privacyguides
/
privacytools.io
Archived
1
0
Fork 0
Code Issues 304 Pull Requests 47 Activity

Software Removal | Frendica #2355

New Issue
Closed
opened 2021-06-23 10:15:27 +00:00 by ghost · 8 comments
ghost commented 2021-06-23 10:15:27 +00:00 (Migrated from github.com)
Copy Link

Description

I propose the removal of Frendica.

Why I am making the suggestion

The Frendica website does not support AEAD Cipher.
This means that the website cannot be viewed securely.
https://friendi.ca/

My connection with the software

No connection

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
## Description I propose the removal of Frendica. ## Why I am making the suggestion The Frendica website does not support AEAD Cipher. This means that the website cannot be viewed securely. https://friendi.ca/ ## My connection with the software No connection - [x] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
samuel-lucas6 commented 2021-06-23 10:45:11 +00:00 (Migrated from github.com)
Copy Link

The website uses HTTPS, so it seems that it can be viewed securely.

Edit: I should have been more specific in my initial reply. Not supporting AEADs does not immediately make things insecure. AES-CBC + HMAC is a common combination that is secure when implemented correctly and still widely used. In fact, using HMAC can actually lead to better security than using AEADs like AES-GCM. The TLS version is what's important here, and the website is using TLS 1.2 in most cases, which is fine (please see my later reply).

The website uses HTTPS, so it seems that it can be viewed securely. Edit: I should have been more specific in my initial reply. Not supporting AEADs does not immediately make things insecure. AES-CBC + HMAC is a common combination that is secure when implemented correctly and still widely used. In fact, using HMAC can actually lead to better security than using AEADs like AES-GCM. The TLS version is what's important here, and the website is using TLS 1.2 in most cases, which is fine (please see my later reply).
rusty-snake commented 2021-06-23 10:52:13 +00:00 (Migrated from github.com)
Copy Link

I tried 6 server from https://dir.friendica.social/servers and ALL supported TLS 1.3.

TLS 1.3 spec:

Those that remain are all Authenticated Encryption with Associated Data (AEAD) algorithms.

I tried 6 server from https://dir.friendica.social/servers and ALL supported TLS 1.3. [TLS 1.3 spec](https://datatracker.ietf.org/doc/html/rfc8446): > Those that remain are all Authenticated Encryption with Associated Data (AEAD) algorithms.
👍 1
ghost commented 2021-06-23 11:22:41 +00:00 (Migrated from github.com)
Copy Link

https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132

https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132
samuel-lucas6 commented 2021-06-23 11:44:32 +00:00 (Migrated from github.com)
Copy Link

https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132

It uses TLS 1.2 for me. It's really not great that it supports TLS 1.0 and 1.1 and doesn't support TLS 1.3, but TLS 1.2 is acceptable if configured properly and is still used by the majority of websites.

> > > https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132 It uses TLS 1.2 for me. It's really not great that it supports TLS 1.0 and 1.1 and doesn't support TLS 1.3, but TLS 1.2 is acceptable if configured properly and is still used by the majority of websites.
ghost commented 2021-06-23 12:00:24 +00:00 (Migrated from github.com)
Copy Link

https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132

It uses TLS 1.2 for me. It's really not great that it supports TLS 1.0 and 1.1 and doesn't support TLS 1.3, but TLS 1.2 is acceptable if configured properly and is still used by the majority of websites.

Why do you keep going off topic?
I have a problem with the lack of AES-GCM (or Chacha20) in the cipher list.
I don't see the TLS version as a problem.

> > https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132 > > It uses TLS 1.2 for me. It's really not great that it supports TLS 1.0 and 1.1 and doesn't support TLS 1.3, but TLS 1.2 is acceptable if configured properly and is still used by the majority of websites. Why do you keep going off topic? I have a problem with the lack of AES-GCM (or Chacha20) in the cipher list. I don't see the TLS version as a problem.
ghost commented 2021-06-23 12:01:12 +00:00 (Migrated from github.com)
Copy Link

This server does not support Authenticated encryption (AEAD) cipher suites.

https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132

> This server does not support Authenticated encryption (AEAD) cipher suites. https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132
rusty-snake commented 2021-06-23 12:42:42 +00:00 (Migrated from github.com)
Copy Link

I have a problem with the lack of AES-GCM (or Chacha20) in the cipher list.
I don't see the TLS version as a problem.

