[pydotorg-www] [Infrastructure] Removed wiki attack banners

Gregory P. Smith greg at krypto.org
Sat Sep 7 20:18:54 CEST 2013


On Sat, Sep 7, 2013 at 12:01 AM, Noah Kantrowitz <noah at coderanger.net> wrote:

> I would sooner burn the entire PSF infra than compromise our key integrity
> (if you are worried about government intrusions). Every person that has
> ever had access to our key material I trust personally (the list is quite
> small). Given that, PFS doesn't buy us a whole lot unless someone was able
> to steal the private key(s) without our knowledge and while every step I
> can think has been taken to prevent this, I can never fully rule it out.
> That said, now that Fastly handles the vast bulk of SSL terminations, we
> can probably look at this without risk of overloading the servers :-)
> (corollary, Fastly doesn't offer ECC for exactly the same reasons we
> aren't, nor would I expect this to change in the near future)
>

I'm not worried about anything. I was just wondering if we could follow the
best practices on the web to set a good example. But since I'm not doing
the work I'll just shut up. :)


>
> --Noah
>
> On Sep 6, 2013, at 11:39 PM, Gregory P. Smith wrote:
>
> > Any chance we could change the default preferred ciphers?
> >
> > currently sslscan shows (complete with a misspelling):
> >
> >   Prefered Server Cipher(s):
> >     SSLv3  128 bits  RC4-SHA
> >     TLSv1  128 bits  RC4-SHA
> >
> > for wiki.python.org et al?
> >
> > Defaulting to ECDHE (for perfect forward secrecy) seems the right thing to do for the web.
> >
> > i.e. it'd be great to see:
> >
> >   Prefered Server Cipher(s):
> >     SSLv3  128 bits  ECDHE-RSA-RC4-SHA
> >     TLSv1  128 bits  ECDHE-RSA-RC4-SHA
> >
> > http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
> >
> > -gps
> >
> >
> >
> > On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> > On 04.09.2013 22:26, M.-A. Lemburg wrote:
> > > On 04.09.2013 22:16, M.-A. Lemburg wrote:
> > >> On 03.09.2013 16:49, M.-A. Lemburg wrote:
> > >>> Since the HTTPS redirect are now mostly working (there are still some
> > >>> details to be worked out), I've removed the wiki banners about the
> > >>> attack and instead added a section to the front pages of the Python
> > >>> and Jython wikis.
> > >>>
> > >>> It's a good idea to change the passwords on the wikis now, since
> > >>> clear text passwords are just too easy to sniff at conferences.
> > >>
> > >> Update: The HTTPS config changes have now been put in place and
> > >>
> > >> HSTS is now also enabled for the wikis:
> > >>
> > >> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> > >>
> > >> (allowing redirects to happen on the client side, if the browser
> > >> supports HSTS)
> > >
> > > I've submitted an HSTS preload list entry request to Google for
> > > inclusion in their list:
> > >
> > > https://sites.google.com/a/chromium.org/dev/sts
> > >
> > > https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
> > >
> > > Firefox bases its list on Google's, so hopefully wiki.python.org
> > > will end up there as well in a few weeks:
> > >
> > > http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> > > https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
> >
> > This is added now:
> >
> > http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
> >
> > It'll appear in Chrome after the usual product development
> > cycles. Not sure how often Mozilla updates their list.
> >
> > Donald: You might want to add pypi.python.org to the HSTS
> > list as well.
> >
> > --
> > Marc-Andre Lemburg
> > eGenix.com
> >
> > Infrastructure mailing list
> > Infrastructure at python.org
> > https://mail.python.org/mailman/listinfo/infrastructure
> > Unsubscribe:
> > https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org
> >
>
>
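As an added example (not code from the thread, the PSF, or sslscan itself), a small checker that parses the "Prefered Server Cipher(s)" block of sslscan output as quoted above and flags preferred ciphers without ephemeral key exchange, plus RC4 use; the two sample blocks are constructed to match the thread's before/after output.

```python
# Added example (not from the thread): flag sslscan preferred ciphers lacking forward secrecy or using RC4.
import re
from dataclasses import dataclass

# Constructed samples modelled on the sslscan output quoted in the thread.
SAMPLE_BEFORE = """\
  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA
"""
SAMPLE_AFTER = """\
  Prefered Server Cipher(s):
    SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1  128 bits  ECDHE-RSA-RC4-SHA
"""

LINE_RE = re.compile(r"^\s*(SSLv\d|TLSv1(?:\.\d)?)\s+(\d+) bits\s+(\S+)\s*$")

@dataclass
class Finding:
    protocol: str
    cipher: str
    forward_secrecy: bool
    issues: list

def parse_preferred(text):
    """Return (protocol, bits, cipher) rows under 'Prefered Server Cipher(s):'."""
    rows, in_block = [], False
    for line in text.splitlines():
        if "Server Cipher(s):" in line:
            in_block = True
            continue
        m = LINE_RE.match(line) if in_block else None
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
        elif in_block and line.strip():
            break  # a different section of the report starts
    return rows

def assess(text):
    """One Finding per preferred cipher; ECDHE-/DHE-/EDH- prefixes mean ephemeral keys (forward secrecy)."""
    findings = []
    for proto, _bits, cipher in parse_preferred(text):
        fs = cipher.startswith(("ECDHE-", "DHE-", "EDH-"))
        issues = [] if fs else ["no forward secrecy (static RSA key exchange)"]
        if "RC4" in cipher:
            issues.append("RC4 stream cipher")  # still present in the ECDHE variant
        findings.append(Finding(proto, cipher, fs, issues))
    return findings
```

Run `assess()` over a saved sslscan report to see that switching to the ECDHE suite fixes the forward-secrecy finding while the RC4 finding remains.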

