More security

TheBigG.
Posts: 401
Joined: 11 Jun 2011, 16:11

Post by TheBigG. »

Hello,
Since you are handling passwords, it would be great if you could enable TLS for forum.maniaplanet.com, which should be no problem since you have a wildcard certificate. You could also update your TLS settings for your websites like login.maniaplanet.com, because they are weak.
If you don't know what you are doing, you can follow these guides. You may also take a look at Strict Transport Security and forbid unencrypted login. You can also take a look at https://code.google.com/p/mod-spdy/ for performance improvements.
https://wiki.mozilla.org/Security/Serve ... patibility
https://wiki.mozilla.org/Security/Serve ... TLS#Apache

Short:
1 Enable TLS 1.2
2 Disable SSLv3
3 Enable TLS for forum
4 Enable *AES_128_GCM_SHA256
5 Only use ciphers that have Forward Secrecy

You can see some things that are wrong here:
https://www.ssllabs.com/ssltest/analyze ... 33.248.149

Thank you

May also post updates here if you change something :pil
Client:
OS: Win10/Debian CPU: Intel 9900k GPU: NVIDIA 1080TI Display: 3x Acer Predator XB271HUbmiprz 1440p@165 Hz

Server:
OS: Debian Stable @ Backports Kernel CPU: Intel 6700k RAM: 32 GB Storage: 2x 256 GB NVMe SSD@Raid 1
TMarc
Posts: 15255
Joined: 05 Apr 2011, 19:10
Location: Europe

Re: More security

Post by TMarc »

login.maniaplanet.com is something different to the forum, which is basically independent of the game platform.
Some users have their ManiaPlanet login as nickname, but not necessarily the same password, and if they have, I would also recommend them to use different passwords.
TheBigG.
Posts: 401
Joined: 11 Jun 2011, 16:11

Re: More security

Post by TheBigG. »

That is no reason not to use TLS for it. They only have to change the Apache config a little bit, and maybe the forum if they use hard links on http.
TMarc
Posts: 15255
Joined: 05 Apr 2011, 19:10
Location: Europe

Re: More security

Post by TMarc »

Did I write anything against it? Come down please, will you!? :roll:
toffe
Posts: 782
Joined: 15 Jun 2013, 10:57
Location: The Netherlands

Re: More security

Post by toffe »

I already asked one time earlier: http://forum.maniaplanet.com/viewtopic. ... 63#p225763

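BTW, for login.maniaplanet.com, if running Apache2:

Code:

# Prefer the server's cipher order over the client's
SSLHonorCipherOrder on
# Ordered cipher preference list (a trailing backslash continues the line)
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

# Disable TLS-level compression
SSLCompression off
# Allow every protocol version except SSLv2 and SSLv3
SSLProtocol all -SSLv2 -SSLv3

Will make it A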
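
An added example, not part of any post in this thread: a Python check of Apache TLS directives against the list in the first post (no SSLv3, TLS 1.2 enabled, forward-secrecy-only ciphers, Strict Transport Security). The function names, the expansion of `all`, and the token-based forward-secrecy heuristic are assumptions of this example, not mod_ssl's or OpenSSL's own logic.

```python
import re

# Assumption: "all" depends on the mod_ssl build; this models one that still includes SSLv3.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
FS_KEX = re.compile(r"(^|\+)k?(EECDH|ECDHE|EDH|DHE)(\+|-|$)")
# Constructed sample: the cipher and protocol directives as posted above.
POSTED_CONF = r'''SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLProtocol all -SSLv2 -SSLv3
'''

def directives(conf):
    """Return (name, args) pairs, joining backslash-continued lines first."""
    lines = re.sub(r"\\\s*\n", " ", conf).splitlines()
    pairs = (l.strip().partition(" ") for l in lines if l.strip() and not l.strip().startswith("#"))
    return [(name.lower(), args.strip().strip('"')) for name, _, args in pairs]

def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-")
        group = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if tok[0] == "-":
            enabled -= group
        else:
            enabled = enabled | group if tok[0] == "+" else set(group)
    return enabled

def audit(conf):
    """Check a config against the thread's list: no SSLv3, TLS 1.2, FS-only ciphers, HSTS."""
    items = directives(conf)
    seen = dict(items)
    protocols = enabled_protocols(seen.get("sslprotocol", "all"))
    findings = []
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled (POODLE)")
    if "TLSv1.2" not in protocols:
        findings.append("TLS 1.2 not enabled")
    for tok in re.split(r"[\s:,]+", seen.get("sslciphersuite", "")):
        if not tok or tok[0] in "!-+@":
            continue  # exclusions, reordering and sort rules never add ciphers
        if "RC4" in tok:
            findings.append(f"RC4 allowed by '{tok}'")
        if not FS_KEX.search(tok):  # heuristic: token is not tied to (EC)DHE key exchange
            findings.append(f"no forward secrecy guaranteed by '{tok}'")
    if not any(n == "header" and "strict-transport-security" in a.lower() for n, a in items):
        findings.append("no Strict-Transport-Security header")
    return findings
```

`audit(POSTED_CONF)` reports the two RC4 entries and the bare `RC4` token, which also admits RC4 suites that use RSA key exchange and therefore lack forward secrecy. It also reports the missing HSTS header, since the posted directives do not set one.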
gouxim
Nadeo
Posts: 1186
Joined: 14 Jun 2010, 17:20

Re: More security

Post by gouxim »

Please do not PM for support. Instead, create a thread so that everyone can contribute or benefit from the answer! 8-)
TheBigG.
Posts: 401
Joined: 11 Jun 2011, 16:11

Re: More security

Post by TheBigG. »

That is fine, but the vulnerability to POODLE has to be fixed ASAP. It can't be too much to add -SSLv3 to the Apache config and restart Apache after that.

And if MP's SSL lib can only do SSLv3, we are doomed anyway :0010
TheBigG.
Posts: 401
Joined: 11 Jun 2011, 16:11

Re: More security

Post by TheBigG. »

still vulnerable, and weak. :roll:
xrayjay
Posts: 1481
Joined: 29 Aug 2010, 14:19

Re: More security

Post by xrayjay »

Yes, it has to be fixed. Also, with the next Firefox version, 34, the browser doesn't support SSL 3.0 anymore:
> http://googleonlinesecurity.blogspot.ca ... sl-30.html

Additionally, the http login page should forward automatically to the https one at login.maniaplanet.com. The player.maniaplanet.com page didn't use https; that should be fixed, and it should only point to login.maniaplanet.com :thumbsup:
TheBigG.
Posts: 401
Joined: 11 Jun 2011, 16:11

Re: More security

Post by TheBigG. »

still broken :sucks: