Open ovari opened 5 years ago
1) Not sure DNS CAA really does anything, especially if you're using letsencrypt (we are) and do not use DNSSEC (we don't). I can't think of an attack it prevents. It's not used by mozilla.org, and it doesn't seem to be required for A+, which mozilla.org has. I do know that it's going to confuse me in the future when I try to use a third party service on a specific subdomain and they attempt to issue a cert using their own CA. I'm going to pass on this one.
2) (and 3) This is related to older browser support (WinXP, basically). This is probably the main reason we don't get A+, but these options are intentionally turned on for now. I want to do a push to get people to update from older versions of TB after 68 release, and so until then I'm going to leave these on. 2020 might be a good time to finally turn this off, given that's also the final 'browsers are removing support for these' time.
4) Agreed this should be on for www.thunderbird.net, start.thunderbird.net and autoconfig.thunderbird.net. Probably not the other domains for now. It's rather permanent when you do set it. Will implement.
It seems Cloudflare has removed the ability to turn off SHA1 support unless you have a business account.
We should probably get one of those eventually so that we can use our own SSL certs and get the other benefits, even though it's $200/mo, CloudFlare saves us a lot more than that so it's pretty reasonable.
Regardless, we don't want to do this until after 68 rollout.
https://www.ssllabs.com/ssltest/analyze.html?d=thunderbird.net

From A to A+; from red or orange to black or green.

Suggestions:

1) DNS CAA: from No (more info) to Yes. See the CAA Record Generator and "How to add a CAA record into a DNS zone file using BIND DNS".
2) Certificate #4: RSA 2048 bits (SHA1withRSA): from No to Yes (trust stores: Mozilla, Apple, Android, Java, Windows).
3) Remove support for TLS 1.0 and TLS 1.1. Only support TLS 1.2 and TLS 1.3 (these are currently supported).
4) Enabling HTTP Strict Transport Security (HSTS): in the file .htaccess (which may be located in /public_html/ or root) add
   Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

What do you think?
Thank you
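Both posts touch on what a CAA record actually constrains, and the reply worries about a third-party service issuing for one subdomain. The following is an added illustration, not code from the thread or the thunderbird.net project: it applies the RFC 8659 lookup rule (the closest name with CAA records governs) to a constructed zone, so you can see why a subdomain handed to another CA needs its own record. All zone data and CA names here are made up.

```python
"""Evaluate CAA issuance policy per RFC 8659 over a constructed zone (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) marks a property as issuer-critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain, optionally followed by ";params"; ";" alone means no CA


# Constructed sample data keyed by owner name; NOT the real thunderbird.net records.
SAMPLE_ZONE = {
    "thunderbird.net": [CAA(0, "issue", "letsencrypt.org"),
                        CAA(0, "iodef", "mailto:placeholder@example.invalid")],
    "shop.thunderbird.net": [CAA(0, "issue", "vendor-ca.example")],   # delegated to a vendor
    "mail.thunderbird.net": [CAA(0, "issue", ";")],                   # nobody may issue here
}


def relevant_caa_set(name, zone):
    """Climb from the requested name toward the root; first name with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuance_allowed(name, ca_domain, zone, wildcard=False):
    """Return True if a CA identified by ca_domain may issue for name under this zone."""
    _, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    # Wildcard requests are governed by issuewild when present, else by issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    allowed = {r.value.split(";")[0].strip().lower() for r in rrset if r.tag == tag}
    if not allowed:
        return True  # only iodef (or only the other tag) present: no restriction
    return ca_domain.lower() in allowed  # "" from ";" never matches a real CA


if __name__ == "__main__":
    # The vendor's CA is blocked at the apex but permitted by the subdomain's own record.
    print(issuance_allowed("www.thunderbird.net", "letsencrypt.org", SAMPLE_ZONE))   # True
    print(issuance_allowed("shop.thunderbird.net", "letsencrypt.org", SAMPLE_ZONE))  # False
    print(issuance_allowed("shop.thunderbird.net", "vendor-ca.example", SAMPLE_ZONE))  # True
```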