
Thread: forums.embarcadero.com has a weak public Diffie-Hellman key?..



Replies: 10 - Last Post: Jun 17, 2015 2:09 PM - Last Post By: Robert Love
Alex Belo

Posts: 626
Registered: 10/8/06
forums.embarcadero.com has a weak public Diffie-Hellman key?..
  Posted: Jun 17, 2015 4:06 AM
Hi all.

When I'm trying to open this https://forums.embarcadero.com in Opera I
see this message now (in reverse translation from Russian):


Server has a weak public Diffie-Hellman key

This error can occur when connecting to a secure (HTTPS) server. This
means that the server tries to establish a secure connection, but
because of a critical error configuration server connection is not to
be protected.

It is necessary to fix the bug server settings. To protect your
privacy, Opera will not use unprotected connection.


And ... now what?

--
Alex
Jeff Overcash (...

Posts: 1,529
Registered: 9/23/99
Re: forums.embarcadero.com has a weak public Diffie-Hellman key?..
  Posted: Jun 17, 2015 9:29 AM   in response to: Alex Belo
Alex Belo wrote:
> Hi all.
>
> When I'm trying to open this https://forums.embarcadero.com in Opera I
> see this message now (in reverse translation from Russian):
>
> Server has a weak public Diffie-Hellman key
>
> This error can occur when connecting to a secure (HTTPS) server. This
> means that the server tries to establish a secure connection, but
> because of a critical error configuration server connection is not to
> be protected.
>
> It is necessary to fix the bug server settings. To protect your
> privacy, Opera will not use unprotected connection.
>
> And ... now what?
>
> --
> Alex

Either use a different browser or downgrade to Opera ver 29. Opera does not
allow for disabling their weak detection (anything less than 1024 bit).

--
Jeff Overcash (TeamB)
(Please do not email me directly unless asked. Thank You)
And so I patrol in the valley of the shadow of the tricolor
I must fear evil. For I am but mortal and mortals can only die.
Asking questions, pleading answers from the nameless
faceless watchers that stalk the carpeted corridors of Whitehall.
(Fish)
Alex Belo

Posts: 626
Registered: 10/8/06
Re: forums.embarcadero.com has a weak public Diffie-Hellman key?..
  Posted: Jun 17, 2015 10:46 AM   in response to: Jeff Overcash (...
Jeff Overcash (TeamB) wrote:
> Either use a different browser or downgrade to Opera ver 29. Opera
> does not allow for disabling their weak detection (anything less than
> 1024 bit).

Ouch:

http://blogs.opera.com/security/2015/06/unjam-the-logjam/

I don't understand anything about web security but I think this
decision can not be thoughtless...

--
Alex
Jeff Overcash (...

Posts: 1,529
Registered: 9/23/99
Re: forums.embarcadero.com has a weak public Diffie-Hellman key?..
  Posted: Jun 17, 2015 11:25 AM   in response to: Alex Belo
Alex Belo wrote:
> Jeff Overcash (TeamB) wrote:
>
>> Either use a different browser or downgrade to Opera ver 29. Opera
>> does not allow for disabling their weak detection (anything less than
>> 1024 bit).
>
> Ouch:
>
> http://blogs.opera.com/security/2015/06/unjam-the-logjam/
>
> I don't understand anything about web security but I think this
> decision can not be thoughtless...
>
> --
> Alex

Well this decision is not agreed with by Chrome, IE, FireFox, Safari or any
other browser I know of. This server is actually a pretty reasonable example of
why at least being able to white list sites you want to be able to see should
have been implemented.

--
Jeff Overcash (TeamB)
(Please do not email me directly unless asked. Thank You)
And so I patrol in the valley of the shadow of the tricolor
I must fear evil. For I am but mortal and mortals can only die.
Asking questions, pleading answers from the nameless
faceless watchers that stalk the carpeted corridors of Whitehall.
(Fish)
Henrick Hellström

Posts: 144
Registered: 12/18/00
Re: forums.embarcadero.com has a weak public Diffie-Hellman key?..
  Posted: Jun 17, 2015 11:52 AM   in response to: Alex Belo
Alex Belo wrote:
> Ouch:
>
> http://blogs.opera.com/security/2015/06/unjam-the-logjam/
>
> I don't understand anything about web security but I think this
> decision can not be thoughtless...

It's not. You could probably get away with using a 1024 bit RSA key,
but using 1024 bit DHE is completely pointless. Considering the
performance issues and downtime, you would be better off not using SSL
at all.
Robert Love

Posts: 155
Registered: 5/3/07
Re: forums.embarcadero.com has a weak public Diffie-Hellman key?..
  Posted: Jun 17, 2015 1:30 PM   in response to: Jeff Overcash (...
Jeff Overcash (TeamB) wrote:
> Either use a different browser or downgrade to Opera ver 29. Opera does not
> allow for disabling their weak detection (anything less than 1024 bit).

What a scary and insecure answer.

Does Embarcadero care about the data they control? If they do, they will get a certificate that is secure. I have noticed their certs are old and have needed to be updated for quite some time. But I figured they were smart and would be monitoring the security of their sites, and would act on this, but I have seen no action.
Henrick Hellström

Posts: 144
Registered: 12/18/00
Re: forums.embarcadero.com has a weak public Diffie-Hellman key?..
  Posted: Jun 17, 2015 1:40 PM   in response to: Robert Love
Robert Love wrote:
> Jeff Overcash (TeamB) wrote:
>> Either use a different browser or downgrade to Opera ver 29. Opera
>> does not allow for disabling their weak detection (anything less
>> than 1024 bit).
>
> What a scary and insecure answer.
>
> Does Embarcadero care about the data they control? If they do, they will
> get a certificate that is secure. I have noticed their certs are old
> and have needed to be updated for quite some time. But I figured they were
> smart and would be monitoring the security of their sites, and would act
> on this, but I have seen no action.

This has nothing to do with the (RSA) certificate. It is the SSL
implementation, or the configuration of the implementation, that
determines the DHE key sizes. Changing the SSL implementation is a
bit more tricky than just getting a new certificate, but both things
are of course perfectly doable.
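
The point made in the post above, that the DHE group size comes from the server's SSL/TLS configuration and is visible in the handshake rather than in the certificate, as an added Python example that is not part of the thread: it parses the ServerDHParams structure (p, g, Ys) from a TLS 1.2 DHE ServerKeyExchange body and reports the size of p. The 1024-bit cutoff is the figure quoted in the thread; the 2048-bit target, the function names and the sample messages are assumptions constructed for illustration.

```python
import struct

REJECT_BELOW = 1024  # cutoff the thread attributes to Opera's check
RECOMMENDED = 2048   # assumption: widely recommended minimum, not from the thread

def read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1>: 2-byte big-endian length, then the value."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("vector length out of range")
    return int.from_bytes(buf[off + 2:end], "big"), end

def parse_server_dh_params(body):
    """Return (p, g, Ys); bytes after Ys (the signature in DHE_RSA) are ignored."""
    p, off = read_vec16(body, 0)
    g, off = read_vec16(body, off)
    ys, _ = read_vec16(body, off)
    return p, g, ys

def assess(body):
    """Return (bits, verdict) for the DH group a server offered."""
    p, g, ys = parse_server_dh_params(body)
    bits = p.bit_length()  # counts the value, so zero padding cannot inflate it
    if g < 2 or not 1 < ys < p - 1:
        return bits, "reject: degenerate generator or public value"
    if bits < REJECT_BELOW:
        return bits, "reject: below browser cutoff"
    if bits < RECOMMENDED:
        return bits, "accepted but weak"
    return bits, "ok"

def build_sample(bits, pad_to=None, ys=None):
    """Constructed message: p is an odd number of the given size, NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    size = pad_to or (bits + 7) // 8
    enc = lambda x, n: struct.pack("!H", n) + x.to_bytes(n, "big")
    ys = p // 3 if ys is None else ys
    return enc(p, size) + enc(2, 1) + enc(ys, size) + b"\x00" * 4  # fake signature

if __name__ == "__main__":
    for label, msg in [("512-bit", build_sample(512)),
                       ("512-bit padded to 128 bytes", build_sample(512, pad_to=128)),
                       ("1024-bit", build_sample(1024)),
                       ("2048-bit", build_sample(2048))]:
        print(label, "->", assess(msg))
```

In a real capture, the body passed to `assess` starts after the 4-byte handshake header (1-byte type, 3-byte length) of the ServerKeyExchange message.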
Robert Love

Posts: 155
Registered: 5/3/07
Re: forums.embarcadero.com has a weak public Diffie-Hellman key?..
  Posted: Jun 17, 2015 2:09 PM   in response to: Henrick Hellström
Henrick Hellström wrote:
> This has nothing to do with the (RSA) certificate. It is the SSL
> implementation, or the configuration of the implementation, that
> determines the DHE key sizes. Changing the SSL implementation is a
> bit more tricky than just getting a new certificate, but both things
> are of course perfectly doable.

Thank you, I did not understand the problem correctly.

I have noticed it's not just the forums site with this problem.

https://community.embarcadero.com
https://edn.embarcadero.com/
https://cc.embarcadero.com/
https://quality.embarcadero.com/

I have also noticed that the sites also resolve http and https instead of http redirecting to https.