• Login
  • Register
  • Dolphin Forums
  • Home
  • FAQ
  • Download
  • Wiki
  • Code

Dolphin, the GameCube and Wii emulator - Forums › Dolphin Site › Site Feedback and Questions v
« Previous 1 ... 5 6 7 8 9 ... 21 Next »

Bad SSLLabs report for dolphin-emu.org
View New Posts | View Today's Posts

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
Bad SSLLabs report for dolphin-emu.org
11-04-2013, 02:38 AM
#1
seredlek
Unregistered
 
Hello i routinely scan all https:// pages that i encounter with ssllabs ssl test, and the results for the domain dolphin-emu.org look really shocking.
https://www.ssllabs.com/ssltest/analyze.html?d=dolphin-emu.org

This page uses a lot of weak and insecure ciphers:

Quote: Cipher Suites (sorted by strength; the server has no preference)

SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080) INSECURE 40
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) INSECURE 40
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040) INSECURE 56
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
SSL_CK_RC4_128_WITH_MD5 (0x10080) INSECURE 128
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0) INSECURE 168
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256

Instead of TLS 1.2 or 1.1 we have the insecure and redundant SSL2

Quote: Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 Yes
SSL 2 INSECURE Yes



and finally some flaws that allow ddos attacks:

Quote: Protocol Details
Secure Renegotiation
Supported

Secure Client-Initiated Renegotiation
Supported DoS DANGER

Insecure Client-Initated Renegotiation
No

BEAST attack
Not mitigated server-side
SSL 3: 0x9, TLS 1.0: 0x9

TLS compression
Yes INSECURE (more info)

RC4
Yes, but not used by modern browsers

Forward Secrecy
No NOT DESIRABLE (more info)

Next Protocol Negotiation
No

Session resumption
No (IDs assigned but not accepted)

I think all these quoted things make using ssl redundant on this page and should be dealt with asap.
Reply
11-04-2013, 04:49 AM
#2
delroth Offline
Making the world a better place through reverse engineered DSP firmwares
**********
Developers (Some Administrators and Super Moderators)
Posts: 1,356
Threads: 63
Joined: Aug 2011
Feel free to strip the SSL on your side if you think it's redundant.
Pierre "delroth" Bourdon - @delroth_ - Blog

<@neobrain> that looks sophisticated enough to not be a totally dumb thing to do
Website Find
Reply
11-04-2013, 05:01 AM
#3
seredlek
Unregistered
 
Maybe redundant is the wrong word.
The reason for this topic was to highlight the problem and hopefully see a more secure configuration as a result of it.
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf might help
Reply
10-16-2014, 09:06 AM
#4
Oehr Offline
Junior Member
**
Posts: 45
Threads: 4
Joined: Sep 2013
as the mod closed the old thread instead of merging, here is the post again to continue the discussion:

SSL 3.0, RC4, DES, 3DES, MD5 and SHA-1 - Old and busted encryption

https://www.ssllabs.com/ssltest/analyze.html?d=dolphin-emu.org

Obsolete SSL 3.0, without TLS as an alternative, along with the recent announcement of the POODLE attack, the website really needs a HTTPS upgrade:

Please disable SSL 3.0 entirely (to block downgrading from TLS) and add TLS 1.0 through 1.2 instead.

As for ciphers: All ciphers using RC4, DES, 3DES or MD5 (or a combination of those) are also considered broken and obsolete, so I suggest using only secure ciphers (that may also support perfect forward secrecy) whenever possible!

The certificate also needs an upgrade, as its still signed with SHA-1, which is also considered broken. Please do not just sign it again: Generate a new and longer key and sign that with SHA-2 (or SHA-3)

Additional reasons as to why this should be done real soon, aside from the obvious and dangerous security flaw:
1. Recent news (POODLE attack) have made this a much more pressing issue (its basically SSL 3.0's final nail in its coffin)
2. The situation from back when this thread was opened worsened: TLS 1.0 is NOT supported anymore for whatever reason. Only the highly insecure and flawed SSL 3.0 is.*
3. Browsers will probably drop SSL3 support soon or at least be shipped with it disabled.
Find
Reply
10-17-2014, 03:05 AM
#5
Oehr Offline
Junior Member
**
Posts: 45
Threads: 4
Joined: Sep 2013
Seems like the admin(s) already responded: dolphin-emu.org is TLSv1.0 only now!

I hope to see them step towards the future as well, with proper cipher suits and support for TLSv1.2. For that, you need to upgrade from openssl 0.9.8 though. as you are still stuck on that old version, I suspect youre still running debian 6 with apache2.2 as well. neither are up to date.

Here is my compilation of apache settings that will improve security without you updating any software. still: update is highly recommended!
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ALL:-EXP:-RC4:-RC2:-DES:-3DES:-MD5:-NULL
SSLProtocol ALL -SSLv3 -SSLv2


TLS compression is bad. PLEASE DEACTIVATE IT. Security flaw! https://en.wikipedia.org/wiki/CRIME
Find
Reply
« Next Oldest | Next Newest »


  • View a Printable Version
  • Subscribe to this thread
Forum Jump:


Users browsing this thread: 1 Guest(s)


Powered By MyBB | Theme by Fragma

Linear Mode
Threaded Mode