Getting to A+ with Qualys

One of the things I do when examining a website is to run it through Qualys’s SSL Labs Server Test. It does not provide a ‘security’ score per se, but it is a good first step in making sure sessions between your users and your website are encrypted end to end with sound protocol and cipher settings.

As of 5:23PM on 28 Dec 2018 I have an A:

How do I get to A+?

How did I achieve this score?

  1. Disabled old / weak SSL / TLS protocols
  2. Enabled CAA policy

Here are the relevant httpd.conf lines:

<...>
Listen 443
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1.2

And for CAA, I followed the guide here.

Why are these items important?

  1. SSLv2, SSLv3, TLS 1.0 and TLS 1.1 have known weaknesses (SSLv3 is broken by POODLE; TLS 1.0 and 1.1 cannot use AEAD cipher suites and rely on an MD5/SHA-1 based PRF), so disabling everything below TLS 1.2 takes away the protocols an eavesdropper could exploit. Note that the commented-out line "all -SSLv2 -SSLv3" would still have left TLS 1.0 and 1.1 enabled; "SSLProtocol TLSv1.2" is what restricts the server to TLS 1.2 only. If your httpd (2.4.37 or later) is built against OpenSSL 1.1.1 or later, you can also allow TLS 1.3 with "SSLProtocol TLSv1.2 TLSv1.3".
  2. As for CAA, I originally thought this was to prevent man-in-the-middle (MitM) attacks, but reading the RFC says otherwise:
The Certification Authority Authorization (CAA) DNS Resource Record
   allows a DNS domain name holder to specify the Certification
   Authorities (CAs) authorized to issue certificates for that domain.
   Publication of CAA Resource Records allows a public Certification
   Authority to implement additional controls to reduce the risk of
   unintended certificate mis-issue.

Digging a bit deeper, it appears the CAA RFC supports something interesting called IODEF. So of course, I had to see if I could activate it.

That’s something I’ll be testing in a future post.

Update: I’m now at A+:

29 Dec 2019

How? I looked at other sites that were receiving A+ ratings and didn’t find many differences – key exchange was the same (RSA 2048) and they had ciphers that were 128 bits as well (similar to my site). HSTS was the big difference, and so I added this to my httpd.conf under the :443 virtual server:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
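To tie the three settings above together, here is a small lint script I would run over an httpd.conf fragment and a zone-file snippet before re-testing with SSL Labs. It is an added example, not code from the original post or from Qualys: it evaluates an SSLProtocol directive the way mod_ssl does (so it shows why the commented-out "all -SSLv2 -SSLv3" line is not enough), parses the Strict-Transport-Security header, and parses CAA records in RFC 6844 presentation format, including the iodef tag. The sample config and zone data are constructed inline; the six-month HSTS threshold is my assumption about what SSL Labs requires for A+, and treating a missing SSLProtocol directive (or "all") as every protocol is a deliberately conservative assumption.

```python
"""Lint the settings the post touches: mod_ssl's SSLProtocol directive, the
Strict-Transport-Security header, and the domain's CAA records.

Added example, not code from the original post. Sample input is constructed
from the post's own httpd.conf lines plus a made-up zone snippet.
"""
import re

# Protocol names mod_ssl accepts, oldest first. Everything before TLSv1.2 has
# known weaknesses and should not be negotiable.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: SSL Labs wants an HSTS max-age of at least six months
# (15768000 s) before awarding A+; the post's 31536000 (one year) clears it.
HSTS_MIN_MAX_AGE = 15768000
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}


def enabled_protocols(directive):
    """Evaluate 'SSLProtocol ...' as mod_ssl does: 'all' expands to every
    protocol, '-x' removes, '+x' or a bare name adds, left to right.
    (Assumption: 'all' is treated as the whole list, which is conservative.)"""
    enabled = set()
    for tok in directive.split()[1:]:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = ALL_PROTOCOLS
        elif name.lower() in _CANON:
            names = [_CANON[name.lower()]]
        else:
            raise ValueError("unknown protocol in SSLProtocol: " + tok)
        (enabled.update if op == "+" else enabled.difference_update)(names)
    return enabled


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives and check
    the assumed A+ prerequisite on max-age."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    max_age = int(directives.get("max-age", "0"))
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives,
            "long_enough": max_age >= HSTS_MIN_MAX_AGE}


_HEADER_RE = re.compile(
    r'^\s*Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+"([^"]*)"', re.I)


def lint_httpd_conf(conf_text):
    """Walk an httpd.conf fragment, skip '#' comments, and report the protocols
    the server will negotiate plus the HSTS header it sends."""
    protocols, hsts = None, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # the post's '#SSLProtocol all -SSLv2 -SSLv3' is inert
        if line.split()[0].lower() == "sslprotocol":
            protocols = enabled_protocols(line)  # last directive wins
        m = _HEADER_RE.match(line)
        if m:
            hsts = parse_hsts(m.group(1))
    if protocols is None:  # assumption: no directive means the permissive default
        protocols = enabled_protocols("SSLProtocol all")
    weak = sorted(protocols & WEAK_PROTOCOLS, key=ALL_PROTOCOLS.index)
    return {"protocols": protocols, "weak_enabled": weak, "hsts": hsts}


_CAA_RE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\w+)\s+"(?P<value>[^"]*)"')


def parse_caa(zone_text):
    """Parse CAA records from zone-file lines (RFC 6844 presentation format)
    and summarise what they authorise. CAA only restricts which CAs may issue
    for the name; it does nothing against MitM on the wire."""
    issue, issuewild, iodef, unknown_critical = [], [], [], []
    for line in zone_text.splitlines():
        m = _CAA_RE.match(line.strip())
        if not m:
            continue
        flags, tag, value = int(m["flags"]), m["tag"].lower(), m["value"]
        if tag == "issue":
            issue.append(value)        # ";" means no CA may issue
        elif tag == "issuewild":
            issuewild.append(value)
        elif tag == "iodef":
            iodef.append(value)        # where CAs report issue requests/violations
        elif flags & 128:
            unknown_critical.append(tag)  # critical + unknown tag: CA must refuse
    # RFC 6844: issue records also govern wildcards when no issuewild is present
    return {"issue": issue, "issuewild": issuewild or issue, "iodef": iodef,
            "blocked": bool(unknown_critical)}


# Constructed sample input: the post's httpd.conf lines and a made-up zone.
SAMPLE_CONF = """\
Listen 443
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1.2
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
"""
SAMPLE_ZONE = """\
; constructed sample, not the post's real records
example.com.    IN CAA 0 issue "letsencrypt.org"
example.com.    IN CAA 0 issuewild ";"
example.com.    IN CAA 0 iodef "mailto:security@example.com"
"""

if __name__ == "__main__":
    report = lint_httpd_conf(SAMPLE_CONF)
    print("negotiable:", sorted(report["protocols"], key=ALL_PROTOCOLS.index))
    print("weak still enabled:", report["weak_enabled"] or "none")
    print("HSTS:", report["hsts"])
    print("CAA:", parse_caa(SAMPLE_ZONE))
```

Running it on the sample reports TLS 1.2 only, no weak protocols, an HSTS max-age that clears the six-month bar, and Let's Encrypt as the only authorised issuer with wildcards denied. Feeding it "SSLProtocol all -SSLv2 -SSLv3" instead shows TLS 1.0 and 1.1 still enabled, which is the difference between the commented-out line and the one that made the A grade.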