS)
> >
> > I've submitted an HSTS preload list entry request to Google for
> > inclusion in their list:
> >
> > https://sites.google.com/a/chromium.org/dev/sts
> >
> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
> >
> > Firefox bases its list on Google's, so hopefully wiki.python.org
> > will end up there as well in a few weeks:
> >
> > http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> > https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
>
> This is added now:
>
> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
>
> It'll appear in Chrome after the usual product development
> cycles. Not sure how often Mozilla updates their list.
>
> Donald: You might want to add pypi.python.org to the HSTS
> list as well.
>
> --
> Marc-Andre Lemburg
> eGenix.com
>
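As an added example (not from the thread), a small Python checker that parses the sslscan "Prefered Server Cipher(s)" summary quoted above and reports which protocols end up with a preferred suite that lacks an ephemeral (ECDHE/DHE) key exchange, i.e. no forward secrecy. The two sample outputs are constructed to mirror the before/after state described in the message.

```python
import re
from dataclasses import dataclass

# Constructed samples shaped like the sslscan summary in the thread
# (sslscan itself prints the misspelled header "Prefered").
BEFORE = """\
  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA
"""
AFTER = """\
  Prefered Server Cipher(s):
    SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1  128 bits  ECDHE-RSA-RC4-SHA
"""

LINE_RE = re.compile(
    r"^\s*(?P<proto>SSLv\d|TLSv[\d.]+)\s+(?P<bits>\d+) bits\s+(?P<suite>\S+)\s*$"
)

@dataclass
class Preferred:
    protocol: str
    bits: int
    suite: str

    @property
    def key_exchange(self) -> str:
        # OpenSSL suite names lead with the key exchange; a bare name such as
        # RC4-SHA means static RSA key transport, which cannot give forward secrecy.
        for kx in ("ECDHE", "DHE", "EDH"):
            if self.suite.startswith(kx + "-"):
                return kx
        return "RSA"

    @property
    def forward_secrecy(self) -> bool:
        return self.key_exchange != "RSA"

def parse_preferred(output: str) -> list[Preferred]:
    """Collect one preferred suite per protocol from the summary block."""
    found, in_block = [], False
    for line in output.splitlines():
        if "Server Cipher(s):" in line:   # tolerate either spelling of the header
            in_block = True
            continue
        m = LINE_RE.match(line)
        if in_block and m:
            found.append(Preferred(m["proto"], int(m["bits"]), m["suite"]))
        elif in_block and line.strip():
            break                         # reached the next sslscan section
    return found

def protocols_without_pfs(output: str) -> list[str]:
    """Protocols whose preferred suite offers no forward secrecy."""
    return [p.protocol for p in parse_preferred(output) if not p.forward_secrecy]
```

Running `protocols_without_pfs` over a live sslscan capture gives the same per-protocol verdict the message draws by eye from the two summaries.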

