Since we are on the topic of security with 2 factor auth (I just got the email), I noticed GoG is using a weak cipher and key exchange combo. (no forward secrecy, SHA1 signature etc.).

Would be nice if someone could take a look at it. I noticed because I disabled all weak ciphers in Firefox and Firefox refused to load GoG.

Thanks.
Post edited October 15, 2016 by Devrim
Ok. Now try again, in English.
Breja: Ok. Now try again, in English.
It probably makes sense if you understand tech speak, which, apparently, neither of us do.
Breja: Ok. Now try again, in English.
Why would you bother to respond if you don't know what it is about? It is a serious topic with a legit question.
Breja: Ok. Now try again, in English.
Devrim: Why would you bother to respond if you don't know what it is about? It is a serious topic with a legit question.
Because I thought maybe you would be kind enough to try to explain that serious topic in terms that everyone can understand. Crazy, I know.
Devrim: Why would you bother to respond if you don't know what it is about? It is a serious topic with a legit question.
Breja: Because I thought maybe you would be kind enough to try to explain that serious topic in terms that everyone can understand. Crazy, I know.
What the heck's gotten into you? It probably CAN be understood if you knew the tech lingo. That's like going into a thread about networks and bashing the OP because he doesn't explain networks for people who haven't had experience in them.


Edit: Ok, so maybe you're not necessarily bashing the OP, but you are coming off as slightly snarky/hostile. You seem to be acting like this a lot lately, which kind of concerns me, as it's not how I remember you.
Post edited October 15, 2016 by zeogold
Devrim: Why would you bother to respond if you don't know what it is about? It is a serious topic with a legit question.
Breja: Because I thought maybe you would be kind enough to try to explain that serious topic in terms that everyone can understand. Crazy, I know.
https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
https://blog.qualys.com/ssllabs/2013/06/25/ssl-labs-deploying-forward-secrecy


This should cover the most problematic points for GoG's HTTPS setup.
Post edited October 15, 2016 by Devrim
zeogold: What the heck's gotten into you? It probably CAN be understood if you knew the tech lingo. That's like going into a thread about networks and bashing the OP because he doesn't explain networks for people who haven't had experience in them.

Edit: Ok, so maybe you're not necessarily bashing the OP, but you are coming off as slightly snarky/hostile. You seem to be acting like this a lot lately, which kind of concerns me, as it's not how I remember you.
If I got a little snarky it's because I found the OP's response to be exactly that. I think it would be proper, when starting a thread like that, to explain what it's about - it concerns us all apparently. And I don't mean getting into technical details, just explaining what that practically means for the users.
Devrim: GoG is using a weak cipher and key exchange combo
So that SHA256withRSA signature on Cert #1, the only one that matters for auth, is more than good enough, and is the gold standard.

Your tool thingy is seeing the 3rd cert in the chain from Baltimore CyberTrust ROOT; it's a SHA1withRSA. This is a "trust store" cert and means diddly in the grand scheme.. but yes it looks bad, nothing to worry about..

1 Sent by server *.gog.com
Fingerprint SHA1: aa42bfea6967fa727349096eb8efad21fc577d82
Pin SHA256: tooPWKkkRO7h2Kcy9jtkTHzBoD0N7iJ03S1vVFqfkjw=
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Verizon Akamai SureServer CA G14-SHA2
Fingerprint SHA1: 6ad2b04e2196e48bf685752890e811cd2ed60606
Pin SHA256: 8XFPrRr4VxmEIYKUu35QtR3oGbduX1AlrBzaBUHgp7c=
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store Baltimore CyberTrust Root Self-signed
Fingerprint SHA1: d4de20d05e66fc53fe1a50882c78db2852cae474
Pin SHA256: Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
they keep it because they wanna stay compatible with older stuff...

Fun fact: while investigating this I found out gog.com cannot work on IE6/XP or APPLE ATS 9/iOS9

all in all gog.com is superduper safe IMO ^_^

If you want a quick and dirty test to suck out information hit up SSL Labs web tool.
Post edited October 16, 2016 by Starkrun
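As an added illustration (not code from the thread, GOG or SSL Labs), here is a small Python check over an SSL Labs-style chain listing like the one Starkrun pasted. It applies his rule that a weak hash on a self-signed trust-store root has no impact on the chain, and separately tests the cipher-suite key exchange for the forward secrecy the OP's browsers complained about; the listing sample is constructed from the entries above with the fingerprint lines left out.

```python
import re
# Constructed sample in the layout of the SSL Labs chain listing quoted above
# (fingerprint lines left out; names and algorithms as the thread shows them).
CHAIN_LISTING = """\
1 Sent by server *.gog.com
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Verizon Akamai SureServer CA G14-SHA2
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store Baltimore CyberTrust Root Self-signed
RSA 2048 bits (e 65537) / SHA1withRSA
"""
WEAK_HASHES = {"MD2", "MD5", "SHA1"}
ENTRY_RE = re.compile(r"^(\d+) (Sent by server|In trust store) (.+)$")
ALGO_RE = re.compile(r"/ ([A-Za-z0-9]+)with[A-Za-z]+$")

def parse_chain(listing):
    """One dict per cert; sig_hash is the hash in the signature *over* that cert."""
    certs = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            subject, self_signed = m.group(3), m.group(3).endswith(" Self-signed")
            if self_signed:
                subject = subject[: -len(" Self-signed")]
            certs.append({"position": int(m.group(1)), "source": m.group(2),
                          "subject": subject, "self_signed": self_signed, "sig_hash": ""})
        elif certs and (a := ALGO_RE.search(line)):
            certs[-1]["sig_hash"] = a.group(1).upper()
    return certs

def signature_findings(certs):
    """Flag weak signature hashes only where a client actually verifies them.
    A self-signed trust-store root's own signature is never checked, so SHA1
    there has no impact (Starkrun's point); on a served certificate it is weak."""
    out = []
    for c in certs:
        if c["sig_hash"] not in WEAK_HASHES:
            continue
        root = c["self_signed"] and c["source"] == "In trust store"
        level, where = ("info", "trust-store root") if root else ("weak", "served certificate")
        out.append((c["position"], level, f"{c['sig_hash']} signature on {where} {c['subject']}"))
    return out

def has_forward_secrecy(cipher_suite):
    """True when key exchange is ephemeral (EC)DHE, which is what the OP's browsers
    want. TLS 1.3 suite names carry no key-exchange token and are always ephemeral."""
    if cipher_suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    kx = cipher_suite[len("TLS_"):].split("_WITH_")[0]
    return kx.startswith(("ECDHE_", "DHE_"))
```

Run over the sample, the only finding is the informational one on the Baltimore root; a SHA1 signature on a served certificate would instead be reported as weak.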
Starkrun: If you want a quick and dirty test to suck out information, hit up the SSL Labs web tool. It'll provide a grade on the site, the reasons for demotion of grade level, and also a recommendation list to strengthen the site if needed. GOG.com scored an A- because they don't support Forward Secrecy with the reference browsers.
Yeah using SHA1 should (in theory) help users on Win XP SP2 and older and Android 2.3(?) and older but for some reason disabling the weak ciphers makes Firefox not load the GoG site.

All other gaming platforms (Steam/Origin/Uplay/PSN/Xbox) seem to be working fine.

e: Chromium also complains about obsolete cipher and key exchange btw. I wouldn't be surprised if all major browser developers will block certs with SHA-1 signatures.
Post edited October 16, 2016 by Devrim
Breja: If I got a little snarky it's because I found the OP's response to be exactly that. I think it would be proper, when starting a thread like that, to explain what it's about - it concerns us all apparently. And I don't mean getting into technical details, just explaining what that practically means for the users.
He was right in his response to you because of your first response. You could have simply said "I don't quite understand, could you please explain it in simpler terms?" or something similar.
I don't see you doing the same thing with other (albeit more active) tech-savvy people on the forum.
Breja: If I got a little snarky it's because I found the OP's response to be exactly that. I think it would be proper, when starting a thread like that, to explain what it's about - it concerns us all apparently. And I don't mean getting into technical details, just explaining what that practically means for the users.
zeogold: He was right in his response to you because of your first response. You could have simply said "I don't quite understand, could you please explain it in simpler terms?" or something similar.
I don't see you doing the same thing with other (albeit more active) tech-savvy people on the forum.
Jesus, I just asked the question in joke form. I pretty much always say things in a humorous manner around here, either that or some movie reference :P Aren't you the wet blanket on a stick in a mud today.
zeogold: He was right in his response to you because of your first response. You could have simply said "I don't quite understand, could you please explain it in simpler terms?" or something similar.
I don't see you doing the same thing with other (albeit more active) tech-savvy people on the forum.
Breja: Jesus, I just asked the question in joke form. I pretty much always say things in a humorous manner around here, either that or some movie reference :P Aren't you the wet blanket on a stick in a mud today.
Ah, so it was a joke. My mistake, I assumed it was some sort of bitter complaint at first.

Never mind, everything's good here. Let's just pretend we were talking about cereal.
Personally, I think Frosted Flakes are overrated.
Breja:
zeogold: Personally, I think Frosted Flakes are overrated.
Attachments:
a.jpg (40 Kb)
tinyE:
Hey, they're good stuff, they just tend to be TOO sweet. You need the dairy of the milk to cut the sugar, and by the time you get to that point, the milk is already oversweetened as well. You could theoretically add more milk, but then the whole thing gets soggy. Only reasonable solution is to mix it with regular Corn Flakes.
Of course, this entire problem COULD likely be eliminated if I could refrain from eating about 4 servings for every bowl I have, but still.