media.ccc.de is using an insecure connection by default. For some reason it always takes http://mirror.eu.oneandone.net/projects/media.ccc.de/ when I press play on the website.
That is the ONLY big mirror that does not support security. Happily, when you enable the option "block all unencrypted connections" in the addon "HTTPS Everywhere", it does not start to load insecure traffic, where everyone in the middle can modify the whole traffic and attack my web browser.
I know that CCC-internally in 2017 it has often been said that we now have more than enough mirrors and traffic. Please throw away all the non-HTTPS mirrors, enable forwarding to HTTPS and HSTS+HSTS-Preload+HPKP.
I don't know why TLS1.1 is enabled on the servers but TLS1.0 is disabled. Normally you only have legacy clients that support TLS1.0. Typically they support TLS1.2 or TLS1.0. There is not a noticeable number of "TLS1.1 or lower" clients. So please disable TLS1.1.
Here is an example of a securely configured web server (still missing HPKP): https://www.ssllabs.com/ssltest/analyze.html?d=mailbox.org
Thanks
PS: This is not a duplicate of #191. It's not about any "option". It's about "please kill insecure traffic that can be used to attack users of media.ccc.de"