The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,842 other followers

Positive: Delphi 10.1 Berlin is out; negative all Embarcadero HTTPS sites still vulnerable to DROWN attack

Posted by jpluimers on 2016/04/19

The good news: Delphi 10.1 Berlin is out and released in Berlin (note: you might want to rename Delphi 10 Seattle into Delphi 10.0 Seattle).

Some links:

The not so good thing: I won’t be using it for a while as now for like 6 weeks or so, all the embarcadero HTTPS sites have been vulnerable to the DROWN man-in-the-middle attack that has been discovered 20160301.

Which means that even without going around the non-HTTPS partner site, I won’t be able to make a secure connection and install it.

Which gives me more time to play with the Xamarin Visual Studio 2015 integration, the cool stuff that MvvmCross offers and some of the other .NET Goodness at BUILD 2016 – .NET ALL THE THINGS! | Beth Massi

F (DROWN attack) members.embarcadero.com the logon site for regular users
No HTTPS at all tp.embarcadero.com the partner logon site for MVPs and TPs
F (DROWN attack) quality.embarcadero.com the site where to post bug reports and enhancement requests, replacing qc which had no https as all
F (DROWN attack) community.embarcadero.com the replacement of the forums server which like the original is down a lot of the time) which for a long time defaulted to http login at http://community.embarcadero.com/login hopefully it doesn’t do that any more).
F (DROWN attack) forums.embarcadero.com which has been revived after the old forums server was down more often than it was up
F (DROWN attack) edn.embarcadero.com the developers network server containing articles and information
F (DROWN attack) store.embarcadero.com buying products
F (DROWN attack) www.embarcadero.com the main site
 No TLS on main server;
Google Servers have weak cyphers
embarcadero.com the mail servers;via ssl-tools.net as SSL labs doesn’t support MX

–jeroen

Sources:

6 Responses to “Positive: Delphi 10.1 Berlin is out; negative all Embarcadero HTTPS sites still vulnerable to DROWN attack”

  1. […] Reference: Positive: Delphi 10.1 Berlin is out; negative all Embarcadero HTTPS sites still vulnerable to DROWN … […]

  2. Jeff Dyer said

    “Which means that even without going around the non-HTTPS partner site, I won’t be able to make a secure connection and install it.”

    Tin foil hat time?

    • jpluimers said

      I wish. After witnessing the aftermath of identity theft and the causes (broken https and plain credentials over http), I’ve become a lot stricter in what I do.

  3. Paul Dunn said

    That’s lovely and all, but have they fixed the 64bit codegen issues? Have they added 64bit OSX codegen?

    • jpluimers said

      I’ve no idea. I won’t be running it for a while for the security reasons I mentioned.

      • zxdunny said

        Looks like they’ve fixed our issues (64bit codegen) but still no OSX 64bit support. And besides, none of our sources will build in it so it’s back to D10/Seattle for the time being. Nice one, Emba.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: