Hi André,
On Wed, Jan 2, 2013 at 8:08 AM, André Hentschel nerv@dawncrow.de wrote:
Hi, FWIW i have just seen:
https://www.ssllabs.com/ssltest/analyze.html?d=testbot.winehq.org&hideRe...
https://www.ssllabs.com/ssltest/analyze.html?d=test.winehq.org&hideResul...
https://www.ssllabs.com/ssltest/analyze.html?d=winehq.org&hideResults=on...
which tells me we have some problems with secure website connection, the question is, do we need more security here?
The answer is, no.
More reasoning: in general, I don't think we're relying on any confidentiality in the patches we submit to testbot: anyone can connect and see the patches, as well as their test results. So no, I don't think problems with TLS on testbot are a concern, now or ever.
And in particular: the qualsys scan tells us that the cert we're using is vulnerable to the BEAST attack, and that the server is vulnerable to the CRIME attack. The BEAST and CRIME attacks can allow an attacker to learn the plaintext of a stable piece of ciphertext sent in many connections, e.g. an authentication cookie, without having learned the server's private key. In testbot's case, we do use cookie-based authentication after initial login, but at worst that'd allow an attacker to submit jobs as one of us developers, or cancel one of our test jobs, change our password, etc. I don't think this is much of a concern. --Juan