IPB





Welcome Guest ( Log In | Register )

 
Reply to this topicStart new topic
> HTTP → HTTPS auto redirection
koshie
post Apr 14 2018, 08:39 AM
Post #1


Filthy Peasant


Group: Members
Posts: 2
Thank(s): 0
Points: 2
Joined: 31-March 18
Member No.: 5,386




Hi,

I just saw this morning that you have a SSL certificate, which is good, but you have at least three problems with it:

1/ You have no 301 (permanent) redirections, which is bad because an user can forget to use HTTPS or even doesn't know why he should. Also, you get now better results for forcing HTTPS for Google (best ranking).

2/ When you use HTTPS version of the website, my web browser is complaining because some parts isn't under HTTPS, probably some URL or images.

3/ The smaller problem which is still one, you doesn't seems to say to your webserver to use the last CIPHER Suites: https://www.ssllabs.com/ssltest/analyze.htm...;hideResults=on

I know the website works but I just saw that this morning.

I heard you have some peoples in IT but if you need help (maybe they don't have times), you can ask me and I'll if I can.

koshie
Go to the top of the page
 
+Quote Post
MonkeyFiend
post May 1 2018, 11:51 AM
Post #2


Security and Projects
**********

Group: Clan Dogsbody
Posts: 4,686
Thank(s): 1096
Points: 2,439
Joined: 31-August 07
From: A Magical Place, with toys in the million, all under one roof
Member No.: 1




ey,

sorry I have been a bit busy with work recently to reply smile.gif

There's a couple of reasons why https redirection hasn't been enforced yet, party because of insecure content on the page creating mixed mode.. such as the teamspeak status bit that shows who's on the server. It's something I've been meaning to get around to at some point tongue.gif

Fair point regarding the cipher suites, we've obviously got rid of SSLv3 covering poodle/heartbleed and the like. While TLS1.2 is obviously preferable, this should nudge me to get rid of TLS1.0 protocol support too. I'll drop most of the triple ciphers and 128bit ones soon once I've checked browser compatibility. As a lot of the vulnerabilities exist in an academic stance and are pretty difficult to get collisions off or break.

Will probably use this as the cipher suite:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES
256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES
:
RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

and enable strict HSTS at some point when I sort all the mixed mode stuff out on the main page.

I notice from the link above that we've got a security rating of "B" - but this seems to be capped since we don't have perfect forward secrecy. The above changes to the cipher should fix that I think.

Might require some tweaking though tongue.gif


--------------------

Go to the top of the page
 
+Quote Post

Reply to this topicStart new topic

 



RSS Lo-Fi Version Time is now: 29th March 2024 - 08:26 AM
Sneaky Monkeys Clan :: MonkeyFiend.com