Due mainly to the Heartbleed bug (and for the non-technical readers, here’s a newbie-friendly explanation, courtesy of xkcd), I’ve been tweaking some of the SSL settings on here. A quick list of changes:
- Naturally, OpenSSL has been patched against Heartbleed. I’m in the process of getting the site’s SSL certificate revoked and reissued.
- SSLv3 is now disabled, as it is considered insecure. (SSLv2 was disabled already.)
- The cipher suites have been altered to support forward secrecy (in most browsers; Internet Explorer running on Windows XP is the exception, but should be able to fall back to a lower protocol version). For the technically minded, here’s how to deploy it.
- The server now supports HTTP Strict Transport Security with long duration.
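The three server-side changes above can be verified from what a client observes: the negotiated protocol version, the negotiated cipher suite, and the Strict-Transport-Security response header. The following Python script is an added example (not code from this post or from SSL Labs) that models those checks offline on constructed observations. It assumes OpenSSL-style cipher names, where an `ECDHE-` or `DHE-` prefix marks an ephemeral key exchange and hence forward secrecy, and it takes 180 days as the threshold for a "long" HSTS duration; both are assumptions, not values stated on the page.

```python
"""Offline audit of protocol version, forward-secret cipher suite and HSTS.

Added example that models the checks; it is not SSL Labs' own logic.
Inputs are what a TLS client sees: the negotiated protocol, the OpenSSL
cipher-suite name, and the raw Strict-Transport-Security header value.
"""

# Protocol versions treated as broken (SSLv2 and SSLv3 are both disabled).
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}

# Assumption: OpenSSL names suites with ephemeral (EC)DH key exchange with
# these prefixes; only such suites give forward secrecy.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")

# Assumption: "long duration" means at least 180 days, expressed in seconds.
LONG_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive and are lower-cased; a directive
    without a value (e.g. includeSubDomains) maps to True.  Returns None
    when the header is absent.
    """
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def audit(protocol, cipher, hsts_header):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []

    if protocol in INSECURE_PROTOCOLS:
        findings.append("insecure protocol negotiated: %s" % protocol)

    if not cipher.startswith(FORWARD_SECRET_PREFIXES):
        findings.append("cipher suite without forward secrecy: %s" % cipher)

    hsts = parse_hsts(hsts_header)
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        raw = hsts.get("max-age")
        # max-age must be present and a plain non-negative integer.
        if not isinstance(raw, str) or not raw.isdigit():
            findings.append("HSTS max-age missing or malformed: %r" % (raw,))
        elif int(raw) < LONG_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short: %s" % raw)

    return findings


if __name__ == "__main__":
    # Constructed observations for illustration, not real measurements.
    samples = {
        "hardened": ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256",
                     "max-age=31536000; includeSubDomains"),
        "legacy": ("SSLv3", "AES128-SHA", None),
    }
    for label, observed in samples.items():
        print(label, audit(*observed) or ["ok"])
```

The checker deliberately takes observed values rather than opening a connection, so it can be pointed at the output of any TLS probing tool; the cipher prefix test is the one an XP-era Internet Explorer would fail, since it only offers non-ephemeral suites.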
Happily, Qualys SSL Labs now gives this site an A+ rating. Probably overkill for a small, personal site such as this one, but it’s still nice to know.
The changes made shouldn’t have broken anything (touch wood), but if they have, please get hold of me so that I can fix things up.
(Incidentally, MyBroadband has a list of various South African sites where one would expect good security, together with their Qualys SSL Labs grades. Of concern are Standard Bank’s Internet banking servers scoring an F due to supporting insecure renegotiation; Standard Bank has yet to comment on the issue. A notable absentee is SANRAL, as the site is inaccessible internationally and so could not be tested.)