
SSL RSA keys should be at least 2048 bits
Closed, Resolved (Public)

Description

We received a set of suggestions on OTRS about how the secure server should be improved. The user linked to the security tester (given in bug URL). I am not allowed to disclose the text of the email (#2011021210007633), but here is a brief summary of the suggestions:

  • Disable SSL2 since it is vulnerable,
  • Use at least 2048 bits for our RSA key,
  • Serve images through SSL (we already have a bug for it).

Version: unspecified
Severity: enhancement
URL: https://www.ssllabs.com/ssldb/analyze.html?d=secure.wikimedia.org

Details

Reference
bz27909

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 11:37 PM)
bzimport added a project: HTTPS.
bzimport set Reference to bz27909.
bzimport added a subscriber: Unknown Object (MLST).

(In reply to comment #0)

  • Disable SSL2 since it is vulnerable,

I believe this is bug 24332.

  • Serve images through SSL (we already have a bug for it).

Bug 16822 and possibly another one I can't find atm.

bugs wrote:

Should we turn this into a tracking bug then?

matt wrote:

I have split SSLv2 off to bug 29014 and am making this bug report about the RSA key length, so we have individual bug reports blocking the secure server tracking bug.

secure.wikimedia.org is now obsolete. We support SSL connections using the usual
DNS entries, such as https://en.wikipedia.org/

SSL2 is disabled.
We use a 2048-bit RSA cert.
Images are served with HTTPS whenever needed.