SSL/TLS now enabled across all of Kubuntu Forums

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    SSL/TLS now enabled across all of Kubuntu Forums

    You may notice a little bit of green scattered about the forum today...

    Eavesdroppers are generally interested in what people are doing right now. They acquire their information by observing traffic in flight and making correlations. We can reduce the amount of "signal" on the Internet by carrying all our over-the-wire traffic in HTTPS and thus providing a degree of protection for our users.

    HTTPS is now the default (and only) access method for KFN. Crucially, this protects your login credentials. It also encrypts all traffic between your browser and our instance, and authenticates that you are communicating with a host in the kubuntuforums.net domain. It will not affect search engine discovery or ranking at all; you may continue to use $FAVORITE-SEARCH-ENGINE to locate information on KFN. I have configured Apache on our Linode instance to permanently redirect all HTTP requests to HTTPS, which helps prevent link breakage.

    Details for the curious: TLS 1.0, 2048-bit RSA public/private keys, AES 128-bit CBC session keys. The certificate is issued from GoDaddy, who is also the registrar for our domain.

    Those of you who access the forum via Tapatalk will note that it currently isn't working. This will be fixed very shortly.
    Last edited by SteveRiley; Dec 24, 2013, 02:16 PM.

    #2
    Tapatalk is now working again. Forum URLs are not immediately cleared in the app, but will refresh themselves in 12 to 24 hours. Alternately, you can use your phone's or tablet's application settings menu to clear all Tapatalk data. You will then need to re-add each forum you visit with Tapatalk. Unfortunately, removing and re-adding a single forum doesn't appear to clear that forum's cache on your device.

      #3
      Update, for those who are interested.

      I have configured OpenSSL's cipher suite on our server to prefer perfect forward secrecy via ephemeral Diffie-Hellman key exchange when generating the session key. I've also limited the suite to using 128-bit session keys. 256-bit session keys are computationally much more expensive, offer no benefit, and are known to be vulnerable to certain unusual timing attacks.

      I have disabled 3DES and RC4 completely. A side effect of this is that Windows XP computers using any version of Internet Explorer will no longer be able to visit KFN. I doubt this will be a problem for us.


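An added example, not the forum's actual server configuration: an Apache mod_ssl virtual host pair that approximates the policy described in post #1 and post #3 (permanent HTTP to HTTPS redirect, server-preferred ephemeral Diffie-Hellman suites, 128-bit AES only, no RC4 or 3DES). The certificate paths are placeholders, and Apache 2.4 with OpenSSL 1.0.1 or later and the SSLProtocol line are assumptions.

```apache
# Added example (not Kubuntu Forums' real configuration).
# Assumed: Apache 2.4 with mod_ssl and mod_alias, OpenSSL 1.0.1+.

# Port 80: permanently (301) redirect every request to HTTPS so existing
# links and search-engine entries keep working instead of breaking.
<VirtualHost *:80>
    ServerName kubuntuforums.net
    Redirect permanent / https://kubuntuforums.net/
</VirtualHost>

<VirtualHost *:443>
    ServerName kubuntuforums.net
    SSLEngine on

    # Placeholder paths; the CA-issued certificate, its chain and the 2048-bit RSA key.
    SSLCertificateFile      /etc/ssl/certs/PLACEHOLDER-kubuntuforums.crt
    SSLCertificateChainFile /etc/ssl/certs/PLACEHOLDER-ca-chain.crt
    SSLCertificateKeyFile   /etc/ssl/private/PLACEHOLDER-kubuntuforums.key

    # Assumption: drop SSLv2/SSLv3 entirely; TLS 1.0 and later remain available.
    SSLProtocol all -SSLv2 -SSLv3

    # The server's order wins over the client's, so forward-secret suites
    # (ephemeral ECDH / DH) are chosen whenever the client supports them.
    SSLHonorCipherOrder on

    # Ephemeral key exchange with AES-128 first, plain RSA key exchange with
    # AES-128 as a fallback. RC4, 3DES, 256-bit AES, MD5 and anonymous,
    # null and export suites are excluded explicitly.
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!AES256:!MD5

    # To review what the string expands to on the server before reloading Apache:
    #   openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!AES256:!MD5'
    # Every line printed should show Enc=AES(128) and Kx=ECDH, DH or RSA.
</VirtualHost>
```

The GCM suites only negotiate under TLS 1.2, so clients limited to TLS 1.0 fall through to the CBC entries in the same list.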