> HTTP → HTTPS auto redirection
post Apr 14 2018, 08:39 AM
Post #1

Filthy Peasant

Group: Members
Posts: 2
Thank(s): 0
Points: 2
Joined: 31-March 18
Member No.: 5,386


I just saw this morning that you have an SSL certificate, which is good, but you have at least three problems with it:

1/ You have no 301 (permanent) redirections, which is bad because a user can forget to use HTTPS or may not even know why he should. Also, you now get better results from Google for forcing HTTPS (best ranking).

2/ When you use the HTTPS version of the website, my web browser complains because some parts aren't under HTTPS, probably some URLs or images.

3/ The smaller problem, which is still one: you don't seem to tell your webserver to use the latest cipher suites: https://www.ssllabs.com/ssltest/analyze.htm...;hideResults=on

I know the website works, but I just saw that this morning.

I heard you have some people in IT, but if you need help (maybe they don't have time), you can ask me and I'll help if I can.

+Quote Post
post May 1 2018, 11:51 AM
Post #2

Security and Projects

Group: Clan Dogsbody
Posts: 4,556
Thank(s): 779
Points: 2,309
Joined: 31-August 07
From: A Magical Place, with toys in the million, all under one roof
Member No.: 1


Sorry, I have been a bit too busy with work recently to reply :)

There are a couple of reasons why HTTPS redirection hasn't been enforced yet, partly because of insecure content on the page creating mixed mode, such as the TeamSpeak status bit that shows who's on the server. It's something I've been meaning to get around to at some point :P

Fair point regarding the cipher suites; we've obviously got rid of SSLv3, covering POODLE/Heartbleed and the like. While TLS 1.2 is obviously preferable, this should nudge me to get rid of TLS 1.0 protocol support too. I'll drop most of the triple ciphers and 128-bit ones soon once I've checked browser compatibility, as a lot of the vulnerabilities exist in an academic stance and are pretty difficult to get collisions off or break.

Will probably use this as the cipher suite:


and enable strict HSTS at some point when I sort all the mixed mode stuff out on the main page.

I notice from the link above that we've got a security rating of "B" - but this seems to be capped since we don't have perfect forward secrecy. The above changes to the cipher should fix that I think.

Might require some tweaking though :P


+Quote Post
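
The three checks raised in this thread (a permanent redirect on plain HTTP, no `http://` subresources on the HTTPS page, and an HSTS header once the first two pass), as an added Python example that is not part of either post. The HTML, host names and headers are constructed samples, and the function names are hypothetical.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource (an <a href> link is not mixed content).
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "link": "href",
}

class MixedContentFinder(HTMLParser):
    """Collects (tag, url) pairs for subresources loaded over plain http://."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.strip().lower().startswith("http://"):
                self.insecure.append((tag, value.strip()))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure

def is_permanent_https_redirect(status, headers):
    """True when a plain-HTTP response is a 301 whose Location is an https:// URL."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status == 301 and location.lower().startswith("https://")

def hsts_max_age(headers):
    """Returns max-age in seconds from Strict-Transport-Security, or None if absent."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip('"').isdigit():
            return int(num.strip('"'))
    return None

# Constructed sample page (not captured from the site discussed above).
SAMPLE_PAGE = """<html><head><link rel="stylesheet" href="https://forum.example/style.css"></head>
<body><a href="http://forum.example/old">old link</a>
<img src="http://status.example/teamspeak.png">
<iframe src="http://status.example/viewer"></iframe>
<script src="/js/app.js"></script></body></html>"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_PAGE))
```

An empty list from `find_mixed_content` on every page is the precondition for turning on the redirect and then HSTS; a third-party status widget served only over `http://` will keep showing up here until it is proxied or replaced.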

Sneaky Monkeys Clan :: MonkeyFiend.com