The cipher list has to do with the TLS version.

TLS 1.0 / TLS 1.1: unsecure
TLS 1.2: secure/unsecure (AES-GCM/ChaCha20/... and legacy ciphers)
TLS 1.3: secure (only secure ciphers)

This server does not support Authenticated encryption (AEAD) cipher suites.

https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132

It's only their homepage. Login is done on other servers.

@cookiepanda1 did you contacted friendica?

> I have a problem with the lack of AES-GCM (or Chacha20) in the cipher list. I don't see the TLS version as a problem. The cipher list has to do with the TLS version. TLS 1.0 / TLS 1.1: unsecure TLS 1.2: secure/unsecure (AES-GCM/ChaCha20/... and legacy ciphers) TLS 1.3: secure (only secure ciphers) > > This server does not support Authenticated encryption (AEAD) cipher suites. > > https://www.ssllabs.com/ssltest/analyze.html?d=friendi.ca&s=217.197.80.132 It's only their homepage. Login is done on other servers. @cookiepanda1 did you contacted friendica?
👍 1
samuel-lucas6 commented 2021-07-05 09:28:57 +00:00 (Migrated from github.com)
Copy Link

@freddy-m I believe this issue can be closed.

@freddy-m I believe this issue can be closed.
👍 1
This repo is archived. You cannot comment on issues.
No Branch/Tag Specified
Branches Tags
master
dependabot/bundler/nokogiri-1.13.6
dependabot/bundler/addressable-2.8.0
freddy-m-patch-3
pr-add_RemoveMyPhone_sponsor
pr-browser_cleanup_1257_1328_1430
freddy-m-patch-2
freddy-m-patch-1
pr-vpn_hated_one_video
cdn
update-nitrohorse-image
promote-metager-to-card
hardware
pr-add_azirevpn
pr-add_mailfence
shop
1673
pr/1658
i18n-simple
sponsorship-edits-nov2019
i18n
ipfs
blacklight447-ptio-patch-3
blog
remove-windows-icons
pr/1147
i18n-testing
add-beautify
Labels
Clear labels   
🔍🤖 Search Engines

   
approved

approved, waiting for a PR

  
dependencies

Pull requests that update a dependency file

  
duplicate

   
feedback wanted

   
high priority

   
I2P

The Invisible Internet Project (I2P)

  
iOS

   
low priority

   
OS

Operating Systems

  
Self-contained networks

   
Social media

   
stale

A label for stalebot if it gets added

  
streaming

Anything related to media streaming.

  
todo

   
Tor

Anything covering the Tor network

  
WIP

active work in progress, do not merge or PR (yet)!

  
wontfix

Issues or bugs that will not be fixed and/or do not have significant impact on the project.

  
XMPP

Extensible Messaging and Presence Protocol

  
[m]

Matrix protocol

  
₿ cryptocurrency

   
ℹ️ help wanted

   
↔️ file sharing

   
⚙️ web extensions

Browser Extension related issues

  
enhancement

   
software removal

   
💬 discussion

   
🤖 Android

   
🐛 bug

   
💢 conflicting

   
📝 correction

Correction of content on the website

  
🆘 critical

   
📧 email

   
🔒 file encryption

   
📁 file storage

   
🦊 Firefox

Firefox & forks, about:config etc.

  
💻 hardware

   
🌐 hosting

   
🏠 housekeeping

Anything primarily related to site cleanup.

  
🔐 password managers

   
🧰 productivity tools

   
🔎 research required

   
🌐 Social News Aggregators

   
🆕 software suggestion

   
👥 team chat

   
🔒 VPN

Virtual Private Network

  
🌐 website issue

*Technical* issues with the website.

  
🚫 Windows

   
👁️ browsers

   
🖊️ digital notebooks

   
🗄️ DNS

Domain Name System

  
🗨️ instant messaging (im)

   
🇦🇶 translations

Anything covering a translated version of the site

No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
enhancement
software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#2355
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?