Created Dec 19, 2013 by cypherpunks@cypherpunks

SSL weaknesses on certain Torproject websites

Hi,

I ran a few tests for SSL weaknesses on certain Torproject websites using Qualys SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest) and observed a few issues that I thought I'd bring to your attention.

ar-blog.torproject.org
Report: https://www.ssllabs.com/ssltest/analyze.html?d=ar-blog.torproject.org&hideResults=on
Issue 1: Expired certificate
Issue 2: Server is easier to attack via DoS because it supports client-initiated renegotiation.

fa-blog.torproject.org
Report: https://www.ssllabs.com/ssltest/analyze.html?d=fa-blog.torproject.org&hideResults=on
Issue 1: Expired certificate
Issue 2: Server is easier to attack via DoS because it supports client-initiated renegotiation.

motor.torproject.org
Report: https://www.ssllabs.com/ssltest/analyze.html?d=motor.torproject.org&hideResults=on
Issue 1: Mismatched certificate (valid for blog.torproject.org)

In addition, the following do not have TLS1.2 enabled:

  • ar-blog.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=ar-blog.torproject.org&hideResults=on
  • bahri.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=bahri.torproject.org&hideResults=on
  • check.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=check.torproject.org&hideResults=on
  • check2.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=check2.torproject.org&hideResults=on
  • fa-blog.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=fa-blog.torproject.org&hideResults=on
  • gitweb.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=gitweb.torproject.org&hideResults=on
  • jepsonii.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=jepsonii.torproject.org&hideResults=on
  • sergii.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=sergii.torproject.org&hideResults=on
  • trac-vidalia.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=trac-vidalia.torproject.org&hideResults=on
  • weather.torproject.org: https://www.ssllabs.com/ssltest/analyze.html?d=weather.torproject.org&hideResults=on

The following URLs listed in Google search were tested. If there are any that I've missed, I recommend checking them using https://www.ssllabs.com/ssltest

  • alberti.torproject.org
  • ar-blog.torproject.org
  • archive.torproject.org
  • atlas.torproject.org
  • bahri.torproject.org
  • blog.torproject.org
  • bridges.torproject.org
  • bugs.torproject.org
  • bwauth.torproject.org
  • censorshipwiki.torproject.org
  • check.torproject.org
  • check2.torproject.org
  • cloud.torproject.org
  • compass.torproject.org
  • db.torproject.org
  • deb.torproject.org
  • dist.torproject.org
  • doxygen.torproject.org
  • eugeni.torproject.org
  • exonerator.torproject.org
  • fa-blog.torproject.org
  • gayi.torproject.org
  • gitweb.torproject.org
  • help.torproject.org
  • jenkins.torproject.org
  • jepsonii.torproject.org
  • lists.torproject.org
  • majus.torproject.org
  • media.torproject.org
  • metrics.torproject.org
  • motor.torproject.org
  • nova.torproject.org
  • onionoo.torproject.org
  • ooni.torproject.org
  • people.torproject.org
  • perdulce.torproject.org
  • ponticum.torproject.org
  • research.torproject.org
  • rude.torproject.org
  • schmitzi.torproject.org
  • sergii.torproject.org
  • stellatum.torproject.org
  • stem.torproject.org
  • svn.torproject.org
  • tanguticum.torproject.org
  • thandy.torproject.org
  • trac.torproject.org
  • trac-vidalia.torproject.org
  • troodi.torproject.org
  • weather.torproject.org
  • www.torproject.org
  • yatei.torproject.org

Cheers!

Disclaimer: I'm not in any way associated with SSLLabs or Qualys.
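The three finding types in the ticket above (expired certificate, certificate issued for a different hostname, and no TLS 1.2 support) can be reproduced locally without SSL Labs. The following is an added example, not code from the ticket or from the Tor Project; it uses only Python's standard `ssl` module. The validity and hostname checks are pure functions over the dict shape that `ssl.SSLSocket.getpeercert()` returns, exercised here on a constructed certificate for blog.torproject.org that expired before the report date (all sample values are made up); `probe_host()` wires the same checks to a live connection and adds a handshake pinned to TLS 1.2. Host names, ports and the `REPORT_DATE` constant are assumptions chosen to mirror the ticket.

```python
"""Added example: offline checks for expired / mismatched certificates plus a
live TLS 1.2 probe, mirroring the findings in the ticket above."""
import socket
import ssl
import time


def parse_cert_time(value):
    """Epoch seconds for a getpeercert() 'notBefore' / 'notAfter' string."""
    return ssl.cert_time_to_seconds(value)


def validity_status(cert, now):
    """Return 'not_yet_valid', 'expired' or 'valid' relative to epoch time `now`."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def _dns_match(pattern, hostname):
    """RFC 6125 style match: one leftmost '*' label matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False  # reject partial or non-leftmost wildcards
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the SAN DNS names cover hostname; falls back to the subject CN
    only when the certificate carries no SAN at all (legacy behaviour)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_match(n, hostname) for n in names)


def findings_for(cert, hostname, now):
    """Issue strings in the same spirit as the ticket's 'Issue N' lines."""
    issues = []
    status = validity_status(cert, now)
    if status != "valid":
        issues.append(status.replace("_", " ") + " certificate")
    if not hostname_matches(cert, hostname):
        issues.append("mismatched certificate (not valid for %s)" % hostname)
    return issues


def supports_tls12(host, port=443, timeout=5):
    """Live check: can the server complete a handshake pinned to TLS 1.2?
    Verification is disabled here because only version negotiation is tested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.2"
    except (OSError, ssl.SSLError):
        return False


def probe_host(host, port=443, timeout=5):
    """Live version of the per-host check in the ticket (network required)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issues = findings_for(tls.getpeercert(), host, time.time())
    except ssl.SSLCertVerificationError as exc:
        # The default context rejects expired or mismatched certificates before
        # getpeercert() can be read; OpenSSL's reason text is still informative.
        issues = ["verification failed: %s" % exc.verify_message]
    except (OSError, ssl.SSLError) as exc:
        issues = ["handshake failed: %s" % exc]
    if not supports_tls12(host, port, timeout):
        issues.append("TLS 1.2 not enabled")
    return issues


# Constructed sample in getpeercert() format (values are made up): a certificate
# for blog.torproject.org whose validity ended before the ticket was filed.
SAMPLE_CERT = {
    "subject": ((("commonName", "blog.torproject.org"),),),
    "subjectAltName": (("DNS", "blog.torproject.org"),),
    "notBefore": "Dec  1 00:00:00 2012 GMT",
    "notAfter": "Dec  1 00:00:00 2013 GMT",
}
REPORT_DATE = parse_cert_time("Dec 19 00:00:00 2013 GMT")  # ticket creation date

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            print(host, probe_host(host) or ["no issues found"])
    else:
        print(findings_for(SAMPLE_CERT, "motor.torproject.org", REPORT_DATE))
```

Run without arguments it evaluates the constructed certificate as motor.torproject.org would have presented it and reports both an expired and a mismatched certificate; with hostnames as arguments it probes them live. Note that the default `ssl` context refuses the handshake on an expired or mismatched certificate, so the live path reports OpenSSL's verify message rather than parsing the rejected certificate, and the TLS 1.2 probe is deliberately separate because it must not depend on verification succeeding.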
