virtual-world-framework / vwf

Virtual World Framework
https://virtual.wf

virtual.wf's HTTPS configuration needs updating #370

Open konklone opened 10 years ago

konklone commented 10 years ago

The server is currently vulnerable to Heartbleed, to an OpenSSL MITM vulnerability, and is using SHA-1-signed certificates.

The SSL Labs analysis lays out the issues:

[image: virtualwf (SSL Labs report)]

This could also be a good time to tighten up the ciphers to favor forward secrecy, and to implement the HSTS header, so that browsers skip over the http:// URL entirely and don't wait for the redirect.

On that (side) note, the project uses an http:// URL in a couple places:

[image: http-1]

[image: http-2]
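The HSTS behaviour the comment above is asking for (browsers rewriting the http:// URL to https:// themselves instead of waiting for the redirect), as an added example in Python. This is not code from the issue or from the vwf project; the host names, header values and timestamps are constructed for illustration, and the `HstsCache` class is a hypothetical stand-in for a browser's known-HSTS-host store.

```python
"""Strict-Transport-Security (RFC 6797) handling as a browser applies it.

Added example, not code from the vwf project: parse the STS header, cache the
policy, and rewrite http:// URLs to https:// before any request is sent, so a
repeat visitor never touches the HTTP listener or waits for its redirect.
"""
from urllib.parse import urlsplit, urlunsplit

# Key-exchange-independent: these constants only shape the policy store.
FS_NOTE = "policy entries are (expires_at, include_subdomains) tuples"


def parse_hsts(header):
    """Parse an STS header value. Returns a policy dict, or None if invalid.

    RFC 6797 s6.1: max-age is required, directive names are case-insensitive,
    a repeated directive invalidates the whole header, and unknown directives
    (for example 'preload') are ignored.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsCache:
    """Hypothetical known-HSTS-host store keyed by lowercase host name."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host, header, *, secure, now):
        """Record the policy a response carried. Returns True if stored.

        RFC 6797 s8.1: the header is only honoured on an HTTPS response, so a
        plain-HTTP response cannot plant a policy; max-age=0 deletes one.
        """
        if not secure:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)
            return False
        self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def _policy_for(self, host, now):
        """Live policy for host itself, or for a parent with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # expired entries are ignored
            if i == 0 or include_subdomains:
                return entry
        return None

    def upgrade(self, url, *, now):
        """Return the https:// form of an http:// URL covered by a policy,
        otherwise the URL unchanged (RFC 6797 s8.3: scheme http -> https,
        port 80 -> 443, any other explicit port is kept)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if self._policy_for(parts.hostname, now) is None:
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Two details worth checking in a real deployment follow from the code: the policy only takes effect after the first HTTPS response has been seen, so the http:// to https:// redirect still has to exist for first-time visitors, and `includeSubDomains` only helps if every subdomain actually serves HTTPS.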

eric79 commented 10 years ago

@konklone thank you! You are quite thorough. :smile:

How's this for a candidate for most-improved award?

[image: sll-report (SSL Labs report after the fix)]

Heartbleed and the other vulnerability are mitigated, with new post-mitigation certificates signed with SHA-2. I moved the ciphers one step in the right direction, though they still use RC4 on IE 10 and older. I'm not aware that anything better can be done for them. Any ideas?

We also now use the HSTS header so repeat visitors will not have to wait for the redirect, and I changed those references to http to https.

Thank you again, your help is much appreciated. Any time you want to swing through our site and poke at it, feel free. :smile:

eric79 commented 10 years ago

I think I will go ahead and close this issue, and if you have any thoughts on the RC4 issue, we can make that a new issue. Thanks again.

konklone commented 10 years ago

> How's this for a candidate for most-improved award?

[image: most-improved]

> I moved the ciphers one step in the right direction, though they still use RC4 on IE 10 and older. I'm not aware that anything better can be done for them. Any ideas?

If you control the ciphersuites, I think you can do better - here are my cipher choices for konklone.com

That covers all the IEs, with a non-FS carveout for IE8+XP. It doesn't use RC4 anywhere.

One other thing you can do to bump up the key exchange strength is pre-generate 2048-bit DH parameters, so it's the same size as your key. Your version of Apache is defaulting to 1024-bit parameters, which keeps your key strength score at 80, and is why it shows 1024-bit marks here:

[image: 1024 (SSL Labs showing 1024-bit DH parameters)]

If you upgrade Apache, version 2.4 defaults DH params to match key length -- or if you keep 2.2, you can run `openssl dhparam -outform pem -out dhparam2048.pem 2048`, and then refer to that file in Apache using `SSLDHParametersFile /path/to/dh2048.pem`.

> Thank you again, your help is much appreciated. Any time you want to swing through our site and poke at it, feel free. :smile:

My pleasure, thanks for being so responsive and putting the legwork in on this!
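The cipher-list check behind the reply above (favour ECDHE/DHE so every modern client gets forward secrecy, keep any static-RSA carve-out for old IE at the very end, and serve no RC4 anywhere), as an added example in Python using the standard `ssl` module. This is not the issue's code, nor the konklone.com or virtual.wf configuration; the two cipher strings are constructed for illustration, and `cipher_report` and `first_non_fs_index` are hypothetical helper names.

```python
"""Audit an OpenSSL cipher string for forward secrecy and RC4.

Added example (not the vwf or konklone.com configuration): expand a cipher
string the way mod_ssl hands it to OpenSSL, then classify every resulting
suite by its key exchange, so a reordering like the one discussed in the
issue can be verified before it is deployed.
"""
import ssl

# Constructed cipher strings for illustration.
# Forward-secret suites only: ephemeral ECDH/DH key exchange, RC4 excluded.
FS_ONLY = "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:!aNULL:!MD5:!RC4:!3DES"
# Same list plus a static-RSA carve-out appended at the end for clients that
# cannot negotiate ECDHE or DHE (the IE8-on-XP case mentioned in the thread).
FS_WITH_RSA_FALLBACK = FS_ONLY + ":AES128-SHA"

# OpenSSL key-exchange names that give forward secrecy (ephemeral (EC)DH).
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def _expand(cipher_string):
    """Ask OpenSSL to expand cipher_string into suites, in server order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def cipher_report(cipher_string):
    """Return which suites in cipher_string use forward-secret key exchange.

    SSLContext.get_ciphers() reports OpenSSL's expansion; 'kea' is the
    key-exchange algorithm. TLS 1.3 suites always use ephemeral (EC)DH and are
    listed by OpenSSL regardless of the string, so they count as forward secret.
    RC4 is not built into current OpenSSL, so 'rc4' is empty on modern builds;
    the check still matters for an inherited string on an older server.
    """
    report = {"forward_secret": [], "non_forward_secret": [], "rc4": []}
    for suite in _expand(cipher_string):
        name = suite["name"]
        if "RC4" in name:
            report["rc4"].append(name)
        if suite["protocol"] == "TLSv1.3" or suite["kea"] in FORWARD_SECRET_KEA:
            report["forward_secret"].append(name)
        else:
            report["non_forward_secret"].append(name)
    return report


def first_non_fs_index(cipher_string):
    """Position of the first non-forward-secret TLS 1.2-and-below suite in
    server order, or None if there is none.

    With SSLHonorCipherOrder on, Apache picks the first suite in its own
    order that the client also offers, so a static-RSA fallback only serves
    legacy clients if it sits after every forward-secret suite.
    """
    tls12 = [s for s in _expand(cipher_string) if s["protocol"] != "TLSv1.3"]
    for index, suite in enumerate(tls12):
        if suite["kea"] not in FORWARD_SECRET_KEA:
            return index
    return None


if __name__ == "__main__":
    for label, cs in (("FS only", FS_ONLY), ("with RSA fallback", FS_WITH_RSA_FALLBACK)):
        r = cipher_report(cs)
        print(f"{label}: {len(r['forward_secret'])} forward-secret, "
              f"{len(r['non_forward_secret'])} non-FS, RC4: {r['rc4'] or 'none'}, "
              f"first non-FS at index {first_non_fs_index(cs)}")
```

The report only covers the cipher list; the 1024-bit DH parameters mentioned in the reply are a separate setting, and the DHE suites in the list are only as strong as the parameter file the server loads.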

eric79 commented 10 years ago

I'm reopening this issue, so I don't forget to address your other points.

... and thanks for the medal. :wink: