Can anyone from OSU chime in on this issue re: Code4Lib? It would be
great if someone over there can address the issues with the SSL cert
(expired in 2008?), but if not, do you have suggestions for getting it
resolved?
My understanding is that making https requests to code4lib.org uses
encryption, it's just an obsolete cipher... and the login data for
Drupal/Wiki sites is transmitted without encryption.
-Shaun
On 9/17/15 1:11 PM, LeVan,Ralph wrote:
> I forwarded the VIAF complaint to our network folks. They were able to fix it some, but a complete fix will not happen for a while.
>
> Here's their message:
>
> I changed the load balancer parameters for this farm viaf.org:443 to raise the "grade" from "F" to "C".
> To get it higher will take an OS upgrade on the load balancer which will happen later this year.
>
> Ralph
>
>
> -----Original Message-----
> From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of stuart yeates
> Sent: Sunday, September 06, 2015 5:52 AM
> To: [log in to unmask]
> Subject: Re: code4lib services and https
>
> SSL is security theatre unless people start doing it better.
>
> SSL is a layer of complexity, it's easy to get wrong and the library community is systematically getting it wrong (picking on some big names, because they're tough enough to take it, not because they noticeably do it any better or worse):
>
> https://www.ssllabs.com/ssltest/analyze.html?d=viaf.org
> https://www.ssllabs.com/ssltest/analyze.html?d=code4lib.org
> https://www.ssllabs.com/ssltest/analyze.html?d=loc.gov
>
> I'd implore you to check a couple of sites local to you and ping the administrators if it doesn't get the all clear.
>
> In some cases there are reasons why security might be lagging on a particular site (third party hosting, third party client connecting using out-of-date SSL libraries, need to support many-years-out-of-patch-cycle browsers, etc.), but that's the kind of thing that needs to be an explicit policy.
>
> cheers
> stuart
>