On Sat, Sep 7, 2013 at 12:01 AM, Noah Kantrowitz <n...@coderanger.net> wrote:
> I would sooner burn the entire PSF infra than compromise our key integrity
> (if you are worried about government intrusions). Every person that has
> ever had access to our key material I trust personally (the list is quite
> small). Given that, PFS doesn't buy us a whole lot unless someone was able
> to steal the private key(s) without our knowledge and while every step I
> can think has been taken to prevent this, I can never fully rule it out.
> That said, now that Fastly handles the vast bulk of SSL terminations, we
> can probably look at this without risk of overloading the servers :-)
> (corollary, Fastly doesn't offer ECC for exactly the same reasons we
> aren't, nor would I expect this to change in the near future)
>

I'm not worried about anything. I was just wondering if we could follow the
best practices on the web to set a good example. But since I'm not doing the
work I'll just shut up. :)

>
> --Noah
>
> On Sep 6, 2013, at 11:39 PM, Gregory P. Smith wrote:
>
> > Any chance we could change the default preferred ciphers?
> >
> > currently sslscan shows (complete with a misspelling):
> >
> > Prefered Server Cipher(s):
> > SSLv3 128 bits RC4-SHA
> > TLSv1 128 bits RC4-SHA
> >
> > for wiki.python.org et al?
> >
> > Defaulting to ECDHE (for perfect forward secrecy) seems the right thing
> > to do for the web.
> >
> > ie it'd be great to see:
> >
> > Prefered Server Cipher(s):
> > SSLv3 128 bits ECDHE-RSA-RC4-SHA
> > TLSv1 128 bits ECDHE-RSA-RC4-SHA
> >
> > http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
> >
> > -gps
> >
> >
> > On Thu, Sep 5, 2013 at 9:06 AM, M.-A. Lemburg <m...@egenix.com> wrote:
> > On 04.09.2013 22:26, M.-A. Lemburg wrote:
> > > On 04.09.2013 22:16, M.-A. Lemburg wrote:
> > >> On 03.09.2013 16:49, M.-A. Lemburg wrote:
> > >>> Since the HTTPS redirects are now mostly working (there are still some
> > >>> details to be worked out), I've removed the wiki banners about the
> > >>> attack and instead added a section to the front pages of the Python
> > >>> and Jython wikis.
> > >>>
> > >>> It's a good idea to change the passwords on the wikis now, since
> > >>> clear text passwords are just too easy to sniff at conferences.
> > >>
> > >> Update: The HTTPS config changes have now been put in place and
> > >>
> > >> HSTS is now also enabled for the wikis:
> > >>
> > >> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> > >>
> > >> (allowing redirects to happen on the client side, if the browser
> > >> supports HSTS)
> > >
> > > I've submitted an HSTS preload list entry request to Google for
> > > inclusion in their list:
> > >
> > > https://sites.google.com/a/chromium.org/dev/sts
> > > https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
> > >
> > > Firefox bases its list on Google's, so hopefully wiki.python.org
> > > will end up there as well in a few weeks:
> > >
> > > http://blog.mozilla.org/security/2012/11/01/preloading-hsts/
> > > https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
> >
> > This is added now:
> >
> > http://src.chromium.org/viewvc/chrome?revision=221431&view=revision
> >
> > It'll appear in Chrome after the usual product development
> > cycles. Not sure how often Mozilla updates their list.
> >
> > Donald: You might want to add pypi.python.org to the HSTS
> > list as well.
> >
> > --
> > Marc-Andre Lemburg
> > eGenix.com
> >
> > Professional Python Services directly from the Source (#1, Sep 05 2013)
> > >>> Python Projects, Consulting and Support ... http://www.egenix.com/
> > >>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
> > >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> > ________________________________________________________________________
> > 2013-09-04: Released eGenix pyOpenSSL 0.13.2 ... http://egenix.com/go48
> > 2013-09-20: PyCon UK 2013, Coventry, UK ... 15 days to go
> > 2013-09-28: PyDDF Sprint ... 23 days to go
> >
> > eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> > D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> > Registered at Amtsgericht Duesseldorf: HRB 46611
> > http://www.egenix.com/company/contact/
> > ________________________________________________
> > Infrastructure mailing list
> > infrastruct...@python.org
> > https://mail.python.org/mailman/listinfo/infrastructure
> > Unsubscribe:
> > https://mail.python.org/mailman/options/infrastructure/greg%40krypto.org
>
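The before/after sslscan snippets Gregory quotes above, run through a small checker added here (example code, not from the thread or the PSF infrastructure): it parses the preferred-cipher lines, derives the key exchange from the OpenSSL suite name, and flags suites that lack forward secrecy or still use RC4. The sample input is constructed from the quoted output; the function and variable names are my own.

```python
import re
# Constructed sample input modelled on the sslscan output quoted in the thread.
SCAN_BEFORE = """\
Prefered Server Cipher(s):
  SSLv3 128 bits RC4-SHA
  TLSv1 128 bits RC4-SHA
"""
SCAN_AFTER = """\
Prefered Server Cipher(s):
  SSLv3 128 bits ECDHE-RSA-RC4-SHA
  TLSv1 128 bits ECDHE-RSA-RC4-SHA
"""
LINE_RE = re.compile(r"^\s*(SSLv[23]|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)")

def classify(cipher):
    """Derive key exchange, forward secrecy and RC4 use from an OpenSSL suite name."""
    if cipher.startswith("ECDHE-"):
        kx = "ECDHE"
    elif cipher.startswith(("DHE-", "EDH-")):
        kx = "DHE"
    else:
        kx = "RSA"  # static RSA key transport: a leaked key decrypts old captures
    return {"cipher": cipher, "kx": kx, "pfs": kx != "RSA", "rc4": "RC4" in cipher}

def parse_preferred(text):
    """Return one record per protocol line in the preferred-cipher block."""
    records, in_block = [], False
    for line in text.splitlines():
        if line.startswith("Prefered Server Cipher(s)"):
            in_block = True
        elif in_block:
            match = LINE_RE.match(line)
            if not match:
                break  # block ends at the first line that is not a cipher line
            proto, bits, cipher = match.groups()
            records.append(dict(classify(cipher), proto=proto, bits=int(bits)))
    return records

def issues(text):
    """Findings a reviewer would raise: no PFS, or RC4 kept under an ECDHE exchange."""
    out = []
    for r in parse_preferred(text):
        tag = "%s %s" % (r["proto"], r["cipher"])
        if not r["pfs"]:
            out.append(tag + ": no forward secrecy (static RSA key exchange)")
        if r["rc4"]:
            out.append(tag + ": RC4 keystream biases remain even with ECDHE")
    return out
```

Moving to ECDHE-RSA-RC4-SHA clears the forward-secrecy finding but keeps the RC4 one, which is why the checker reports both separately.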
_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
https://mail.python.org/mailman/listinfo/pydotorg-www