
www.gnupg.org does not use ECC
Closed, ResolvedPublic

Description

Hello, I found some issues with the HTTPS version of your page:

  1. There is mixed HTTP/HTTPS content on the page. When opening https://www.gnupg.org, there are images which are transferred with HTTP (from w3c.org).
  2. The intermediate CA, CAcert Class 3 Root, uses MD5withRSA, which is weak. See the analysis https://www.ssllabs.com/ssltest/analyze.html?d=www.gnupg.org
  3. Weak ciphers are offered by your server: RC2, RC4, DES. https://www.ssllabs.com/projects/best-practices/index.html
  4. Please consider enabling STARTTLS for SMTP traffic on your mail server

ns1.u64.de.

Event Timeline

It would be nice to have this correct. HTTPS is far from a perfect solution, but it's still one additional layer of protection. (Everybody should check the signatures on downloaded packages.)

Will you support RFC 6091?

  • Mon, 07 Oct 2013 15:06:01 +0000 - wk@gnupg.org, "Werner Koch via BTS" <gnupg@bugs.g10code.com>

Werner Koch <wk@gnupg.org> added the comment:

Right: PKIX (as used by HTTPS) is not secure - we all know that.

STARTTLS for public mailing lists does not make any sense.

status: unread -> chatting

g10 Code's BTS <gnupg@bugs.g10code.com>
<T1544>

werner claimed this task.

Should all be fixed in the meantime.

  1. Your web server doesn't support ECC DH key exchange.
  2. Your web server is using DH key exchange with a 1024-bit group.

And it uses an older version of Debian on too old hardware.
No user accounts there, but only public information. Thus it is not a primary attack target.
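The findings in this ticket (weak RC2/RC4/DES suites, an MD5withRSA intermediate, HTTP sub-resources on an HTTPS page, no ECDHE, a 1024-bit DH group) are all things a defender can check mechanically from a scanner's output. The script below is an added example, not part of this ticket or of the gnupg.org server's configuration: it parses IANA-style suite names and applies the thresholds the thread and the linked SSL Labs best-practice page imply. The `REPORTED` and `FIXED` dicts are constructed sample scan results, and the w3c.org image URL and the intermediate CA name in `FIXED` are placeholders.

```python
"""Audit a TLS scan result for the issues raised in this ticket (added example)."""
import re
from dataclasses import dataclass

# Cipher families the ticket (and the SSL Labs best-practice page) call weak.
WEAK_CIPHERS = {"RC2", "RC4", "DES", "3DES", "NULL"}
# Hash functions no longer acceptable in a certificate signature.
WEAK_SIG_HASHES = {"MD5", "SHA1"}
# Smallest finite-field DH group size that is still considered adequate.
MIN_DH_BITS = 2048

# IANA suite names look like TLS_<key exchange>_WITH_<cipher>_<mac/PRF>.
SUITE_RE = re.compile(r"^TLS_(?P<kex>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    subject: str   # suite name, certificate subject, URL or "server"
    detail: str


def parse_suite(name):
    """Split an IANA suite name into (kex, cipher, mac); None if it does not fit."""
    m = SUITE_RE.match(name)
    return None if m is None else (m.group("kex"), m.group("cipher"), m.group("mac"))


def check_suites(suites):
    findings, ecdhe_seen = [], False
    for name in suites:
        parsed = parse_suite(name)
        if parsed is None:
            findings.append(Finding("medium", name, "unrecognised suite name"))
            continue
        kex, cipher, mac = parsed
        if kex.startswith("ECDHE"):
            ecdhe_seen = True
        elif "DHE" not in kex:
            # Static RSA/DH key exchange: a leaked server key decrypts past traffic.
            findings.append(Finding("medium", name, "no forward secrecy"))
        family = cipher.split("_")[0]
        if family in WEAK_CIPHERS or "EXPORT" in name:
            findings.append(Finding("high", name, f"weak cipher {family}"))
        if mac == "MD5":
            findings.append(Finding("high", name, "MD5-based MAC"))
    if not ecdhe_seen:
        findings.append(Finding("medium", "server", "no ECDHE suite offered (no ECC key exchange)"))
    return findings


def check_dh_group(dh_bits):
    if dh_bits is not None and dh_bits < MIN_DH_BITS:
        return [Finding("medium", "server", f"DH group is only {dh_bits} bits")]
    return []


def check_chain(chain):
    findings = []
    for cert in chain:
        # Signature algorithms are written like "MD5withRSA" / "SHA256withRSA".
        hash_name = cert["sig_alg"].split("with")[0].upper()
        if hash_name in WEAK_SIG_HASHES:
            findings.append(Finding("high", cert["subject"], f"certificate signed with {hash_name}"))
    return findings


def check_mixed_content(page_url, resources):
    if not page_url.startswith("https://"):
        return []
    return [Finding("medium", url, "resource loaded over plain HTTP on an HTTPS page")
            for url in resources if url.startswith("http://")]


def audit(scan):
    """Run every check over one scan result and return all findings."""
    return (check_suites(scan["suites"])
            + check_dh_group(scan.get("dh_bits"))
            + check_chain(scan["chain"])
            + check_mixed_content(scan["page_url"], scan["resources"]))


# Constructed sample mirroring the ticket's findings (not real scan output).
REPORTED = {
    "page_url": "https://www.gnupg.org/",
    "resources": ["https://www.gnupg.org/style.css",
                  "http://www.w3c.org/icons/valid.png"],  # constructed URL
    "chain": [{"subject": "CN=www.gnupg.org", "sig_alg": "SHA256withRSA"},
              {"subject": "CN=CAcert Class 3 Root", "sig_alg": "MD5withRSA"}],
    "dh_bits": 1024,
    "suites": ["TLS_RSA_WITH_RC4_128_SHA",
               "TLS_RSA_WITH_DES_CBC_SHA",
               "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
               "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

# A constructed configuration that addresses every item in the thread:
# ECDHE suites, a 2048-bit group, a SHA-2 chain and no HTTP sub-resources.
FIXED = {
    "page_url": "https://www.gnupg.org/",
    "resources": ["https://www.gnupg.org/style.css"],
    "chain": [{"subject": "CN=www.gnupg.org", "sig_alg": "SHA256withRSA"},
              {"subject": "CN=Example Intermediate CA", "sig_alg": "SHA256withRSA"}],
    "dh_bits": 2048,
    "suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
               "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for f in audit(REPORTED):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
    print("findings for the fixed configuration:", len(audit(FIXED)))
```

Running the script lists twelve findings for the constructed "as reported" server and none for the corrected one; feeding it a real scanner's suite list and chain is a quick regression check after the kind of server change Werner describes.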

werner renamed this task from the HTTPS on www.gnupg.org is not secure to www.gnupg.org does not use ECC. Aug 13 2015, 6:26 PM
werner lowered the priority of this task from Normal to Wishlist.
werner removed a project: Bug Report.
werner added a project: Feature Request.

This has been fixed quite some time ago.