Time to improve the site security?

  • TECK
    Senior Member
    • Dec 2001
    • 1508
    • 3.8.x

    Hi,

    A quick check on SSL Labs shows that vBulletin.com is currently vulnerable to BEAST, DDoS and MITM attacks. To protect the site's identity, I've run the statistics in hidden mode.
    Floren Munteanu
    Axivo Inc.
    Axivo Searchlight - Turbocharge your web site
  • AdrianH
    Senior Member
    • Sep 2007
    • 508

    #2
    Indeed the Security/Anti fraud system within Opera states that this site is insecure and not to use it to transmit sensitive information.

    • Alfa1
      Senior Member
      • Dec 2005
      • 4165
      • 3.8.x

      #3
      Originally posted by AdrianH
      Indeed the Security/Anti fraud system within Opera states that this site is insecure and not to use it to transmit sensitive information.
      That just means that content is loaded from both http and https. Nothing more.
      I buy 420 forums

      • Maurd
        Senior Member
        • Jun 2011
        • 672
        • 4.1.x

        #4
        I haven't used Opera in some time, but I recall it complaining about this server's lack of the renegotiation extension and due to that, assuming the software may be "old and insecure".

        Doesn't hold much water IMO. Same goes for BEAST since apparently even PayPal is "vulnerable" to it.
        - Maurice Workin' in the Jira mine, goin' down, down, down

        • TECK
          Senior Member
          • Dec 2001
          • 1508
          • 3.8.x

          #5
          Originally posted by Maurd
          Same goes for BEAST since apparently even PayPal is "vulnerable" to it.
          And DDoS also, LOL. I see that some of their server software is getting updated... Better late than never. Google are clean, though... on top of that they use EC.
          Floren Munteanu
          Axivo Inc.
          Axivo Searchlight - Turbocharge your web site

          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73976

            #6
            I'll bring these up at the weekly support meeting, but we don't have complete control over our servers. They are managed and maintained by Internet Brands' Networking and Unix departments.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API

            • TECK
              Senior Member
              • Dec 2001
              • 1508
              • 3.8.x

              #7
              Thanks Wayne, much appreciated.
              We use the same setup present on Google's secure servers. The Axivo score is a little better because we enabled support for TLS 1.1/1.2 and added a few extra ciphers.

              For those not familiar with BEAST, this is how easy it is to gain control over your Paypal account:



              The video was made by two security experts, in order to make the technical audience react to the dangers of insecure SSL setups on both the client and server sides.
              Last edited by TECK; Sat 19 May '12, 7:48pm.
              Floren Munteanu
              Axivo Inc.
              Axivo Searchlight - Turbocharge your web site

              • Paul M
                Former Lead Developer
                vB.Com & vB.Org
                • Sep 2004
                • 9886

                #8
                We have an uncommon SSL set-up here (which is why vB has problems with it). The SSL requests don't actually terminate on the server.
                Baby, I was born this way

                • Maurd
                  Senior Member
                  • Jun 2011
                  • 672
                  • 4.1.x

                  #9
                  Originally posted by TECK
                  And DDoS also, LOL. I see that some of their servers software is getting updated... Better late than never. Google are clean, though... on top of that they use EC.
                  Yup.

                  BTW, thank you for posting this. I like little tools like those. https://www.ssllabs.com/ssltest/anal...hideResults=on
                  - Maurice Workin' in the Jira mine, goin' down, down, down

                  • TECK
                    Senior Member
                    • Dec 2001
                    • 1508
                    • 3.8.x

                    #10
                    Originally posted by Maurd
                    BTW, thank you for posting this. I like little tools like those. https://www.ssllabs.com/ssltest/anal...hideResults=on
                    I like that you filter the ciphers list. I would also disable the Strict Transport Security.
                    And switch to EC ciphers, they are faster and more secure.

                    If you run on Red Hat/CentOS, use the Axivo RPMs. I have enabled Google's 64-bit optimized Ephemeral Elliptic Curve Diffie-Hellman key exchange. Axivo is the only repository offering OpenSSL compiled with Google's EC enhancements. As far as I know, only Axivo, Google and a client of mine run the optimized EC on production websites. Not even Facebook has it implemented.

                    This basically protects an https-secured session from being retroactively decrypted, according to Adam Langley, a member of the Google security team. So if a bad guy attempts to decrypt SSL sessions he has recorded, he will be unable to do so. Compared to previous RSA tests on OpenSSL 1.0.1c, the atomic elliptic curve operations are up to 4 times faster and the implementation is immune to timing attacks.

                    Another plus for the Axivo RPMs is OpenSSL SCTP support. It is technically impossible to compile SCTP into OpenSSL with the libraries available in either the 5 or 6 distro releases. Yet, we offer it to everyone.
                    Last edited by TECK; Sat 19 May '12, 7:49pm.
                    Floren Munteanu
                    Axivo Inc.
                    Axivo Searchlight - Turbocharge your web site

                    • Maurd
                      Senior Member
                      • Jun 2011
                      • 672
                      • 4.1.x

                      #11
                      Originally posted by TECK
                      Switch to EC, faster and more secure.

                      If you run on Red Hat, use the Axivo RPMs. I have enabled Google's 64-bit optimized Ephemeral Elliptic Curve Diffie-Hellman key exchange. As far as I know, only Axivo, Google and a client of mine run the optimized EC in production. Not even Facebook has it implemented.

                      Compared to previous RSA tests on OpenSSL 1.0.1c, the atomic elliptic curve operations are up to 4 times faster. The implementation is immune to timing attacks.
                      Ubuntu 10.04. I moved away from the RHEL/CentOS scene about a year ago.
                      - Maurice Workin' in the Jira mine, goin' down, down, down

                      • TECK
                        Senior Member
                        • Dec 2001
                        • 1508
                        • 3.8.x

                        #12
                        You can still use EC as it is enabled in the Ubuntu packages, although it is not as fast as Google's optimized EC. I see you run Apache; use the ECDHE-RSA-RC4-SHA:RC4-SHA ciphers with SSLHonorCipherOrder on (Apache 2.3.3+).

                        The server overhead is higher with regular EC and Google's optimized 64-bit EC, compared to RSA:
                        (DHE is a real disaster for performance)



                        Still, I would rather have a bit of stress on server and run everything secure.
                        With Google EC, the key exchange is 4 times faster compared to regular EC.

                        Originally posted by Maurd
                        I moved away from the RHEL/CentOS scene about a year ago.
                        That is because you did not know about Axivo. Switch back to CentOS.
                        And for the love of God, please use Nginx.
                        Last edited by TECK; Sun 20 May '12, 9:57am.
                        Floren Munteanu
                        Axivo Inc.
                        Axivo Searchlight - Turbocharge your web site
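Added example, not code from the thread, from vBulletin or from Axivo: an offline audit of the three mod_ssl directives the posts above turn on (#10 on ephemeral EC key exchange and forward secrecy, #12 on SSLCipherSuite and SSLHonorCipherOrder). It classifies suite names purely by OpenSSL's naming convention: an ECDHE-/DHE- prefix means ephemeral key exchange, so a recorded session cannot be decrypted later with the server's long-term key; RC4 and NULL are stream or no-op ciphers; anything else without GCM/CCM/CHACHA20 is CBC and therefore exposed to BEAST only when TLS 1.0 is still reachable. The two configuration fragments are constructed for the example (the RC4 one mirrors the #12 suggestion, the other is a hardened counterpart); the RC4 finding reflects RFC 7465, which prohibited RC4 in TLS in 2015, after this thread was written.

```python
"""Offline audit of an Apache mod_ssl configuration (added example).

Not code from the thread, vBulletin or Axivo.  Suites are judged by
OpenSSL's naming convention only; run `openssl ciphers -v '<string>'`
on the target host to see what a string really expands to there.
"""
import re

# OpenSSL cipher-string aliases expand to many suites and cannot be
# classified offline; the audit just asks you to expand them.
ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW",
           "EXPORT", "EXP", "eNULL", "aNULL", "kRSA", "aRSA", "kEDH", "kEECDH",
           "AES", "RC4", "3DES", "SHA", "SHA1", "SHA256", "SHA384"}

# Apache 2.4 expands "all" in SSLProtocol to these; SSLv2 was dropped in
# 2.4 and only appears if an older build enables it explicitly.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample: RC4 to sidestep BEAST, but the client picks the
# suite, SSLv3 and TLS 1.0 stay on, and two suites have no ECDHE.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:AES128-SHA
SSLHonorCipherOrder off
"""

# Constructed sample: ephemeral key exchange throughout, AEAD first; the
# one CBC suite is reachable only over TLS 1.1+, where BEAST does not apply.
HARDENED_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384
SSLHonorCipherOrder on
"""


def classify_suite(name):
    """Classify one OpenSSL suite name: key exchange, cipher mode, weaknesses."""
    upper = name.upper()
    aead = any(tag in upper for tag in ("GCM", "CCM", "CHACHA20"))
    stream = "RC4" in upper or "NULL" in upper
    weak = []
    if "RC4" in upper:
        weak.append("RC4 keystream biases; RC4 is prohibited in TLS by RFC 7465")
    if "DES-CBC3" in upper or "3DES" in upper:
        weak.append("64-bit block cipher (3DES)")
    if (re.search(r"(^|-)DES-CBC-", upper) or "EXP" in upper or "NULL" in upper
            or upper.endswith("-MD5") or upper.startswith(("ADH-", "AECDH-"))):
        weak.append("export, single-DES, NULL, MD5 or unauthenticated suite")
    return {
        "name": name,
        # Ephemeral (EC)DH: the session key never depends on the long-term key.
        "forward_secret": bool(re.match(r"^(ECDHE|DHE|EDH)-", upper)),
        "aead": aead,
        "cbc": not aead and not stream,
        "weak": weak,
    }


def parse_protocols(spec):
    """Resolve an SSLProtocol value ("all -SSLv3 -TLSv1") to the enabled set."""
    enabled = set()
    for tok in spec.split():
        sign, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if proto.lower() == "all" else (proto,)
        enabled.update(names) if sign == "+" else enabled.difference_update(names)
    return sorted(enabled)


def audit_apache_ssl(config_text):
    """Return protocols, ordering flag, listed suites and a list of findings."""
    directives = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives[key.lower()] = value.strip()
    protocols = parse_protocols(directives.get("sslprotocol", "all"))
    honor = directives.get("sslhonorcipherorder", "off").lower() == "on"
    findings = [f"{p} enabled" for p in ("SSLv2", "SSLv3") if p in protocols]
    if not honor:
        findings.append("SSLHonorCipherOrder is off: the client chooses, so the "
                        "preferred ECDHE entries may never be negotiated")
    suites = []
    for entry in directives.get("sslciphersuite", "DEFAULT").split(":"):
        if not entry or entry[0] in "!-+@":   # exclusion/ordering tokens, no suite
            continue
        if entry in ALIASES:
            findings.append(f"alias {entry}: expand with `openssl ciphers -v '{entry}'`")
            continue
        suites.append(entry)
        cls = classify_suite(entry)
        if not cls["forward_secret"]:
            findings.append(f"{entry}: static key exchange, recorded traffic is "
                            "decryptable once the server key leaks")
        findings.extend(f"{entry}: {reason}" for reason in cls["weak"])
        if cls["cbc"] and "TLSv1" in protocols:
            findings.append(f"{entry}: CBC suite reachable over TLS 1.0 (BEAST)")
    return {"protocols": protocols, "honor_cipher_order": honor,
            "suites": suites, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_apache_ssl(cfg)
        print(f"{label}: protocols={report['protocols']} findings={len(report['findings'])}")
        for finding in report["findings"]:
            print("  -", finding)
```

Against the constructed weak fragment the audit reports seven findings (SSLv3 on, client-side ordering, RC4 in both RC4 suites, no forward secrecy for RC4-SHA and AES128-SHA, and AES128-SHA as a CBC suite reachable over TLS 1.0); the hardened fragment produces none, because its one CBC suite can only be negotiated under TLS 1.1 or later. The name-based classification is the same shortcut SSL Labs-style scanners take before they probe the live handshake, which is why the aliases are sent back to `openssl ciphers -v` rather than guessed.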
