*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):

In the light of recent revelations about Prism/NSA/GCHQ etc, it is more important than ever to keep SSL secure.

But... as far as I can tell, there exists no combination of SSL ciphers that satisfies all of:

* Resistant to the BEAST attack
* Has Perfect Forward Secrecy
* Is in Apache 2.2

[I'm testing with: https://www.ssllabs.com/ssltest/analyze.html ]

The only solution seems to be to deploy Apache 2.4 (or backport the ECDHE ciphers into the 2.2 package).

Can I suggest therefore that the lack of Apache 2.4 packages represents a serious security vulnerability to people visiting websites hosted on Ubuntu.

This affects every currently released Ubuntu distro (including raring). There is still no package of apache 2.4, nor is there a backport of the ECDHE feature. There are some PPAs of 2.4, but these aren't maintained with security updates, nor do they support mod_php.

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

--
apache2.2 SSL has no forward-secrecy: need ECDHE keys
https://bugs.launchpad.net/bugs/1197884
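
The constraint described in the report, as an added example that is not part of the original bug report or of Apache: it parses OpenSSL-style suite names and filters for forward secrecy plus BEAST resistance under TLS 1.0, with and without ECDHE. The suite list is a constructed sample, and the absence of ECDHE in Apache 2.2 is taken from the report.

```python
# Added example: check OpenSSL cipher-suite names against the report's criteria.
# SUITES is a constructed sample of TLS 1.0-era OpenSSL names, not server output.
SUITES = [
    "RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA", "EDH-RSA-DES-CBC3-SHA",
    "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
]

EPHEMERAL_PREFIXES = ("ECDHE", "DHE", "EDH")  # EDH is OpenSSL's older spelling of DHE


def parse_suite(name):
    """Split an OpenSSL suite name into (key_exchange, bulk_cipher)."""
    parts = name.split("-")
    if parts[0] in EPHEMERAL_PREFIXES:
        kx = "DHE" if parts[0] == "EDH" else parts[0]
        cipher = "-".join(parts[2:-1])   # skip kx and auth, drop the MAC
    else:
        kx = "RSA"                       # no prefix means static RSA key exchange
        cipher = "-".join(parts[:-1])    # drop the MAC
    return kx, cipher


def classify(name):
    kx, cipher = parse_suite(name)
    return {
        "suite": name,
        "kx": kx,
        "forward_secrecy": kx in ("DHE", "ECDHE"),
        # BEAST targets CBC-mode block ciphers in TLS 1.0; in this sample only
        # RC4 (a stream cipher) is not CBC. RC4 was later prohibited by RFC 7465,
        # so this flag reflects the report's 2013 criteria only.
        "beast_resistant": cipher == "RC4",
    }


def acceptable(suites, ecdhe_available):
    """Suites meeting both criteria, given whether the server offers ECDHE."""
    result = []
    for name in suites:
        info = classify(name)
        if info["kx"] == "ECDHE" and not ecdhe_available:
            continue
        if info["forward_secrecy"] and info["beast_resistant"]:
            result.append(name)
    return result


if __name__ == "__main__":
    print("without ECDHE:", acceptable(SUITES, ecdhe_available=False))
    print("with ECDHE:   ", acceptable(SUITES, ecdhe_available=True))
```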
