OpenSSL and GNUTLS are insecure by default on Slackware64 14.2
Hi,
Both the OpenSSL and GNUTLS packages in Slackware use insecure ciphers by default. While I agree that you are far more likely to have the endpoint compromised than have ciphers broken, it's still annoying nonetheless. If you are using Slackware as a desktop you can check both yourself here: https://www.howsmyssl.com/ or https://www.ssllabs.com/ssltest/viewMyClient.html

GNUTLS supports 3DES whose entire cipherspace can be mapped and OpenSSL supports RC4 (which is considered broken these days). SSLv2 and SSLv3 support should be disabled by default on Slackware for it to be secure. For now I can solve this myself by recompiling OpenSSL and GNUTLS but newer users might be expecting the default installation to be secure.

This is primarily a desktop problem as servers (apache, nginx) normally have options to configure which ciphers to support. The disadvantage here is that it will break things e.g. servers that need support for older devices that don't support modern ciphers.

Anyway just my two cents.

Matt
Quote:
Anyway, I am using firefox set to be not vulnerable (for a long time now). You can do this with other browsers as well I assume.
Quote:
https://imgur.com/a/aLszr the supported protocols are in order of preference, first the more secure ones are tried and the less secure after: this way you can also navigate on sites that support older protocols.
Quote:
security.ssl3.rsa_des_ede3_sha if you don't use it
Quote:
for sites that need security (personal data, e-shopping, banking and so on) I'll check if the algorithm is ok (clicking on the lock, then the right arrow near "secure connection" and then on "more information").
Beautiful,
I accept perfectly that the user is responsible for their own security and expecting anybody else to be is stupid. Yes my browser may suck because it doesn't have the options to change ciphers (I would be of the opinion that isn't the browser's job but anyway). But there are plenty of tools (less configurable than a browser like firefox) you might use that don't have options such as wget (the ciphers option here doesn't improve things) or your email client (not including Thunderbird) or perhaps you fancy listing the cipher you want with curl. Me being somewhat lazy would rather have the configuration centralized so I don't have to check each individual thing.

As for order of preference with ciphers, I am fairly certain an attacker will simply force your browser to use the least secure available during the initial negotiation. I am aware of the option security.ssl3.rsa_des_ede3_sha but as already pointed out not all tools are as configurable as Firefox.

You have all clearly been a lot longer than I have and for the most part I agree with you.

Regards,
Matt
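An added example, not part of any post in this thread: the weak suites named above (RC4, 3DES) can be checked in one place by parsing a library's cipher list in the format printed by `openssl ciphers -v`. The function names and the sample lines are constructed for illustration; the protocol column is ignored because it names the protocol version that introduced a suite, not the version a connection will negotiate.

```shell
#!/bin/sh
# Added example (not from the thread): flag weak suites in the output
# format of `openssl ciphers -v`. Function names are hypothetical.

# Constructed sample lines in `openssl ciphers -v` format.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA Enc=3DES(168)   Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA      Au=RSA Enc=RC4(128)    Mac=SHA1
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA Enc=RC4(40)     Mac=MD5 export
EOF
}

# Read cipher lines on stdin; print one "WEAK <suite> (<reason>)" per hit.
# Decisions use the Enc=/Mac= fields and the trailing "export" token only,
# so AES128-SHA is not flagged merely because its protocol column says SSLv3.
audit_ciphers() {
    awk '
    NF >= 6 {
        enc = ""; mac = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        reason = ""
        if (enc ~ /^RC4/)       reason = "RC4"
        else if (enc ~ /^3DES/) reason = "3DES"
        else if (enc ~ /^DES/)  reason = "single DES"
        else if (enc ~ /^None/) reason = "no encryption"
        else if (mac == "MD5")  reason = "MD5 MAC"
        if ($NF == "export")    reason = "export-grade"
        if (reason != "") print "WEAK", $1, "(" reason ")"
    }'
}

# Live use on a system with the openssl binary:
#   openssl ciphers -v 'DEFAULT' | audit_ciphers
sample_ciphers | audit_ciphers
```

No output from the live command means none of these categories is in the library's default list; individual applications can still override that list.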
Quote:
Quote:
imagine a standard user that can't access sites without even knowing why.
Quote:
Code:
curl --insecure -v https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
Quote:
After the POODLE attacks became a thing mozilla set security.tls.version.min;1 by default, preventing the use of SSL3 or lower. If someone still requires to use SSL3 for something they may need to re-enable it and then perhaps it might be prudent to fine-tune which ciphers it supports, but for those of us who don't have any specific requirements and just want to be secure firefox already does the right thing with regard to TLS/SSL.