Talk:SSL Encryption: Difference between revisions

From AniDB
(SSL Key Changed, Never Documented?)
 
(→‎Security?: new section)

Revision as of 01:23, 19 November 2012

The stated SSL cert fingerprints appear out of date:

Notary Lookup for: anidb.net:443,2
Browser's Key = '95:ee:24:b6:c6:5d:32:74:a1:50:48:bb:73:7a:93:ea'
Results:
Quorum duration: 0.1 days
Notary Observations:

Notary: cmu.ron.lcs.mit.edu:8080
ssl key: '95:ee:24:b6:c6:5d:32:74:a1:50:48:bb:73:7a:93:ea'
start: 1303548229 - Sat Apr 23 2011
end:  1303548232 - Sat Apr 23 2011

Notary: convoke.ron.lcs.mit.edu:8080
ssl key: '39:ba:e3:5b:90:a0:c4:ff:1b:c7:32:00:67:bc:ca:aa'
start: 1270897465 - Sat Apr 10 2010
end:  1272922215 - Mon May 03 2010
ssl key: '95:ee:24:b6:c6:5d:32:74:a1:50:48:bb:73:7a:93:ea'
start: 1272922216 - Mon May 03 2010
end:  1303542914 - Sat Apr 23 2011

Notary: mvn.ron.lcs.mit.edu:8080
ssl key: '95:ee:24:b6:c6:5d:32:74:a1:50:48:bb:73:7a:93:ea'
start: 1303542022 - Sat Apr 23 2011
end:  1303542434 - Sat Apr 23 2011

Notary: hostway.ron.lcs.mit.edu:8080
ssl key: '39:ba:e3:5b:90:a0:c4:ff:1b:c7:32:00:67:bc:ca:aa'
start: 1270897465 - Sat Apr 10 2010
end:  1272957971 - Tue May 04 2010
ssl key: '95:ee:24:b6:c6:5d:32:74:a1:50:48:bb:73:7a:93:ea'
start: 1272957972 - Tue May 04 2010
end:  1303542973 - Sat Apr 23 2011
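Added example, not part of the original post and not AniDB's or the notary tool's own code: the Python below parses notary output in the format quoted above, merges the observation window of each key across notaries, and checks whether a pinned fingerprint is still the key every notary saw last. The function names and the regex-based parsing are assumptions made here; the sample input is two of the notary replies from the post.

```python
import re

# Two of the notary replies quoted in the post above, copied from the page.
SAMPLE = """\
Notary: cmu.ron.lcs.mit.edu:8080
ssl key: '95:ee:24:b6:c6:5d:32:74:a1:50:48:bb:73:7a:93:ea'
start: 1303548229 - Sat Apr 23 2011
end:  1303548232 - Sat Apr 23 2011
Notary: hostway.ron.lcs.mit.edu:8080
ssl key: '39:ba:e3:5b:90:a0:c4:ff:1b:c7:32:00:67:bc:ca:aa'
start: 1270897465 - Sat Apr 10 2010
end:  1272957971 - Tue May 04 2010
ssl key: '95:ee:24:b6:c6:5d:32:74:a1:50:48:bb:73:7a:93:ea'
start: 1272957972 - Tue May 04 2010
end:  1303542973 - Sat Apr 23 2011
"""

TOKEN = re.compile(r"Notary:\s*(\S+)|ssl key:\s*'([0-9a-f:]+)'|start:\s*(\d+)|end:\s*(\d+)")

def parse(text):
    """Return [(notary, key, start, end), ...] from wrapped or flattened output."""
    obs, notary, key, start = [], None, None, None
    for m in TOKEN.finditer(text):
        n, k, s, e = m.groups()
        if n:
            notary, key, start = n, None, None   # new notary: forget the previous key
        elif k:
            key = k
        elif s:
            start = int(s)
        elif None not in (notary, key, start):   # an "end:" closes one observation
            obs.append((notary, key, start, int(e)))
            start = None
    return obs

def key_windows(obs):
    """Earliest first-seen and latest last-seen time per key, across all notaries."""
    win = {}
    for _, key, start, end in obs:
        lo, hi = win.get(key, (start, end))
        win[key] = (min(lo, start), max(hi, end))
    return win

def pinned_is_current(obs, pinned):
    """True only if every notary's most recent observation is the pinned key."""
    latest = {}
    for notary, key, _, end in obs:
        if notary not in latest or end > latest[notary][1]:
            latest[notary] = (key, end)
    return bool(latest) and all(k == pinned for k, _ in latest.values())
```

Passing the key that the notaries stopped seeing in May 2010 as `pinned` returns False, which is the condition a published fingerprint list should be re-checked against after any certificate change.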

Security?

"All requests for images, stylesheets and other page elements are NOT encrypted. Such requests should usually not be directed towards "anidb.net" but rather towards specific subdomains [and] do not include the AniDB authentication cookies and should thus not allow attackers to hijack your AniDB session."

You guys are aware there are ways to use css to trick various browsers into executing scripts, and hence running code that hijacks sessions and bypasses https... right? Dantman 02:23, 19 November 2012 (CET)