[aklug] Re: SSL "health" in Alaska (was: ACS Google Gateway)

From: Royce Williams <royce@tycho.org>
Date: Sat Oct 12 2013 - 13:43:41 AKDT

On Sat, Oct 12, 2013 at 1:03 PM, Royce Williams <royce@tycho.org> wrote:
> On Sat, Oct 12, 2013 at 10:02 AM, Tom Simes <simestd@netexpress.com> wrote:
>
> [snip]
>
>> The takeaway is if privacy is important, you need to be using perfect
>> forward secrecy and the best current implementation is via
>> Diffie-Hellman. OpenSSL can implement this now, but it's not default.
>
> What Tom said. Here's a great way to check the health and de-facto
> negotiated browser cipher sets for your web OpenSSL setup:
>
> https://www.ssllabs.com/ssltest/
>
> Be sure to check the "Do not show the results on the boards" checkbox
> if you don't want your test to show up in the lists.

I thought I'd elaborate a bit here.

First, the gold standard (but don't try this at home; Google has in-house
customization of OpenSSL to get this level of security):

A:
https://www.ssllabs.com/ssltest/analyze.html?d=www.google.com&s=173.194.46.0

And some results of local interest (I flipped through the State's list of
top employers and picked some with Alaska-specific web servers):

A: https://www.ssllabs.com/ssltest/analyze.html?d=my.alaska.gov
A: https://www.ssllabs.com/ssltest/analyze.html?d=alaskaair.com
F: https://www.ssllabs.com/ssltest/analyze.html?d=anthc.org
A:
https://www.ssllabs.com/ssltest/analyze.html?d=www.alaskausa.org&s=208.69.197.106
A: https://www.ssllabs.com/ssltest/analyze.html?d=alpca.org ;-)
F: https://www.ssllabs.com/ssltest/analyze.html?d=attalascom.com
B: https://www.ssllabs.com/ssltest/analyze.html?d=corp.att.com
A: https://www.ssllabs.com/ssltest/analyze.html?d=cu1.org
B: https://www.ssllabs.com/ssltest/analyze.html?d=fnbalaska.com
A: https://www.ssllabs.com/ssltest/analyze.html?d=mtasolutions.com
F: https://www.ssllabs.com/ssltest/analyze.html?d=muni.org
A: https://www.ssllabs.com/ssltest/analyze.html?d=northrim.com
A: https://www.ssllabs.com/ssltest/analyze.html?d=premera.com
A: https://www.ssllabs.com/ssltest/analyze.html?d=searhc.org
F: https://www.ssllabs.com/ssltest/analyze.html?d=southcentralfoundation.com
F: https://www.ssllabs.com/ssltest/analyze.html?d=csiweb.thealaskaclub.com

Things to look for:

- You get an automatic F if:
    - You support insecure renegotiation.
    - You support SSLv2, which is permaborked.

- Whether any weak cipher suites or protocols are enabled.

- Handshake simulation, especially if any fail, or whether or not "FS" or
"No FS" is listed after each item.

- Servers may enable RC4 in order to mitigate BEAST, so you'll often see
them mutually exclusive.

If you're not running OpenSSL 1.0.1 (maybe 1.0.1e?), you should be. If
your OS has multiple dependencies on OpenSSL, upgrading it in place can be
painful, and you're better off installing a local instance (/usr/local/ or
something) and recompiling Apache and kin to use it instead. Or upgrade
your OS to a version that includes OpenSSL 1.0.1e.

More info on fixing any and all of the above:

    https://www.ssllabs.com/projects/best-practices/index.html

Royce
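An added example, not part of Royce's message or anything the aklug list published: an offline checker that applies the "things to look for" above (forward secrecy via DHE/ECDHE, SSLv2, insecure renegotiation, weak cipher suites, and the RC4/BEAST trade-off) to a server profile. The `ServerProfile` records, cipher-suite names, and the two sample servers are constructed for illustration; in practice you would fill the profile in from an SSL Labs report or your own scan. The A/B/F verdict is a simplification of the checklist in the mail, not the SSL Labs grading algorithm.

```python
"""Offline checklist for TLS server hygiene: forward secrecy, SSLv2,
insecure renegotiation, weak cipher suites and the RC4/BEAST trade-off.
Input is a constructed ServerProfile; the grading mirrors the checklist in
the mail above, not the SSL Labs algorithm."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# OpenSSL cipher-name prefixes whose key exchange is ephemeral (forward secrecy).
# Static (EC)DH names such as ECDH-RSA-... or DH-RSA-... deliberately do not match.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # EDH- is OpenSSL's older spelling of DHE-RSA

# Suite properties the mail says to look for, plus the obvious export/NULL/anon cases.
WEAK_PATTERNS = {
    "RC4": re.compile(r"RC4"),
    "export-grade": re.compile(r"^EXP"),
    "single DES": re.compile(r"DES-CBC-"),      # DES-CBC3 (3DES) is not matched
    "NULL cipher": re.compile(r"NULL"),
    "MD5 MAC": re.compile(r"MD5$"),
    "anonymous DH": re.compile(r"^A(?:ECDH|DH)-"),
}


@dataclass
class ServerProfile:
    name: str
    protocols: list[str]            # e.g. ["SSLv3", "TLSv1", "TLSv1.2"]
    suites: list[str]               # OpenSSL cipher names, server preference order
    secure_renegotiation: bool      # RFC 5746 renegotiation supported


@dataclass
class Assessment:
    grade: str
    automatic_f: list[str] = field(default_factory=list)
    weak_protocols: list[str] = field(default_factory=list)
    weak_suites: dict[str, list[str]] = field(default_factory=dict)
    fs_suites: list[str] = field(default_factory=list)
    no_fs_suites: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)


def has_forward_secrecy(suite: str) -> bool:
    """True when the suite's key exchange is ephemeral DH or ECDH."""
    return suite.startswith(FS_PREFIXES)


def weaknesses(suite: str) -> list[str]:
    """Names of every weak property the suite exhibits (empty list if none)."""
    return [name for name, pat in WEAK_PATTERNS.items() if pat.search(suite)]


def assess(p: ServerProfile) -> Assessment:
    a = Assessment(grade="?")
    if "SSLv2" in p.protocols:
        a.automatic_f.append("SSLv2 enabled")
    if not p.secure_renegotiation:
        a.automatic_f.append("insecure (pre-RFC 5746) renegotiation supported")
    a.weak_protocols = [v for v in p.protocols if v in ("SSLv2", "SSLv3")]
    a.weak_suites = {s: w for s in p.suites if (w := weaknesses(s))}
    a.fs_suites = [s for s in p.suites if has_forward_secrecy(s)]
    a.no_fs_suites = [s for s in p.suites if not has_forward_secrecy(s)]
    if not a.fs_suites:
        a.notes.append("no DHE/ECDHE suites: sessions have no forward secrecy")
    # RC4 with nothing newer than TLS 1.0 usually means it was kept as a BEAST workaround.
    if any("RC4" in w for w in a.weak_suites.values()) and not {"TLSv1.1", "TLSv1.2"} & set(p.protocols):
        a.notes.append("RC4 present and only TLS 1.0 or below offered: likely a BEAST "
                       "workaround; enabling TLS 1.1/1.2 removes the need for RC4")
    if a.automatic_f:
        a.grade = "F"
    elif a.weak_protocols or a.weak_suites or not a.fs_suites:
        a.grade = "B"
    else:
        a.grade = "A"
    return a


def report(p: ServerProfile) -> str:
    """Render a handshake-style listing with FS / No FS after each suite."""
    a = assess(p)
    lines = [f"{p.name}: grade {a.grade}"]
    lines += [f"  automatic F: {r}" for r in a.automatic_f]
    lines += [f"  weak protocol: {v}" for v in a.weak_protocols]
    for s in p.suites:
        tag = "FS" if has_forward_secrecy(s) else "No FS"
        weak = a.weak_suites.get(s)
        lines.append(f"  {s:<32} {tag:<6}" + (f" WEAK: {', '.join(weak)}" if weak else ""))
    lines += [f"  note: {n}" for n in a.notes]
    return "\n".join(lines)


# Constructed sample profiles, not real scan results.
LEGACY = ServerProfile(
    name="legacy.example (constructed)",
    protocols=["SSLv2", "SSLv3", "TLSv1"],
    suites=["RC4-SHA", "AES256-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5"],
    secure_renegotiation=False,
)
MODERN = ServerProfile(
    name="modern.example (constructed)",
    protocols=["TLSv1", "TLSv1.1", "TLSv1.2"],
    suites=["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA", "AES128-SHA"],
    secure_renegotiation=True,
)

if __name__ == "__main__":
    for profile in (LEGACY, MODERN):
        print(report(profile))
```

Running it prints the legacy profile as an F (SSLv2 plus insecure renegotiation, both of which the mail calls automatic fails, with no FS suite at all and the RC4/BEAST note) and the modern one as an A, with "No FS" shown only against the static-RSA AES128-SHA suite. Feeding it the cipher list from your own Apache `SSLCipherSuite` expansion (`openssl ciphers -v '<your string>'`) is the quickest way to see whether the DHE/ECDHE suites Tom recommends are actually first in your preference order.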

Received on Sat Oct 12 13:44:25 2013

This archive was generated by hypermail 2.1.8 : Sat Oct 12 2013 - 13:44:25 AKDT