Full Version: HTTP → HTTPS auto redirection
Sneaky Monkeys Forum > General > Public Discussion
koshie
Hi,

I just saw this morning that you have an SSL certificate, which is good, but you have at least three problems with it:

1/ You have no 301 (permanent) redirection, which is bad because a user can forget to use HTTPS or may not even know why they should. Also, you now get better results from Google for forcing HTTPS (better ranking).

2/ When you use the HTTPS version of the website, my web browser complains because some parts aren't under HTTPS, probably some URLs or images.

3/ The smallest problem, which is still one: you don't seem to tell your web server to use the latest cipher suites: https://www.ssllabs.com/ssltest/analyze.htm...;hideResults=on

I know the website works, but I just saw that this morning.

I heard you have some people in IT, but if you need help (maybe they don't have time), you can ask me and I'll help if I can.

koshie
MonkeyFiend
Hey,

Sorry, I have been a bit busy with work recently to reply.

There are a couple of reasons why HTTPS redirection hasn't been enforced yet, partly because of insecure content on the page creating mixed mode, such as the TeamSpeak status bit that shows who's on the server. It's something I've been meaning to get around to at some point.

Fair point regarding the cipher suites; we've obviously got rid of SSLv3, covering POODLE/Heartbleed and the like. While TLS 1.2 is obviously preferable, this should nudge me to get rid of TLS 1.0 protocol support too. I'll drop most of the triple ciphers and 128-bit ones soon once I've checked browser compatibility, as a lot of the vulnerabilities exist in an academic stance and are pretty difficult to get collisions off or break.

Will probably use this as the cipher suite:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

and enable strict HSTS at some point when I sort all the mixed mode stuff out on the main page.

I notice from the link above that we've got a security rating of "B", but this seems to be capped since we don't have perfect forward secrecy. The above changes to the cipher suite should fix that, I think.

Might require some tweaking though.
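Added example (not code from either poster above, and not the forum's own configuration): an offline checker for the points raised in both posts, the missing HTTP to HTTPS 301, the mixed-content subresources, the HSTS header, and whether the proposed cipher string puts forward-secret (ECDH/DH) key exchange ahead of plain RSA. The two HTTP responses and the hostname example.invalid are constructed for the example; the cipher string is the one posted above. The cipher check is purely lexical (it parses the OpenSSL cipher-string format; it does not ask OpenSSL which suites actually match), so it catches ordering and exclusion mistakes but not a cipher name the library does not know.

```python
"""Offline checks for an HTTP->HTTPS rollout: 301 redirect, HSTS,
mixed content and PFS-first cipher ordering. Sample responses are
constructed for this example, not captured from any real server."""
import re
from urllib.parse import urlparse

# Constructed sample: what a correctly configured server answers on port 80.
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.invalid/index.php\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: the HTTPS answer, with HSTS and a body that still
# embeds one plain-http image (the kind of status widget that causes
# browser mixed-content warnings). The <a href> link is NOT mixed content:
# browsers only flag subresources they load, not navigation links.
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>"
    '<img src="http://example.invalid/ts3status.png">'
    '<script src="https://example.invalid/js/main.js"></script>'
    '<a href="http://example.invalid/forum">plain link</a>'
    "</body></html>"
)

# Cipher string from the post above (placeholder hostnames aside, this is
# the only piece of the example taken from the thread).
SUITE = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
         "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_redirect(raw, host):
    """Point 1: a plain-HTTP request must get a 301 to the HTTPS origin
    of the same host (a 302 or a redirect elsewhere does not count)."""
    status, headers, _ = parse_response(raw)
    loc = urlparse(headers.get("location", ""))
    return status == 301 and loc.scheme == "https" and loc.hostname == host


def check_hsts(raw, min_age=15552000):
    """HSTS: header present and max-age at least min_age (180 days here)."""
    _, headers, _ = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if not hsts:
        return False
    m = re.search(r"max-age=(\d+)", hsts)
    return bool(m) and int(m.group(1)) >= min_age


# Tags whose http:// src/href/data a browser fetches as a subresource.
_SUBRESOURCE = re.compile(
    r"<(?:img|script|iframe|link|audio|video|source|embed|object)\b[^>]*?"
    r"\b(?:src|href|data)\s*=\s*['\"](http://[^'\"]+)", re.IGNORECASE)


def find_mixed_content(raw):
    """Point 2: return the http:// subresource URLs embedded in an HTTPS page."""
    _, _, body = parse_response(raw)
    return _SUBRESOURCE.findall(body)


def check_cipher_string(spec):
    """Point 3: parse an OpenSSL cipher string and report ordering and
    exclusions. ECDH/DH key exchange gives forward secrecy; RSA key
    exchange does not, so RSA+... entries should only come after them."""
    tokens = [t for t in spec.replace("\n", "").split(":") if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    positive = [t for t in tokens if not t.startswith("!")]
    is_pfs = lambda t: t.startswith(("ECDH", "DH"))
    first_rsa = next((i for i, t in enumerate(positive) if t.startswith("RSA")), None)
    last_pfs = max((i for i, t in enumerate(positive) if is_pfs(t)), default=-1)
    return {
        "pfs_first": all(is_pfs(t) for t in positive[:2]),
        "rsa_after_pfs": first_rsa is None or first_rsa > last_pfs,
        "anull_excluded": "aNULL" in excluded,
        "md5_excluded": "MD5" in excluded,
        "has_3des": any("3DES" in t for t in positive),
    }


if __name__ == "__main__":
    print("301 to https:", check_redirect(HTTP_RESPONSE, "example.invalid"))
    print("HSTS ok:", check_hsts(HTTPS_RESPONSE))
    print("mixed content:", find_mixed_content(HTTPS_RESPONSE))
    print("cipher string:", check_cipher_string(SUITE))
```

Run against live responses by swapping the constructed strings for the raw output of `openssl s_client` or `curl -i`; the `has_3des` flag is there because the posted string still keeps the triple-DES entries the second post says it plans to drop.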