Steps to reproduce:
sslscan kagi.com

Expected behavior:
Only having secure TLS settings, i.e., only allowing TLS 1.2+1.3 and disabling insecure cipher suites.
Downgrade attacks may allow MitM attacks with these settings.
The idea is that if these insecure settings are possible, a man in the middle could potentially force both sides to use insecure settings and then break the crypto.

This should be hardened IMO even if some outdated clients stop working. They should update regardless.

    feedbackhax changed the title to Improve TLS Config.
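
A check for the expected behavior described in the report above, as an added example (not part of the original posts and not Kagi's tooling): it parses sslscan's text output and flags any protocol below TLS 1.2 and any weak cipher suite. The sample report is constructed, not a scan of a real host, and the weak-suite marker list is an assumed policy.

```python
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # sslscan colours its output by default
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings marking suites treated as weak here (assumed policy, adjust as needed).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Constructed sample in sslscan's text layout; not a scan result for any real host.
SAMPLE = """\
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   \x1b[33menabled\x1b[0m
TLSv1.1   \x1b[33menabled\x1b[0m
TLSv1.2   enabled
TLSv1.3   enabled

  Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Preferred TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
"""


def audit(report: str) -> list[str]:
    """Return findings for anything outside a TLS 1.2 + 1.3, strong-suite policy."""
    findings = []
    for raw in report.splitlines():
        fields = ANSI.sub("", raw).split()
        # Protocol table rows look like: "TLSv1.0   enabled"
        if len(fields) == 2 and fields[0] in LEGACY_PROTOCOLS and fields[1] == "enabled":
            findings.append(f"legacy protocol enabled: {fields[0]}")
        # Cipher rows look like: "Accepted  TLSv1.2  112 bits  DES-CBC3-SHA ..."
        elif (len(fields) >= 5 and fields[0] in ("Preferred", "Accepted")
              and fields[2].isdigit()):
            proto, bits, suite = fields[1], int(fields[2]), fields[4]
            if proto in LEGACY_PROTOCOLS:
                findings.append(f"suite offered over {proto}: {suite}")
            elif bits < 128 or any(m in suite for m in WEAK_MARKERS):
                findings.append(f"weak suite on {proto}: {suite} ({bits} bits)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
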

      feedbackhax There is a part of me that wants Kagi to work on my iMac G4 from 2003. Timeless computing should be a thing.

        Vlad While I also agree with this in concept, the reality is your iMac G3 will be unable to browse any modern website thanks to ECMAScript 2015, TLS, new root CAs, and not enough memory. Even my 2011 iPhone 4 cannot load any pages any more without the use of a proxy. That proxy is https://github.com/atauenis/webone and it solves all the things I just mentioned. I am speaking from experience when I lost my phone and had to get by with the iPhone 4 for a couple of days.

        Even if Kagi worked over insecure HTTP with no CSS or JS, and even if my iPhone 4 could set Kagi as the default search engine (it can't), none of the search results Kagi presents would load, making Kagi not very helpful on its own. Using a proxy is mandatory anyway.

        So it's best to use reasonable security defaults. People who like old computers can let the proxy do the work. 👌

          Recast Not disagreeing - but the search results would load. These machines can run fairly modern browsers. And Kagi does not even require JavaScript enabled to render results.
