Server is vulnerable ???

Greetings,

I obtained a RapidSSL certificate for my Xojo Cloud site, and installed same with minimal trouble.

Thank you to Xojo for making this stuff easier.

However RapidSSL have a security checker built into their pages, and when I run it on the Xojo Cloud site, it advises me I am vulnerable to several attacks.

*RC4
*SSLv3
*Poodle
*BEAST

Is this my issue (i.e. something about the web apps I have deployed to my Xojo Cloud) ? or a Xojo issue ?

Regards,
Tony Barry
Sydney

It sounds like your SSL certificate may not have gotten correctly installed. I’d contact support directly for help: http://www.xojo.com/support/technical.php

Thank you Travis. I have sent in a support ticket.

The site does connect securely when tested by a browser (e.g. Safari) and the RapidSSL check tool says the cert is installed correctly.

Regards,
Tony Barry
Sydney

Servers and clients negotiate a set of ciphers from their known lists. The cipher has nothing to do with the certificate used. The service terminating the SSL connection has old ciphers available.

It’s not the end of the World. It just means that potentially someone using an older browser and older cipher may be exchanging data with you. Anyone in the middle between client/server could potentially read the data being exchanged since the cipher is weak. The likelihood of that actually happening is pretty low but you never know.

Thank you Phillip for your thoughts. Yes the chances of being Man In The Middled is low, and my traffic is not going to be NSA grade spy talk :slight_smile: but it’s nice to have a taut ship with no leaks.

The main question is whether there is something I can do to fix this, or if this is part of the Xojo world (e.g. so that hobbyist sites do not need to be concerned with stuff that does not bother them). Ideally, web security would be a one stop shop (i.e. always secure and that’s the end of it) but I appreciate that there are competing interests here. Brian Krebs would likely disagree :slight_smile:

Regards,
Tony Barry
Sydney

Like I said the certificate has nothing to do with the ciphers used. If it did you would have had to select the ciphers you wanted when you generated it.

Indeed. The certificate does not check anything. It merely offers a way to confirm that the website has some (distant, tenuous) relationship with the certifying authority.

It is the RapidSSL check tool (a web based tool) which offers the opinion that my site is vulnerable e.g. to SSLv3.

I suspect that the tool works under the hood by pinging the site with requests for SSLv3 traffic, and if the site responds in the affirmative, then the tool says “FAIL”. Now I do not know this - it is a guess of mine.

The question I have is whether this is my code or Xojo’s world which controls this response.

Regards,
Tony Barry
Sydney

You are right on the money. When an SSL message is started the client and server negotiate by exchanging ciphers. The tool is letting you know that the server will accept older/inferior ciphers. It will also accept newer/better ciphers so most browsers will use the good ciphers. It would take an old browser or an old HTTPSocket or something similar to utilize one of those old ciphers.

It’s not a big deal but should be corrected. It’s not your code - Xojo will need to tweak the settings of the SSL terminator.
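What Tony guessed and Phillip confirmed about the checker can be shown in code. The following is an added example, not the RapidSSL tool's own code or anything from Xojo: it sends the server a ClientHello restricted to one old protocol version (SSLv3) or to one class of weak suites (RC4, CBC on TLS 1.0) and reports FAIL when the server agrees to it, which is the only signal such a checker has. The version and cipher-suite numbers are the standard IANA values; the BEAST check is the usual heuristic (server accepts a CBC suite on TLS 1.0) rather than a proof of exploitability, and the target host name in the `__main__` block is a placeholder. The `make_server_hello` and `make_alert` helpers construct sample server replies so the classification logic can be run without a network.

```python
"""Probe a TLS endpoint the way a "vulnerable to SSLv3/RC4/BEAST?" checker does.

Offer the server a ClientHello limited to the old version or weak suites;
a ServerHello choosing one of them means the server still accepts it (FAIL),
an alert or a closed connection means it refused (PASS).
"""
import os
import socket
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

# IANA cipher-suite identifiers, keyed by their OpenSSL names.
CIPHERS = {
    "RC4-MD5": 0x0004,
    "RC4-SHA": 0x0005,
    "DES-CBC3-SHA": 0x000A,
    "AES128-SHA": 0x002F,
    "ECDHE-RSA-RC4-SHA": 0xC011,
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
}
SUITE_NAMES = {v: k for k, v in CIPHERS.items()}

# (check name, ClientHello version to offer, suites to offer). FAIL if the server picks one.
CHECKS = [
    ("SSLv3 / POODLE", SSL3, [CIPHERS["AES128-SHA"], CIPHERS["DES-CBC3-SHA"], CIPHERS["RC4-SHA"]]),
    ("RC4", TLS12, [CIPHERS["RC4-MD5"], CIPHERS["RC4-SHA"], CIPHERS["ECDHE-RSA-RC4-SHA"]]),
    ("BEAST (CBC on TLS 1.0)", TLS10, [CIPHERS["AES128-SHA"], CIPHERS["DES-CBC3-SHA"]]),
]


def build_client_hello(version, suites):
    """Bare ClientHello record: no session id, no extensions, null compression only."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # handshake type 1 = client_hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Parse the first record the server sends back.

    Returns ("accepted", server_version, suite) for a ServerHello,
    ("refused", alert_level, alert_description) for an alert,
    ("closed", None, None) if the server hung up, else ("unknown", record_type, None).
    """
    if not data:
        return ("closed", None, None)
    if len(data) < 5:
        return ("unknown", None, None)
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + rec_len]
    if ctype == 0x15 and len(payload) >= 2:                          # alert record
        return ("refused", payload[0], payload[1])
    if ctype == 0x16 and len(payload) >= 4 and payload[0] == 0x02:   # handshake, server_hello
        body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
        if len(body) < 38:
            return ("unknown", ctype, None)
        server_version = struct.unpack("!H", body[:2])[0]
        sid_len = body[34]                                           # after 2-byte version + 32-byte random
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        return ("accepted", server_version, suite)
    return ("unknown", ctype, None)


def evaluate(check, response):
    """Combine one check with the server's reply into a PASS/FAIL line."""
    name, version, suites = check
    kind, a, b = classify_response(response)
    if kind == "accepted" and b in suites and a <= version:
        return f"FAIL: {name}: server agreed to {SUITE_NAMES.get(b, hex(b))} at {hex(a)}"
    return f"PASS: {name}: server did not agree ({kind})"


def probe(host, port, check, timeout=5.0):
    """Send one restricted ClientHello over a real socket and evaluate the reply."""
    _name, version, suites = check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suites))
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return evaluate(check, reply)


# Constructed server replies so the classification can be exercised offline.
def make_server_hello(version, suite):
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def make_alert(version, description, level=2):
    """Alert record; description 40 = handshake_failure, 70 = protocol_version."""
    return b"\x15" + struct.pack("!H", version) + b"\x00\x02" + bytes([level, description])


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"      # placeholder target
    for check in CHECKS:
        print(probe(host, 443, check))
```

Run it against a host to see the three verdicts; a server whose terminator still has SSLv3 or RC4 enabled answers the restricted hello with a ServerHello, which is exactly what a browser never has to do because it offers the good suites too. Whether the server answers is decided by the TLS terminator's protocol and cipher settings, not by the certificate or by the application behind it, which is why the fix has to happen on the server side.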

Thank you Phillip - much appreciated.

Regards,
Tony Barry
Sydney

Tony, it would be best if you create a ticket on feedback and submit the information there so it can be tracked and implemented, if it has not been done so already.

Thank you Julian, a ticket has been submitted.

Regards,
Tony Barry
Sydney