virtual.wf's HTTPS configuration needs updating #370

Open
konklone opened this issue Oct 12, 2014 · 4 comments
@konklone

The server is currently vulnerable to Heartbleed, to an OpenSSL MITM vulnerability, and is using SHA-1-signed certificates.

The SSL Labs analysis lays out the issues:

[screenshot: virtualwf (SSL Labs report)]

This could also be a good time to tighten up the ciphers to favor forward secrecy, and to implement the HSTS header, so that browsers skip over the http:// URL entirely and don't wait for the redirect.

On that (side) note, the project uses an http:// URL in a couple places:

[screenshot: http-1]

[screenshot: http-2]

eric79 commented Oct 14, 2014

@konklone thank you! You are quite thorough. 😄

How's this for a candidate for most-improved award?

[screenshot: sll-report (SSL Labs report after the changes)]

Heartbleed and the other vulnerability have been mitigated, with new post-mitigation certificates signed with SHA-2. I moved the ciphers one step in the right direction, though they still use RC4 on IE 10 and older. I'm not aware that anything better can be done for them. Any ideas?

We also now use the HSTS header so repeat visitors will not have to wait for the redirect, and I changed those references to http to https.

Thank you again, your help is much appreciated. Any time you want to swing through our site and poke at it, feel free. 😄

eric79 commented Oct 14, 2014

I think I will go ahead and close this issue, and if you have any thoughts on the RC4 issue, we can make that a new issue. Thanks again.

eric79 closed this as completed Oct 14, 2014
@konklone

How's this for a candidate for most-improved award?

[image: most-improved]

I moved the ciphers one step in the right direction, though they still use RC4 on IE 10 and older. I'm not aware that anything better can be done for them. Any ideas?

If you control the ciphersuites, I think you can do better - here are my cipher choices for konklone.com

That covers all the IEs, with a non-FS carveout for IE8+XP. It doesn't use RC4 anywhere.

One other thing you can do to bump up the key exchange strength is pre-generate 2048-bit DH parameters, so it's the same size as your key. Your version of Apache is defaulting to 1024-bit parameters, which keeps your key strength score at 80, and is why it shows 1024-bit marks here:

[screenshot: 1024 (SSL Labs showing 1024-bit DH parameters)]

If you upgrade Apache, version 2.4 defaults DH params to match key-length -- or if you keep 2.2, you can run openssl dhparam -outform pem -out dhparam2048.pem 2048, and then refer to that file in Apache using SSLDHParametersFile /path/to/dh2048.pem.

Thank you again, your help is much appreciated. Any time you want to swing through our site and poke at it, feel free. 😄

My pleasure, thanks for being so responsive and putting the legwork in on this!
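As an added example, not code from this issue or from the virtual.wf project: a small Python lint for an Apache SSL vhost block that flags the points raised in this thread (RC4 still enabled, no forward-secret suites, cipher order not enforced, no HSTS header, no pre-generated DH parameters). Both config samples are constructed, and the SSLDHParametersFile directive is assumed to exist as described in the comment above rather than verified against a specific Apache build.

```python
"""Check an Apache SSL vhost config for the weaknesses discussed in the thread."""


def parse_directives(config: str) -> dict:
    """Map each directive name to the list of argument strings it was given."""
    found = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return found


def lint_ssl_config(config: str) -> list:
    """Return a list of human-readable findings; an empty list means no issues found."""
    d = parse_directives(config)
    findings = []
    suites = " ".join(d.get("SSLCipherSuite", []))
    if not suites:
        findings.append("no SSLCipherSuite: OpenSSL defaults in use")
    else:
        # A token such as "!RC4" excludes RC4; any other token naming RC4 enables it.
        if any("RC4" in t and not t.startswith("!") for t in suites.split(":")):
            findings.append("RC4 enabled in SSLCipherSuite")
        if "DHE" not in suites:  # matches both DHE-* and ECDHE-* suites
            findings.append("no forward-secret (DHE/ECDHE) suites in SSLCipherSuite")
    if not any(v.lower() == "on" for v in d.get("SSLHonorCipherOrder", [])):
        findings.append("SSLHonorCipherOrder not on: client may pick a weaker suite")
    if "Strict-Transport-Security" not in " ".join(d.get("Header", [])):
        findings.append("no HSTS header: http:// visitors wait for the redirect each time")
    if "SSLDHParametersFile" not in d:
        findings.append("no SSLDHParametersFile: Apache 2.2 falls back to 1024-bit DH")
    return findings


# Constructed sample: roughly the state described at the start of the thread.
WEAK_CONFIG = """
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.pem
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
"""

# Constructed sample: forward secrecy first, 3DES as the only non-FS fallback
# (for IE8 on XP, which has neither AES nor ECDHE), RC4 excluded, HSTS and 2048-bit DH.
HARDENED_CONFIG = """
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.pem
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!aNULL:!MD5:!RC4
SSLDHParametersFile /etc/ssl/dhparam2048.pem
Header always set Strict-Transport-Security "max-age=31536000"
"""
```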

eric79 reopened this Oct 16, 2014

eric79 commented Oct 16, 2014

I'm reopening this issue, so I don't forget to address your other points.

... and thanks for the medal. 😉
