Hmm, according to SSLLabs, DHE is not used by browsers for wiki.python.org:
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.python.org Note that ECs are not widely supported, so using those is not such a good idea. Moving away from the ancient RC4 is, though, esp. if TLS 1.2 is available: https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what TLS_DHE_RSA_WITH_AES_256_CBC_SHA would be better as default first choice for SSL. Not sure whether this is worth fixing for the public wikis, but once we're starting to host things like e-voting on the OSL infra structure, this may become more important. Background info: DHE causes the session key to be negotiated between server and client without actually sending key data over the wire. As a result, getting at the session key by looking at a recorded SSL session is really hard, even if you know the server's private key. Without DHE, it is easily possible to recreate the session key, provided you know the server's private key and have a recording for the SSL handshake. That's where the term "forward secrecy" comes from - future loss of a private key doesn't result in all recorded SSL sessions to suddenly become easily decipherable. On 07.09.2013 08:39, Gregory P. Smith wrote: > Any chance we could change the default preferred ciphers? > > currently sslscan shows (complete with a misspelling): > > Prefered Server Cipher(s): > SSLv3 128 bits RC4-SHA > TLSv1 128 bits RC4-SHA > > for wiki.python.org et al? > > Defaulting to ECDHE (for perfect forward secrecy) seem the right thing to > do for the web. > > ie it'd be great to see: > > Prefered Server Cipher(s): > SSLv3 128 bits ECDHE-RSA-RC4-SHA > TLSv1 128 bits ECDHE-RSA-RC4-SHA > > http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html > > -gps > > > > On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg <m...@egenix.com> wrote: > >> On 04.09.2013 22:26, M.-A. Lemburg wrote: >>> On 04.09.2013 22:16, M.-A. Lemburg wrote: >>>> On 03.09.2013 16:49, M.-A. Lemburg wrote: >>>>> Since the HTTPS redirect are now mostly working (there are still some >>>>> details to be worked out), I've removed the wiki banners about the >>>>> attack and instead added a section to the front pages of the Python >>>>> and Jython wikis. >>>>> >>>>> It's a good idea to change the passwords on the wikis now, since >>>>> clear text passwords are just too easy to sniff at conferences. >>>> >>>> Update: The HTTPS config changes have now been put in place and >>>> >>>> HSTS is now also enabled for the wikis: >>>> >>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security >>>> >>>> (allowing redirects to happen on the client side, if the browser >>>> supports HSTS) >>> >>> I've submitted an HSTS preload list entry request to Google for >>> inclusion in their list: >>> >>> https://sites.google.com/a/chromium.org/dev/sts >>> >> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json >>> >>> Firefox bases its list on Google's, so hopefully wiki.python.org >>> will end up there as well in a few weeks: >>> >>> http://blog.mozilla.org/security/2012/11/01/preloading-hsts/ >>> https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List >> >> This is added now: >> >> http://src.chromium.org/viewvc/chrome?revision=221431&view=revision >> >> It'll appear in Chrome after the usual product development >> cycles. Not sure how often Mozilla updates their list. >> >> Donald: You might want to add pypi.python.org to the HSTS >> list as well. >> >> -- >> Marc-Andre Lemburg >> eGenix.com >> >> Professional Python Services directly from the Source (#1, Sep 05 2013) >>>>> Python Projects, Consulting and Support ... http://www.egenix.com/ >>>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/ >>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ >> ________________________________________________________________________ >> 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ... http://egenix.com/go48 >> 2013-09-20: PyCon UK 2013, Coventry, UK ... 15 days to go >> 2013-09-28: PyDDF Sprint ... 23 days to go >> >> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 >> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg >> Registered at Amtsgericht Duesseldorf: HRB 46611 >> http://www.egenix.com/company/contact/ >> ________________________________________________ >> Infrastructure mailing list >> infrastruct...@python.org >> https://mail.python.org/mailman/listinfo/infrastructure >> Unsubscribe: >> https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org >> > _______________________________________________ pydotorg-www mailing list pydotorg-www@python.org https://mail.python.org/mailman/listinfo/pydotorg-www