đž Archived View for chirale.org âş 2018-02-13_4174.gmi captured on 2024-07-08 at 23:35:22. Gemini links have been rewritten to link to archived content
âŹ ď¸ Previous capture (2024-05-12)
-=-=-=-=-=-=-
HTTPS is a great improvement to a website security. However, HTTPS comes in different flavours and among these there are very weak ones.
Among protocols, SSL have to be avoided because it is not secure. Its successor, TLS, comes in different versions and supports different ciphers. To be short, the cipher is the encryption method/algorihms the website and the client use to talk each other.
The combination of protocols and ciphers available to implement HTTPS will limits the type of clients capable to access the website.
To be sure your website will not lose traffic, you have to balance the strongest ciphers available with the most compatible but still secure, dropping all weaker ciphers.
If youâve already implemented HTTPS on your website, first youâve to check ist current security status of protocols and ciphers.
Check your hostname on Qualys SSL Labs pasting the HTTPS protected domain on the Test your server section. Itâs a fast method with a very detailed output for public websites.
The report will give your hostname a rank, a detailed list of issues, browser support, and the complete list of supported ciphers. Among these ciphers, you can get some ciphers highlighted in yellow. You have to get the rid of these no matter what.
The list of ciphers actually differs from a typical cipher declaration on nginx because nginx can use the OpenSSL naming and Qualys uses IANA naming.
Hereâs an helpful conversion table by Mozilla where you can convert IANA to OpenSSL and the other way round. Take note of the weak ciphers but wait before start to cut your cipher declaration on nginx.
helpful conversion table by Mozilla
Youâve to check how many visitors youâll lose after the cut first.
Using Google Analytics or similar services and software, go to the Audience \> Technology \> Browser to get a list of your visitorsâ browsers. Select a timespan like the last year or less.
Audience \> Technology \> Browser
You can add Browser version or OS version as secondary dimension to match the list of supported browsers from SSL Labs. Youâll get something similar:
Well, someone is still using Internet Explorer 0 in
Since Internet Explorer running on old Windows versions (like XP) is one of the most troublesome combination, check how many visitors use this legacy software.
On Google Analytics type on the search box âInternet Explorerâ and youâll get the browser usage of this legacy browser. Select OS version as secondary dimension to get a list of OSes using IE.
Compare this list with the report from SSL Labs and with the conversion table from Mozilla cited above and count the number of visitors you want to cut off from your website in the sake of security.
Trimming down the ciphers declaration on nginx conf youâll get something like this:
ssl_ciphers âECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DESâ;
Each cipher is separated by a â:â and at the end some elements (typically using OpenSSL naming) are forbidden with a â!â.
Hereâs the context:
server { # the port your site will be served on listen 443 ssl; # the domain name it will serve for # substitute your machine's IP address or FQDN server_name example.com www.example.com; ssl_certificate /path/to/fullchain.pem; ssl_certificate_key /path/to/privkey.pem; ssl_protocols TLSv1 TLSv1 TLSv2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; # cfr. ........................................ ssl_ciphers all.sh django2gmi.sh processing README.md wp2gmi.sh PASTE CIPHERS HERE **; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security max-age=15768000; charset utf-8; # This is for Let's Encrypt location ^~ /.well-known { alias /path/to/.well-known; allow all; } # max upload size client_max_body_size 75M; # adjust to taste location /webpath { alias /path/to/web; } }
Change the conf file, reload nginx (on CentOS 7 systemctl reload nginx) and then re-run the SSL Labs test.
The Qualysâ tool will show you the new incompatibility with legacy browsers in the Handshake Simulation section:
Modern protocols and ciphers implemented using the above declaration on nginx cut off IE 8 on XP and IE 6, the report explain.
According to the technology used by visitors of the analyzed website, few visits are sacrificed for better security for both visitors and host.
Tune these settings according to your needs, keep monitoring the tecnology used by site visitors and dropping legacy system progressively, with Modern compatibility as a (not so) long term objective.
https://web.archive.org/web/20180213000000*/https://tools.ietf.org/html/rfc7568
https://web.archive.org/web/20180213000000*/https://www.ssllabs.com/
