Open drzax opened 7 years ago
There's also a weird thing happening inside at least one corporate network I know of where the site gets served a different security certificate (with a corporate root cert). Chrome says it's an invalid certificate, but it's still a bit gross.
Just to clear things up, I don't expect you to have problems here, but it might be worthwhile having some process to check this every week/month/6 months. It doesn't need to be automated, just every now and again some person checks SSL Labs to make sure that you still have an A+. The A+ might change due to new SSL weaknesses being discovered, or even just new cryptographic options being developed.
Also @drzax, that is something you probably should highlight to end users. That sort of thing (where your site is shown with a corporate root certificate) means that the corporation has installed a device that allows snooping of web traffic, including HTTPS/SSL encrypted traffic. This, in general, is not illegal, and in many cases is a good security measure for the corporation to take. However, it's obviously not good to be leaking info about anything over such a connection. Even if the corporation isn't the one being leaked about, it does mean that information about the leak is possibly retained.
Do you think it would be worth attempting to automate checking of SSL setup against a tool like SSL Labs and notify on any changes?
It's fairly easy to do, they even have their own programs to do so, so probably worth it.
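One way to do the periodic check discussed above, as an added example that is not code from this project or from either commenter: it reads a cached SSL Labs report through the public API v3 `analyze` endpoint, takes the weakest grade across all endpoints, and compares it with the expected baseline (A+ here). The `SAMPLE_REPORT` is a constructed stand-in for an API response so the comparison logic can be exercised offline.

```python
import json
import sys
import urllib.parse
import urllib.request

# Qualys SSL Labs public API v3; fromCache=on reads an existing report
# rather than starting a fresh scan on every run.
API_URL = "https://api.ssllabs.com/api/v3/analyze"

# Grades ordered worst to best so that min() picks the weakest endpoint.
GRADE_ORDER = ["F", "T", "M", "E", "D", "C", "B", "A-", "A", "A+"]

# Constructed sample response (not a real scan) for offline testing.
SAMPLE_REPORT = {
    "host": "example.com",
    "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.1", "grade": "A+"},
        {"ipAddress": "192.0.2.2", "grade": "A"},
    ],
}

def fetch_report(host):
    """Fetch the cached SSL Labs report for host (network call)."""
    query = urllib.parse.urlencode({"host": host, "fromCache": "on", "all": "done"})
    with urllib.request.urlopen(f"{API_URL}?{query}", timeout=30) as resp:
        return json.load(resp)

def worst_grade(report):
    """Weakest endpoint grade in a finished report, or None if not ready."""
    if report.get("status") != "READY":
        return None
    grades = [e["grade"] for e in report.get("endpoints", []) if e.get("grade")]
    if not grades:
        return None
    # Unknown grade strings rank below F so they are never silently accepted.
    return min(grades, key=lambda g: GRADE_ORDER.index(g) if g in GRADE_ORDER else -1)

def check_against_baseline(report, baseline="A+"):
    """Return (ok, message); ok is False on any change or unfinished report."""
    grade = worst_grade(report)
    if grade is None:
        return False, f"report not ready (status={report.get('status')})"
    if grade == baseline:
        return True, f"grade unchanged: {grade}"
    return False, f"grade changed: expected {baseline}, got {grade}"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    ok, msg = check_against_baseline(fetch_report(host))
    print(f"{host}: {msg}")
    sys.exit(0 if ok else 1)
```

A non-zero exit status makes it simple to wire the script into a cron job or CI schedule that notifies on any change.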
This is part of some feedback from @WPettersson.
It's currently got an A+ on SSL Labs.
Any other suggestions on changes we should be making?