Eclipse-Community / forum

http://forum.eclipse.cx/
BSD 2-Clause "Simplified" License

Add notifier message if a browser that connects to the forum is using an outdated version of TLS or an outdated cipher. Also, preferably allow and prefer use of the Camellia cipher. #4

Open K4sum1 opened 3 years ago

K4sum1 commented 3 years ago

The warning message will be in a red color, at the top of the screen, warning the user that they're not securely connected to the forum with TLS 1.2+ or Camellia. (Need to make this mockup) SSL 3.0 and older will be flat unsupported.

If HTTP is used, the forum will still be accessible, but the user will be unable to log in, and there will be a warning message displayed notifying the user of this.

The Camellia cipher is a superior cipher that has no known cryptographic weaknesses, and hasn't been broken once, but it is underrepresented in modern browsers. This change will more benefit Pale Meme, New Moon, MyPal, and Firefox 3-36.x users.

I don't know if Eclipse will follow Camellia Appreciation Day by only using the Camellia cipher on February 12th, but I at least want the best cipher to be able to be used.

ghost commented 3 years ago

There's actually code in ABXD 2.2.6 that detects older browser versions and displays a warning message with the amusing id of #getabetterbrowseryoulazyfuck.

That CSS ID/attribute could probably be redone for this. (What is Camellia? Never heard of it.)

Seeing as there's functions to grab the forum's URL with and without a slash automatically, part of this is more than likely doable with a plugin implementation (which is how I want to do it, as not everyone will want this particularly on a dev/test environment). The cipher suite thing though? Not entirely certain :P

K4sum1 commented 3 years ago

> There's actually code in ABXD 2.2.6 that detects older browser versions and displays a warning message with the amusing id of #getabetterbrowseryoulazyfuck.
>
> That CSS ID/attribute could probably be redone for this. (What is Camellia? Never heard of it.)
>
> Seeing as there's functions to grab the forum's URL with and without a slash automatically, part of this is more than likely doable with a plugin implementation (which is how I want to do it, as not everyone will want this particularly on a dev/test environment). The cipher suite thing though? Not entirely certain :P

Well, this would need to detect a cipher, not a browser version, though the cipher could be determined from the useragent, but plenty of people do useragent mods, so this would be a useless way to determine that.

https://en.wikipedia.org/wiki/Camellia_(cipher) You'll probably need to modify Apache for this, bit less of a forum issue.

Plugin would likely be best.

ghost commented 3 years ago

I already gathered that from the original post. As I said, the checking of supported ciphers would be harder and it would be more difficult to implement it.

I'm not sure if it would be dependent on the server configuration (whether one is using PHP-Apache or PHP-CGI with Apache and/or NGINX), so whether it works everywhere or not isn't a given, I'd have to do some extensive testing first. :P
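
One way the server-side check discussed in this thread could look, as an added example that is not ABXD code and not written by either participant. It assumes the web server exports the negotiated protocol and cipher to PHP as `SSL_PROTOCOL` and `SSL_CIPHER` (Apache mod_ssl with `SSLOptions +StdEnvVars`, or nginx `fastcgi_param` lines mapping `$ssl_protocol` and `$ssl_cipher`); the function names `tls_notice` and `tls_banner_html`, the CSS class and the sample inputs are hypothetical.

```php
<?php
// Added example, not ABXD code. Assumes the web server exports the negotiated
// TLS parameters to PHP as SSL_PROTOCOL and SSL_CIPHER:
//   Apache mod_ssl: SSLOptions +StdEnvVars
//   nginx:          fastcgi_param SSL_PROTOCOL $ssl_protocol;
//                   fastcgi_param SSL_CIPHER   $ssl_cipher;

// Hypothetical helper: classify a request from its $_SERVER-style array.
function tls_notice(array $server): array
{
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    if (!$https) {
        return ['level' => 'insecure', 'login_allowed' => false,
                'message' => 'Plain HTTP connection: logging in is disabled.'];
    }
    $proto  = $server['SSL_PROTOCOL'] ?? '';
    $cipher = $server['SSL_CIPHER'] ?? '';
    if ($proto === '' || $cipher === '') {
        // Values not exported (server not configured, or TLS ends at a proxy).
        return ['level' => 'unknown', 'login_allowed' => true, 'message' => ''];
    }
    // OpenSSL-style names: "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3".
    $modern = preg_match('/^TLSv1\.(\d+)$/', $proto, $m) === 1 && (int) $m[1] >= 2;
    if (!$modern) {
        return ['level' => 'warn', 'login_allowed' => true,
                'message' => "Outdated protocol $proto ($cipher). Use TLS 1.2 or newer."];
    }
    $camellia = stripos($cipher, 'CAMELLIA') !== false;
    return ['level' => 'ok', 'login_allowed' => true,
            'message' => $camellia ? "Camellia negotiated ($cipher)." : ''];
}

// Render the red banner; values originate from the server, but escape anyway.
function tls_banner_html(array $notice): string
{
    if ($notice['message'] === '' || $notice['level'] === 'ok') {
        return '';
    }
    return '<div class="tls-warning" style="color:red">'
         . htmlspecialchars($notice['message'], ENT_QUOTES, 'UTF-8') . '</div>';
}

// Constructed sample inputs (not captured from a real server).
$samples = [
    ['HTTPS' => 'on', 'SSL_PROTOCOL' => 'TLSv1',   'SSL_CIPHER' => 'CAMELLIA256-SHA'],
    ['HTTPS' => 'on', 'SSL_PROTOCOL' => 'TLSv1.2', 'SSL_CIPHER' => 'ECDHE-RSA-CAMELLIA256-SHA384'],
    ['SERVER_PORT' => '80'],
];
foreach ($samples as $s) {
    echo json_encode(tls_notice($s)), ' ', tls_banner_html(tls_notice($s)), PHP_EOL;
}
```

The `unknown` branch covers setups where the variables are not exported, for example when TLS is terminated by a reverse proxy in front of PHP; in that case the check cannot run without the proxy forwarding the values.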