HTTP → HTTPS auto redirection |
Apr 14 2018, 08:39 AM | Post #1 | Filthy Peasant | Group: Members | Posts: 2 | Joined: 31-March 18 | Member No.: 5,386
Hi,

I just saw this morning that you have an SSL certificate, which is good, but you have at least three problems with it:

1/ You have no 301 (permanent) redirections, which is bad because a user can forget to use HTTPS or may not even know why he should. Also, you now get better results from Google for forcing HTTPS (better ranking).

2/ When you use the HTTPS version of the website, my web browser complains because some parts aren't under HTTPS, probably some URLs or images.

3/ The smaller problem, which is still one: you don't seem to tell your web server to use the latest cipher suites: https://www.ssllabs.com/ssltest/analyze.htm...;hideResults=on

I know the website works, but I just saw that this morning. I heard you have some people in IT, but if you need help (maybe they don't have time), you can ask me and I'll help if I can.

koshie
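The first two points above, redirect and mixed content, as an added example that is not part of the original post or the forum's own code: a check that the reply to a plain-HTTP request is a permanent redirect (301 or 308) to the https:// form of the same host, and a scanner that lists the subresources an HTTPS page would load over plain http. It goes a little beyond the post by separating active mixed content (scripts, stylesheets, frames, which current browsers block outright) from passive mixed content (images and media, which load but cost the padlock). The hostnames under example.invalid, the sample page and the sample response headers are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def check_https_redirect(request_url, status, headers):
    """Judge the response to a plain-http request.

    Returns (ok, reason). ok only for a permanent redirect (301 or 308) whose
    Location is the https:// form of the same host. A 302/307 is a temporary
    redirect that browsers and crawlers do not cache, which is the post's point.
    """
    if status not in (301, 308):
        return False, f"expected 301/308, got {status}"
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return False, "redirect without Location header"
    target = urlsplit(urljoin(request_url, location))
    source = urlsplit(request_url)
    if target.scheme != "https":
        return False, f"redirects to {target.scheme}:// rather than https://"
    if target.hostname != source.hostname:
        return False, f"redirects to a different host ({target.hostname})"
    return True, "permanent redirect to https"


class MixedContentScanner(HTMLParser):
    """Collect subresources an https page loads over plain http.

    Scripts, stylesheets, frames and plugins are 'active' mixed content
    (modern browsers block them); images and media are 'passive' (loaded,
    but the page loses its secure indicator).
    """

    ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
    PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheet links are subresources; <link rel=canonical> etc. are not.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self._record(attrs["href"], self.active)
            return
        for t, attr in self.ACTIVE:
            if t == tag and attrs.get(attr):
                self._record(attrs[attr], self.active)
        for t, attr in self.PASSIVE:
            if t == tag and attrs.get(attr):
                self._record(attrs[attr], self.passive)

    def _record(self, value, bucket):
        # urljoin resolves relative and scheme-relative ("//host/x") references
        # against the https page, so only genuine http:// references remain.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            bucket.append(absolute)


def scan_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {"active": scanner.active, "passive": scanner.passive}


# Constructed sample page (not the forum's real markup) mirroring the symptoms
# in the post: a status widget script and a logo both loaded over http.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="//cdn.example.invalid/site.css">
<script src="http://status.example.invalid/ts3viewer.js"></script>
</head><body>
<iframe src="/embed/status"></iframe>
<img src="http://www.example.invalid/images/logo.png">
<img src="https://www.example.invalid/images/ok.png">
<a href="http://www.example.invalid/forum/">Forum</a>
</body></html>"""

if __name__ == "__main__":
    # Constructed response headers standing in for what the plain-http site returns.
    print(check_https_redirect("http://www.example.invalid/", 301,
                               {"Location": "https://www.example.invalid/"}))
    print(scan_mixed_content("https://www.example.invalid/", SAMPLE_PAGE))
```

Feed the scanner the HTML fetched over https (it only inspects markup, so dynamically injected resources need a browser's console or CSP report-only logging to catch), and run the redirect check against the actual status and headers of a plain-http request.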
May 1 2018, 11:51 AM | Post #2 | Security and Projects | Group: Clan Dogsbody | Posts: 4,687 | Joined: 31-August 07 | From: A Magical Place, with toys in the million, all under one roof | Member No.: 1
Hey,

Sorry, I have been a bit busy with work recently to reply. There's a couple of reasons why HTTPS redirection hasn't been enforced yet, partly because of insecure content on the page creating mixed mode, such as the TeamSpeak status bit that shows who's on the server. It's something I've been meaning to get around to at some point.

Fair point regarding the cipher suites; we've obviously got rid of SSLv3, covering POODLE/Heartbleed and the like. While TLS 1.2 is obviously preferable, this should nudge me to get rid of TLS 1.0 protocol support too. I'll drop most of the triple ciphers and 128-bit ones soon once I've checked browser compatibility, as a lot of the vulnerabilities exist in an academic stance and are pretty difficult to get collisions off or break.

Will probably use this as the cipher suite:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

and enable strict HSTS at some point when I sort all the mixed mode stuff out on the main page.

I notice from the link above that we've got a security rating of "B", but this seems to be capped since we don't have perfect forward secrecy. The above changes to the cipher should fix that I think. Might require some tweaking though.
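The cipher string and the HSTS plan in the post above, as an added example that is not part of the original post or the forum's own configuration: a simplified parser of OpenSSL cipher-list syntax that reports which entries give forward secrecy, which do not, and which pull in 3DES, a helper that strips the latter two groups, and a check of a Strict-Transport-Security header. The caveat a reader should take from it: in OpenSSL the RSA keyword matches suites using RSA key exchange or RSA authentication, so after the ECDH/DH entries have already selected the ECDHE/DHE suites, the trailing RSA+AESGCM:RSA+AES:RSA+3DES entries only add the static-RSA key-exchange suites, and those are exactly the ones a forward-secrecy check counts against the server, even when they sit at the end of the list. The keyword mapping here is a simplification of `man ciphers`; the authoritative expansion is `openssl ciphers -v '<string>'` run with the server's own OpenSSL. The HSTS thresholds are assumptions stated in the code.

```python
# The exact cipher string proposed in the post above (OpenSSL cipher-list syntax).
POSTED_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                  "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

# Simplified reading of OpenSSL cipher-list keywords (see `man ciphers`):
#   ECDH / DH   match the ECDHE / DHE suites (ephemeral key exchange, forward
#               secrecy); they also match anonymous suites, which !aNULL removes.
#   RSA         matches suites using RSA key exchange OR RSA authentication; as a
#               later entry its only new matches are static-RSA key exchange
#               suites, which have no forward secrecy.
#   3DES        64-bit block cipher (Sweet32, CVE-2016-2183).
KX_EPHEMERAL = {"ECDH", "DH", "ECDHE", "DHE", "kEECDH", "kEDH"}
KX_STATIC_RSA = {"RSA", "kRSA"}


def parse_cipher_string(spec):
    """Split a cipher list into (modifier, keywords) tuples.

    modifier is '' for an ordinary entry, or '!' (permanently delete),
    '-' (delete, may be re-added) or '+' (move matching suites to the end).
    'ECDH+AESGCM' is a conjunction: suites matching every keyword.
    """
    entries = []
    for raw in spec.split(":"):
        raw = raw.strip()
        if not raw:
            continue
        modifier = raw[0] if raw[0] in "!-+" else ""
        entries.append((modifier, raw[len(modifier):].split("+")))
    return entries


def _no_forward_secrecy(keywords):
    return (not any(k in KX_EPHEMERAL for k in keywords)
            and any(k in KX_STATIC_RSA for k in keywords))


def analyze_cipher_string(spec):
    report = {"forward_secrecy": [], "no_forward_secrecy": [], "triple_des": [], "excluded": []}
    for modifier, kws in parse_cipher_string(spec):
        entry = modifier + "+".join(kws)
        if modifier == "!":
            report["excluded"].append(entry)
            continue
        if "3DES" in kws:
            report["triple_des"].append(entry)
        if any(k in KX_EPHEMERAL for k in kws):
            report["forward_secrecy"].append(entry)
        elif _no_forward_secrecy(kws):
            report["no_forward_secrecy"].append(entry)
    return report


def harden_cipher_string(spec):
    """Drop entries that only add static-RSA suites or 3DES, keeping the rest
    in the posted order, so every remaining suite is ephemeral-keyed AES."""
    kept = []
    for modifier, kws in parse_cipher_string(spec):
        if modifier != "!" and ("3DES" in kws or _no_forward_secrecy(kws)):
            continue
        kept.append(modifier + "+".join(kws))
    return ":".join(kept)


def check_hsts(header_value, min_age=15552000, require_subdomains=True):
    """Parse a Strict-Transport-Security value; return (ok, reason).

    min_age of 180 days is an assumed policy floor (hstspreload.org requires
    31536000). includeSubDomains is what 'strict' HSTS usually means, but only
    enable it once every subdomain serves HTTPS: browsers cache the policy.
    """
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return False, "missing or non-numeric max-age"
    age = int(directives["max-age"])
    if age < min_age:
        return False, f"max-age {age} is below {min_age}"
    if require_subdomains and "includesubdomains" not in directives:
        return False, "includeSubDomains not set"
    return True, "ok"


if __name__ == "__main__":
    for group, entries in analyze_cipher_string(POSTED_CIPHERS).items():
        print(f"{group:20} {entries}")
    print(harden_cipher_string(POSTED_CIPHERS))
    print(check_hsts("max-age=31536000; includeSubDomains; preload"))
```

The hardened string keeps the posted preference order (AES-GCM first, then AES-CBC, ephemeral ECDH before DH) and only removes the entries the post itself says are on the way out; whether a given browser still needs a dropped suite is the compatibility check the post mentions, and `openssl ciphers -v` against the final string is the place to confirm that nothing with `Kx=RSA` survived.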