I would sooner burn the entire PSF infra than compromise our key integrity (if 
you are worried about government intrusions). Every person that has ever had 
access to our key material I trust personally (the list is quite small). Given 
that, PFS doesn't buy us a whole lot unless someone was able to steal the
private key(s) without our knowledge, and while every step I can think of has
been taken to prevent this, I can never fully rule it out. That said, now that
Fastly handles the vast bulk of SSL terminations, we can probably look at this 
without risk of overloading the servers :-) (corollary, Fastly doesn't offer 
ECC for exactly the same reasons we aren't, nor would I expect this to change 
in the near future)

--Noah

On Sep 6, 2013, at 11:39 PM, Gregory P. Smith wrote:

> Any chance we could change the default preferred ciphers?
> 
> currently sslscan shows (complete with a misspelling):
> 
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  RC4-SHA
>     TLSv1  128 bits  RC4-SHA
> 
> for wiki.python.org et al?
> 
> Defaulting to ECDHE (for perfect forward secrecy) seems the right thing to do
> for the web.
> 
> i.e. it'd be great to see:
> 
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  ECDHE-RSA-RC4-SHA
>     TLSv1  128 bits  ECDHE-RSA-RC4-SHA
> 
> http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
> 
> -gps
> 
> 
> 
> On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg <m...@egenix.com> wrote:
> On 04.09.2013 22:26, M.-A. Lemburg wrote:
> > On 04.09.2013 22:16, M.-A. Lemburg wrote:
> >> On 03.09.2013 16:49, M.-A. Lemburg wrote:
> >>> Since the HTTPS redirects are now mostly working (there are still some
> >>> details to be worked out), I've removed the wiki banners about the
> >>> attack and instead added a section to the front pages of the Python
> >>> and Jython wikis.
> >>>
> >>> It's a good idea to change the passwords on the wikis now, since
> >>> clear text passwords are just too easy to sniff at conferences.
> >>
> >> Update: The HTTPS config changes have now been put in place and
> >>
> >> HSTS is now also enabled for the wikis:
> >>
> >> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> >>
> >> (allowing redirects to happen on the client side, if the browser
> >> supports HSTS)
> >
> > I've submitted an HSTS preload list entry request to Google for
> > inclusion in their list:
> >
> > https://sites.google.com/a/chromium.org/dev/sts
> > https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
> >
> > Firefox bases its list on Google's, so hopefully wiki.python.org
> > will end up there as well in a few weeks:
> >
> > http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> > https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
> 
> This is added now:
> 
> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
> 
> It'll appear in Chrome after the usual product development
> cycles. Not sure how often Mozilla updates their list.
> 
> Donald: You might want to add pypi.python.org to the HSTS
> list as well.
> 
> --
> Marc-Andre Lemburg
> eGenix.com
> 
> Professional Python Services directly from the Source  (#1, Sep 05 2013)
> >>> Python Projects, Consulting and Support ...   http://www.egenix.com/
> >>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ...  http://egenix.com/go48
> 2013-09-20: PyCon UK 2013, Coventry, UK ...                15 days to go
> 2013-09-28: PyDDF Sprint ...                               23 days to go
> 
>    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>            Registered at Amtsgericht Duesseldorf: HRB 46611
>                http://www.egenix.com/company/contact/
> ________________________________________________
> Infrastructure mailing list
> infrastruct...@python.org
> https://mail.python.org/mailman/listinfo/infrastructure
> Unsubscribe: 
> https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org
> 
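As an added example, not code from this thread or from any PSF tooling: a small Python script that parses the sslscan "Prefered Server Cipher(s)" block quoted above and reports, for each preferred suite, whether its key exchange is ephemeral (ECDHE/DHE, hence forward secret) and which weak components (RC4 and similar) remain. The two samples are constructed from the listings in Greg's message; the function names, the weak-marker list and the optional live probe via Python's `ssl` module are assumptions of this example. Run on the "proposed" listing it shows what the thread's suggested suite does and does not fix: the key exchange becomes forward secret, but RC4 is still the cipher.

```python
"""Classify preferred TLS cipher suites by forward secrecy and weak components."""
import re
import socket
import ssl
import sys

# Constructed sample: the sslscan block quoted in the thread (sslscan's own
# "Prefered" spelling kept so the parser matches the tool's real output).
SAMPLE_CURRENT = """\
  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA
"""

# Constructed sample: the preference the thread asks for.
SAMPLE_PROPOSED = """\
  Prefered Server Cipher(s):
    SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1  128 bits  ECDHE-RSA-RC4-SHA
"""

# One sslscan cipher line: "<protocol>  <bits> bits  <OpenSSL suite name>"
CIPHER_LINE = re.compile(r"^\s*(SSLv[23]|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)\s*$")

# OpenSSL suite-name prefixes whose key exchange is ephemeral (DH or EC-DH),
# so a later server-key compromise does not decrypt recorded sessions.
# Plain "ECDH-" is static ECDH and deliberately NOT in this list.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Substrings that mark a suite as weak regardless of its key exchange (assumed list).
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")


def parse_preferred_ciphers(text):
    """Return [(protocol, bits, suite), ...] from an sslscan preferred-cipher block."""
    found = []
    in_block = False
    for line in text.splitlines():
        if "Server Cipher" in line:      # header line ("Prefered Server Cipher(s):")
            in_block = True
            continue
        if not in_block:
            continue
        m = CIPHER_LINE.match(line)
        if m is None:                    # first non-cipher line ends the block
            break
        found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def is_forward_secret(suite):
    """True when the suite's key exchange is ephemeral (ECDHE/DHE/EDH)."""
    return suite.upper().startswith(PFS_PREFIXES)


def weak_components(suite):
    """List the weak-algorithm markers present in the suite name, if any."""
    name = suite.upper()
    return [marker for marker in WEAK_MARKERS if marker in name]


def assess(text):
    """Per preferred suite: does it give PFS, and which weak pieces remain?"""
    return [
        {"protocol": proto, "bits": bits, "suite": suite,
         "pfs": is_forward_secret(suite), "weak": weak_components(suite)}
        for proto, bits, suite in parse_preferred_ciphers(text)
    ]


def negotiated_cipher(host, port=443, timeout=5.0):
    """Live check of one's own host (assumed usage): connect with the default
    client context and return (suite, protocol, bits) from SSLSocket.cipher();
    the suite name can then be fed to the two classifiers above."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    for label, sample in (("current", SAMPLE_CURRENT), ("proposed", SAMPLE_PROPOSED)):
        print(label)
        for row in assess(sample):
            print("  %-6s %-22s pfs=%-5s weak=%s"
                  % (row["protocol"], row["suite"], row["pfs"], row["weak"]))
    if len(sys.argv) > 1:                # optional: python script.py your.host.example
        suite, proto, bits = negotiated_cipher(sys.argv[1])
        print("%s negotiated %s (%s, %d bits) pfs=%s"
              % (sys.argv[1], suite, proto, bits, is_forward_secret(suite)))
```

The classifier keys only on the OpenSSL suite-name prefix, which is exactly what distinguishes the thread's two listings: `RC4-SHA` is static-RSA key exchange (no PFS), `ECDHE-RSA-RC4-SHA` is ephemeral. Static `ECDH-` suites are excluded on purpose, since they share the "ECDH" letters but reuse a fixed key.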

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
https://mail.python.org/mailman/listinfo/pydotorg-www
