<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt><font size="-1">Update MediaWiki to remove this* attack vector<br>
*
<a class="moz-txt-link-freetext" href="http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html">http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html</a></font></tt><br>
<div class="moz-cite-prefix">On 01/31/2014 09:39 AM, Hans-Christoph
Steiner wrote:<br>
</div>
<blockquote cite="mid:52EBC3CB.8020509@guardianproject.info"
type="cite">
<pre wrap="">
On 01/31/2014 08:42 AM, Matej Kovacic wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
</pre>
<blockquote type="cite">
<pre wrap=""><a class="moz-txt-link-freetext" href="https://guardianproject.info/blog">https://guardianproject.info/blog</a> results in "Error establishing a
database connection"
</pre>
</blockquote>
</blockquote>
<pre wrap="">
Yup, it's down, and the person with admin access is traveling in a far away land...
</pre>
<blockquote type="cite">
<pre wrap="">BTW, there is a SSL test:
<a class="moz-txt-link-freetext" href="https://www.ssllabs.com/ssltest/analyze.html?d=guardianproject.info">https://www.ssllabs.com/ssltest/analyze.html?d=guardianproject.info</a>
My recommendation is to enable TLS 1.1 and TLS 1.2 and disable SSL 3,
enable Perfect Forward Secrecy (in Apache you can use parameter
SSLDHParametersFile, but only from Apache 2.4.2
/etc/apache2/ssl/dhparam_4096.pem).
I would also recommend to enable Strict Transport Security (add this
into Apache config: Header add Strict-Transport-Security
"max-age=31536000").
There are also some certification paths issues, it seems you need to
add intermediate certificate to your Apache config. I would also
recommend to update OpenSSL (Lucky 13 attack is mitigated since 1.0.1
version).
It seems you have SSLHonorCipherOrder On, but to mitigate BEAST and
some other attacks I would recommend to add this parameter in your
Apache config:
SSLCipherSuite
'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
</pre>
</blockquote>
<pre wrap="">
These are all things we want to do, but we don't have control over that part.
It's an old-school web hosting package from our friends at mayfirst.org. So
we're asking them if this stuff can be improved.
.hc
</pre>
</blockquote>
<br>
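The checklist in the quoted message (SSLv3 off, server cipher order, cipher exclusions, HSTS, intermediate certificate) can be turned into a small config audit. This is an added example, not code from the thread or from any participant; the two config fragments are constructed, and treating a missing SSLProtocol line as "all" and expecting intermediates in SSLCertificateChainFile are assumptions.

```python
import re

# Constructed sample vhost fragments; not guardianproject.info's real config.
WEAK = """\
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCertificateFile /etc/apache2/ssl/site.crt
"""
HARDENED = """\
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite 'EECDH+aRSA+AESGCM:EDH+aRSA:!aNULL:!eNULL:!RC4:!MD5'
SSLCertificateFile /etc/apache2/ssl/site.crt
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
Header add Strict-Transport-Security "max-age=31536000"
"""

def directives(conf):
    """Map lower-cased directive name -> list of argument strings."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out.setdefault(name.lower(), []).append(args.strip())
    return out

def audit(conf):
    """Return findings for the items raised in the email, in that order."""
    d = directives(conf)
    findings = []
    # Assumption: a missing SSLProtocol line is treated as "all".
    proto = " ".join(d.get("sslprotocol", ["all"])).lower().split()
    if ({"all", "sslv3", "+sslv3"} & set(proto)) and "-sslv3" not in proto:
        findings.append("SSLv3 enabled")
    if d.get("sslhonorcipherorder", ["off"])[-1].lower() != "on":
        findings.append("server cipher order not enforced")
    suite = d.get("sslciphersuite", [""])[-1]
    if not suite:
        findings.append("no SSLCipherSuite")
    elif not all(x in suite for x in ("!aNULL", "!eNULL", "!RC4", "!MD5")):
        findings.append("cipher list keeps a weak class")
    hsts = re.compile(r"strict-transport-security\s+\"?max-age=[1-9]\d*", re.I)
    if not any(hsts.search(h) for h in d.get("header", [])):
        findings.append("no HSTS header")
    # Assumption: intermediates are supplied via SSLCertificateChainFile.
    if "sslcertificatechainfile" not in d:
        findings.append("no intermediate chain file")
    return findings
```

`audit(WEAK)` reports four findings and `audit(HARDENED)` reports none.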
</body>
</html>