On 8 December 2015 at 19:26, Anthony J. Bentley <anth...@anjbe.name> wrote:
> Giancarlo Razzolini writes:
>> One of the main benefits of the TLS wouldn't only be to render
>> impossible for anyone to know which pages you're accessing on the site,
>> but also the fact that we would get a little more security getting the
>> SSH fingerprints for the anoncvs servers. Having them in clear text as
>> they are today, isn't very secure.
>
> Another attack currently possible against www.openbsd.org is changing
> the https://openbsdstore.com links to http://openbsdstore.com, and
> running sslstrip on that. Or the PayPal links...

For real!  And yet another attack currently possible against
www.openbsd.org is being able to view the web-site from any OpenBSD
release, even the early ones that did include lynx in base
(http://mdoc.su/OpenBSD-2.3/lynx.1), yet are surely missing not only
TLSv1.2 (if not OpenSSL in the first place!), but the requisite CA
entries in their corresponding cert.pem file as well (that is, if such
file was even present).

And if you're in Kazakhstan, it's also possible to view
www.openbsd.org without any issues or security warnings, and will
continue being so even after 2016-01-01 when the new telecommunication
directive takes force.  (Or was the feature to ignore invalid
certificates already added to lynx nowadays?)

And another one is a global web-site defacing if the certificate
signing request infrastructure, with a client that is designed to run
on your web-server with the web-server privileges by LetsEncrypt, and
must execute at least once every 3 months (if not more often, as their
plan is to decrease cert validity to be even shorter than 3 months)
turns out to contain an exploitable vulnerability.  Wait, that's one
not possible!  (At least not yet!)

C.
