Comments
Yes you can use self-signed/etc (Still needs a certificate I would think, otherwise client won't know what key to encrypt to), but visitors tend to freak out when it's not a "trust" cert from a root authority (as evident in the thread)
Because of the SSL bug in SolusVM a while back. Not sure if it's fixed or not though. All WebKit based browsers would experience random timeouts because of how WebKit and Lighttpd communicated. For at least 6 months, clients were required to either use a non-WebKit browser or use a non-SSL port. We had some clients that refused to use anything other than Chrome/Chromium so for those users their only option was to use a non-SSL port.
@KuJoe - SolusVM can be used now with Nginx. I don't know why SolusLabs doesn't make it the default instead of Lighttpd.
PS: all major browsers support TLS, but not all support TLS 1.1+ (For example Safari 6 only seems to work at TLS 1.0, but not 1.1/1.2)
So even though you might get a higher score disabling TLS 1.0 and 1.1, you knock out some browsers from connecting. (oddly IE9 supports 1.1/1.2 but I don't think Firefox does yet).
PS: While we're on the topic of SSL and Security, I thought I'd satisfy my curiosity and test the SSL of a product most of us are using...
https://www.ssllabs.com/ssltest/analyze.html?d=whmcs.com&s=184.94.192.3
https://www.ssllabs.com/ssltest/analyze.html?d=whmcs.com&s=208.74.120.227
BEAST vulnerable, SSL 2.0 turned on, weak preferred ciphers, oh ... and NOT PCI compliant (considering they're storing credit card numbers...)
That's funny, since cPanel partners with them and you can basically flip a switch to better security...
Though HostbillApp doesn't seem much better.
https://www.ssllabs.com/ssltest/analyze.html?d=hostbillapp.com
also scored a 52 and is vulnerable to BOTH BEAST and CRIME attacks, and is also not PCI compliant.
(kind of sad considering my setup on nginx scored 85 without me even trying... and 91 with me trying to balance security with compatibility)
TLS 1.0 (when mitigating BEAST), TLS 1.1 & TLS 1.2 support seems to be the best combination atm and works on all browsers. There's no need for SSL 3.0 anymore (and please kill SSL 2.0 with fire and repeatedly shoot it in the face with a bazooka).
And @kbeezie, it's nice that you use Strict Transport Security for ionVz.com, but max-age=256 is not very effective, it should be longer than a month, 6 months or a year are even better.
I can't seem to get higher than 94 on the SSL Test without disabling TLS 1.0 & TLS 1.1. But I'm still happy with 94.
https://www.ssllabs.com/ssltest/analyze.html?d=my.loomhosts.com
I scored 88 but prone to 2 attacks :c
Disable compression and use RC4-ciphers instead of CBC-ciphers. And you too have a Strict Transport Security max-age value that is way too low.
My nginx configuration:
Ah, okay.
Yea, I was thinking the same. I did that to see if it would score any differently, but I forgot to set it back.
And yes, 91-94 seems to be about the best without losing compatibility with some newer browsers, namely webkit/etc. Seems like as long as you score 'A' without being vulnerable to BEAST/CRIME, it should be ok.
My Nginx config is almost identical to yours with the exception of choosing a couple strong ciphers for 1.1/1.2 (which are not CBC), followed by RC4 for compatibility/security for TLS1.0.
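The checklist the thread converges on (no SSL 2.0/3.0, TLS 1.2 offered, server-preferred non-CBC suites against BEAST, an HSTS max-age well over a month) as an added audit script for nginx server blocks; this is example code written for this page, not any poster's configuration, and the two server blocks are constructed. The hardened block mirrors the thread's 2012-era RC4 fallback for TLS 1.0, which RFC 7465 has since prohibited.

```python
import re

SIX_MONTHS = 182 * 24 * 3600  # HSTS threshold taken from the thread's advice


def audit_tls_block(conf):
    """Return a list of findings for one nginx server block; [] means it
    passes every check discussed in the thread."""
    # Collect the simple 'ssl_* value;' directives of the block
    d = dict(re.findall(r'^\s*(ssl_\w+)\s+(.+?);\s*$', conf, re.M))
    findings = []
    # Assumed fallback: old nginx builds defaulted to 'SSLv3 TLSv1'
    protos = d.get('ssl_protocols', 'SSLv3 TLSv1').split()
    findings += [f'{p} enabled' for p in protos if p in ('SSLv2', 'SSLv3')]
    if 'TLSv1.2' not in protos:
        findings.append('TLSv1.2 not offered')
    if d.get('ssl_prefer_server_ciphers', 'off') != 'on':
        findings.append('ssl_prefer_server_ciphers off: client picks the suite')
    preferred = d.get('ssl_ciphers', 'HIGH').split(':')[0]
    # Simplification: OpenSSL suite names of that era without GCM/RC4 are CBC
    if 'GCM' not in preferred and 'RC4' not in preferred:
        findings.append(f'preferred suite {preferred} is CBC (BEAST)')
    m = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', conf)
    if not m:
        findings.append('no HSTS header')
    elif int(m.group(1)) < SIX_MONTHS:
        findings.append(f'HSTS max-age={m.group(1)} is far too short')
    return findings


# Constructed sample blocks, not anyone's real configuration.
WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers AES128-SHA:RC4-SHA;
    add_header Strict-Transport-Security "max-age=256";
}
"""
HARDENED = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=31536000";
}
"""

if __name__ == '__main__':
    for name, conf in (('weak', WEAK), ('hardened', HARDENED)):
        print(name, audit_tls_block(conf) or 'OK')
```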
Are you people serious jerking off to trying to achieve a higher score on some SSL testing site?
Um.... yes.
^_^
As long as we all remember that convenience and security are often two opposite sides of a scale and adjust accordingly, encouraging each other to improve security is a no lose scenario.
It's great fun. It's like a game.