Bitcoin Forum
Author Topic: Site's Security Grade: A-  (Read 2455 times)
goozman96 (OP) | February 02, 2014, 07:43:48 AM | #1
https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org

Discuss?

theymos (Administrator) | February 02, 2014, 06:24:22 PM | #2
Quote
The server does not support Forward Secrecy with the reference browsers.

This is misleading. It should say, "Some of the reference browsers choose not to select a forward-secrecy cipher." The server supports forward secrecy if the client requests it, and in fact most browsers do select a FS cipher. The server also allows non-FS ciphers because, among ciphers supported by older browsers, the non-FS ciphers are stronger.

pekv2 | February 09, 2014, 12:42:50 AM (last edit: February 09, 2014, 01:30:05 AM by pekv2) | #3
Quote
The server does not support Forward Secrecy with the reference browsers.

This is misleading. It should say, "Some of the reference browsers choose not to select a forward-secrecy cipher." The server supports forward secrecy if the client requests it, and in fact most browsers do select a FS cipher. The server also allows non-FS ciphers because, among ciphers supported by older browsers, the non-FS ciphers are stronger.

This thread made me investigate my browser's security, which was horrible.

I did some digging for Mozilla-based browsers (FF/PM/WF etc.).

My life is pretty much boring; this made it a little more exciting to do some security cleanup work inside my browser. Modification of the profile is never-ending, even after 3-4 years of modifications :p

So here it goes.

My Palemoon browser was utilizing 128-bit on bitcointalk.org.

Here is what I did to force it to utilize TLS 1.2 or TLS 1.1 & AES 256-bit, RSA 2048-bit, SHA1 on bitcointalk.org.

Quote
http://kb.mozillazine.org/Security.tls.version.*

I changed

Code:
security.tls.version.min : 2
security.tls.version.max : 3

from their default settings to what is in the code box.

In about:config, search security.ssl3; leave the entries below as they are, and disable the rest.
OP: http://forum.palemoon.org/viewtopic.php?p=21731&sid=a065e58e6b465b89c238c38aa872ccda#p21731

http://forum.palemoon.org/viewtopic.php?p=22512&sid=a065e58e6b465b89c238c38aa872ccda#p22512
Code:
security.ssl3.dhe_dss_aes_256_sha;true
security.ssl3.dhe_dss_camellia_256_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
security.ssl3.dhe_rsa_camellia_256_sha;true
security.ssl3.ecdh_ecdsa_aes_256_sha;true
security.ssl3.ecdh_rsa_aes_256_sha;true
security.ssl3.ecdhe_ecdsa_aes_256_sha;true
security.ssl3.ecdhe_rsa_aes_256_sha;true
security.ssl3.rsa_aes_256_sha;true
security.ssl3.rsa_camellia_256_sha;true

Going to https://www.howsmyssl.com/ before the settings above, the rating was BAD.
After the settings above, going to https://www.howsmyssl.com/ , the rating went to good: "Your client is using TLS 1.2".

This might be outdated, but I did use some stuff inside as references.
http://luxsci.com/blog/256-bit-aes-encryption-for-ssl-and-tls-maximal-security.html

So, even though I just secured my browser, going to https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org still shows A-.

I think the client side, "my browser", is as tight as it can get.

Also, I hope I may redeem myself from the past by helping the community and you out, by helping them/you secure their/your Mozilla-based browser.

So with that, Theymos or anyone else, would you have any recommendations to secure the browsers any more than what they are with the above?

Please continue with this subject; I hope the info above helps people out. I like to help.

Edit:

I had tried

Code:
security.tls.version.min : 3
security.tls.version.max : 3

but certain sites like support.mozilla.org would not load.

Edit2:

Btw, I am using
https://addons.mozilla.org/en-US/firefox/addon/cipherfox/

to see the encryption type.

Edit3:
OK, I ran into a problem with a certain TLS-enabled site; I had to drop my security.tls.version.min down to 1.

So I'm guessing
Code:
security.tls.version.min : 1
security.tls.version.max : 3

is best for security and compatibility.
theymos (Administrator) | February 09, 2014, 01:29:43 AM | #4
Disabling ciphers may cause some sites to stop working. I'd only disable the very weak ones (if any very weak ones are enabled). Especially since HTTPS authentication is nearly useless anyway.

With TLS, the client sends a list of ciphers and then the server picks one. Sometimes (as with bitcointalk.org), the server picks the first supported cipher listed by the client. You should be able to tell Firefox the order in which to list ciphers, but there's no support for this AFAIK.

For choosing cipher suites:
- GCM is better than CBC.
- (EC)DHE provides forward secrecy. (Forward secrecy means that if someone records the encrypted network traffic, they can't later decrypt the traffic by obtaining a private key from the server.)
- AES is the best encryption algorithm. I wouldn't be surprised if effective attacks against RC4 are known to the NSA. Camellia is not as well-studied as AES, but it is preferred by most browsers for no apparent reason, which makes me suspicious.

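The negotiation theymos describes in post #4, and the security.ssl3.* pref list pekv2 posted in post #3, as an added example that is not code from the thread, from bitcointalk.org or from Mozilla. It classifies cipher-suite names (OpenSSL and IANA spelling) by the properties the post ranks on, translates Firefox/Pale Moon pref names into OpenSSL suite names, and models the server's choice both ways: first client-listed suite the server supports (the behaviour theymos attributes to bitcointalk.org) versus server preference. The client and server lists are constructed, not captures; the ranking order (forward secrecy, then AEAD, then AES over Camellia over RC4, then key size) is the editor's encoding of the post's advice, and the ChaCha20 entry is the editor's addition, not something the thread discusses. One thing the classifier makes visible: security.ssl3.ecdh_* prefs (no trailing e) are static ECDH and give no forward secrecy, unlike ecdhe_*.

```python
"""Classify TLS cipher suites and simulate which one a server selects.
Added example, not code from the thread; see the lead-in for what is assumed."""
import re
from dataclasses import dataclass

# Ephemeral (EC)DH gives forward secrecy; ECDH-/DH- without the trailing E is static.
_EPHEMERAL = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)[-_]")
# (pattern on the suite name, cipher family, key bits or None = read from the name)
_CIPHERS = [
    (re.compile(r"AES_?(\d+)"), "AES", None),
    (re.compile(r"CAMELLIA_?(\d+)"), "CAMELLIA", None),
    (re.compile(r"CHACHA20"), "CHACHA20", 256),
    (re.compile(r"DES-CBC3|3DES"), "3DES", 112),   # 168-bit key, ~112-bit strength
    (re.compile(r"RC4"), "RC4", 128),
    (re.compile(r"NULL"), "NULL", 0),
]
# Thread's preference (theymos, post #4): AES best, Camellia less studied, RC4 suspect.
_CIPHER_PREF = {"AES": 3, "CHACHA20": 2, "CAMELLIA": 1, "3DES": 0, "RC4": -1, "NULL": -2}
_PREF_PREFIX = "security.ssl3."

@dataclass(frozen=True)
class Suite:
    name: str
    forward_secrecy: bool
    aead: bool          # GCM/CCM/ChaCha20-Poly1305: no CBC padding to attack
    cipher: str
    key_bits: int

def classify(name):
    """Derive a suite's security-relevant properties from its OpenSSL or IANA name."""
    for pattern, cipher, bits in _CIPHERS:
        match = pattern.search(name)
        if match:
            key_bits = bits if bits is not None else int(match.group(1))
            break
    else:
        raise ValueError(f"unrecognised cipher in {name!r}")
    aead = any(tok in name for tok in ("GCM", "CCM", "CHACHA20"))
    return Suite(name, bool(_EPHEMERAL.match(name)), aead, cipher, key_bits)

def rank(name):
    """Sort key, higher is better: forward secrecy, then AEAD, then cipher, then key size."""
    s = classify(name)
    return (s.forward_secrecy, s.aead, _CIPHER_PREF[s.cipher], s.key_bits)

def offer_order(names):
    """Order in which a client should list suites so a client-order server picks the best."""
    return sorted(names, key=rank, reverse=True)

def negotiate(client_offer, server_prefs, honour_client_order=True):
    """Suite a TLS 1.2 server selects, or None when the lists do not overlap.
    True: first client-listed suite the server supports (what theymos says
    bitcointalk.org did). False: first server-preferred suite the client offers
    (nginx ssl_prefer_server_ciphers on / OpenSSL SSL_OP_CIPHER_SERVER_PREFERENCE)."""
    first, second = (client_offer, server_prefs) if honour_client_order else (server_prefs, client_offer)
    supported = set(second)
    return next((s for s in first if s in supported), None)

def pref_to_suite(pref):
    """Map a security.ssl3.<kea>[_<auth>]_<cipher>_<bits>[_gcm]_<mac> pref to its OpenSSL
    suite name. RSA key exchange is implicit in OpenSSL names (rsa_aes_256_sha ->
    AES256-SHA) and RC4 carries no key size in its name (rsa_rc4_128_sha -> RC4-SHA)."""
    tokens = (pref[len(_PREF_PREFIX):] if pref.startswith(_PREF_PREFIX) else pref).split("_")
    kea = tokens.pop(0)
    parts = [] if kea == "rsa" else [kea.upper(), tokens.pop(0).upper()]
    cipher, bits = tokens.pop(0), tokens.pop(0)
    parts.append("RC4" if cipher == "rc4" else cipher.upper() + bits)
    if tokens and tokens[0] == "gcm":
        parts.append(tokens.pop(0).upper())
    parts.append(tokens.pop(0).upper())      # sha / sha256 / sha384
    return "-".join(parts)

# Constructed inputs: the suites pekv2 left enabled (post #3) in an arbitrary order,
# and a plausible 2014-era server preference list. Neither is a real capture.
PEKV2_PREFS = [
    "security.ssl3.rsa_aes_256_sha", "security.ssl3.rsa_camellia_256_sha",
    "security.ssl3.ecdh_rsa_aes_256_sha", "security.ssl3.dhe_rsa_aes_256_sha",
    "security.ssl3.ecdhe_rsa_aes_256_sha", "security.ssl3.ecdhe_ecdsa_aes_256_sha",
]
CLIENT_OFFER = [pref_to_suite(p) for p in PEKV2_PREFS]
SERVER_PREFS = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA",
                "AES256-SHA", "AES128-SHA", "RC4-SHA"]

if __name__ == "__main__":
    for name in CLIENT_OFFER:
        print(f"{name:26} {classify(name)}")
    print("client order honoured:", negotiate(CLIENT_OFFER, SERVER_PREFS))        # AES256-SHA, no FS
    print("server order honoured:", negotiate(CLIENT_OFFER, SERVER_PREFS, False))  # ECDHE-RSA-AES256-SHA
    print("client list re-ordered:", negotiate(offer_order(CLIENT_OFFER), SERVER_PREFS))  # DHE-RSA-AES256-SHA
```

The three prints show the point of the post: with the constructed offer as listed, a server that honours client order lands on AES256-SHA with no forward secrecy, while the same server honouring its own order, or the same client listing its (EC)DHE suites first, ends up on an ephemeral suite. Disabling the non-FS suites client-side would force the same outcome, at the compatibility cost theymos warns about in the same post.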
pekv2 | February 09, 2014, 02:03:25 AM | #5
Very new to me, and interesting indeed. Makes sense; I disabled all Camellia in about:config, forcing a certain site to now use AES instead of Camellia.

Seems like the standard is
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.rsa_aes_256_sha

Good to know!

Hopefully, whether it helps or not, as I saw you stated "HTTPS authentication is nearly useless anyway", this clears things up for anybody wondering, like myself.

I will give enabled

Code:
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.rsa_aes_256_sha

a test run for a week or so. If any complications happen, I'll revert.
pekv2 | February 11, 2014, 11:39:28 PM | #6
Quote
With TLS, the client sends a list of ciphers and then the server picks one. Sometimes (as with bitcointalk.org), the server picks the first supported cipher listed by the client. You should be able to tell Firefox the order in which to list ciphers, but there's no support for this AFAIK.

Does this help at all? I don't quite follow what Moonchild has done, but it seems to me it might be related to the quote above (in bold).

http://forum.palemoon.org/viewtopic.php?f=1&t=3848&sid=2309b57228f8968e551c0187bee0e64e

Quote
Changed the list of supported encryption ciphers and order of preference to provide you with secure, speedy connections wherever possible.

theymos (Administrator) | February 11, 2014, 11:47:27 PM | #7
Yes, though I assume he did that in the code. It should be user-configurable.

goozman96 (OP) | February 11, 2014, 11:52:42 PM | #8
How is it that other sites score better then?
Example:
https://www.ssllabs.com/ssltest/analyze.html?d=transmitly.com

BCB | February 12, 2014, 01:39:54 AM | #9
This is alarming.

https://www.ssllabs.com/ssltest/analyze.html?d=bitcoin.org

goozman96 (OP) | February 12, 2014, 02:29:14 AM | #10
LOL

Lauda | February 12, 2014, 05:50:39 AM | #11
Excellent. How much more do we have to wait until it has been updated/upgraded? This leaves so much room for a potential second hack.

goozman96 (OP) | February 22, 2014, 11:57:02 PM | #12
Quote
Excellent. How much more do we have to wait until it has been updated/upgraded? This leaves so much room for a potential second hack.
Looks like it's been fixed.

BCB | February 23, 2014, 03:14:36 AM | #13
Quote
Excellent. How much more do we have to wait until it has been updated/upgraded? This leaves so much room for a potential second hack.
Looks like it's been fixed.

Very nice.
repentance | February 23, 2014, 04:46:55 AM | #14
LOL.


Justin00 | February 23, 2014, 12:11:15 PM (last edit: February 23, 2014, 12:25:16 PM by Justin00) | #15
Good to see it's fixed.

Swiss_Love | February 24, 2014, 09:25:20 AM | #16
Quote
Good to see it's fixed.

+1
Mitchell (Staff) | February 24, 2014, 04:55:47 PM | #17

Funny thing. It's not fixed at all.





goozman96 (OP) | February 24, 2014, 06:38:39 PM | #18
It used to be an F. It's not perfect, but it's been improved a great deal.

Lauda | February 24, 2014, 09:16:04 PM | #19
Now it is okay, but an A+ is always welcome.

markjamrobin | February 24, 2014, 10:11:42 PM | #20
Quote
It used to be an F. It's not perfect, but it's been improved a great deal.

Why was it an F? What could possibly have been done?
