Re: Government of Mauritius website allows weak security

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Mon, 29 Jun 2015 02:38:50 -0700

Hi Ish,
At 00:17 29-06-2015, Ish Sookun wrote:
>The word threat can be categorized as having
>several levels. I read RFC 7465 [1] and its
>status is a "proposed standard". A proposed [2]
>standard can be regarded as something desirable.
>You apply it unless you have a reason for not doing so.

The document about "Proposed Standard" is at
http://www.rfc-editor.org/rfc/rfc7127.txt. RFC
7465, which Logan referenced in his blog article,
"requires that Transport Layer Security (TLS)
clients and servers never negotiate the use of
RC4 cipher suites when they establish
connections". The "Bar Mitzvah" attack raised
questions about the security of RC4 for TLS, as it
is no longer considered as providing a sufficient level of security.

The following is from a Supreme Court document in
which you are mentioned: "He went on to explain
that it is possible to have access to the MNIS
database through a proxy attack – which is an
indirect attack – via the government
portal". What level of security would someone
recommend for https://www.govmu.org ? How about
the level of security recommended for
https://mail.govmu.org ? For the average user,
security might be about seeing the "padlock" or
"https" in the address bar of the web
browser. Is that a reason to ignore RFC 7465? :-)

Regards,
S. Moonesamy
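The RFC 7465 requirement quoted above ("never negotiate the use of RC4 cipher suites") can be checked on the wire: if a ServerHello selects an RC4 suite, the server is not compliant. The following is an added example, not code from this thread or its participants; it parses a TLS 1.0-1.2 ServerHello record and flags RC4 suites using a partial table of IANA-registered suite identifiers, with the sample handshake constructed inline.

```python
import struct

# Cipher suites that use RC4, from the IANA TLS Cipher Suite Registry
# (partial list of the two-byte identifiers; assumption: enough for a demo).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
    0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
}

def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite chosen in a TLS 1.0-1.2 ServerHello record.

    Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random, session id (1-byte length + data), 2-byte cipher suite.
    """
    if len(record) < 5 or record[0] != 0x16:      # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:   # handshake type: ServerHello
        raise ValueError("not a complete ServerHello")
    pos = 4 + 2 + 32                              # skip hs header, version, random
    pos += 1 + body[pos]                          # skip session id length + id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher suite")
    return struct.unpack("!H", body[pos:pos + 2])[0]

def negotiated_rc4(record: bytes):
    """Name of the RC4 suite the server picked, or None if it is RC4-free."""
    return RC4_SUITES.get(parse_server_hello(record))

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample: a minimal TLS 1.2 ServerHello selecting `suite`."""
    hello = b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", suite) + b"\x00"   # cipher suite, null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for suite in (0x0005, 0xC02F):               # RC4 suite vs ECDHE-RSA-AES128-GCM
        rec = build_server_hello(suite, session_id=b"\xab" * 8)
        print(hex(suite), negotiated_rc4(rec) or "no RC4 negotiated")
```

The same parser can be run over ServerHello records pulled from a packet capture to monitor whether RC4 is still being negotiated by a server or its clients.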
Received on Mon Jun 29 2015 - 09:39:30 PST