SSL grading sucks

Open denysvitali opened this issue 6 years ago • 3 comments

As per today's mail:

I just saw your motherfucking website which is really a nice way to show
how a website design can be very clean and simple.

I saw that you tried to reach perfection on the protocol side (HTTPS,
HTTP/2, Let's Encrypt certificate...), but apparently there is room for
improvement.

Here are a few pointers:

https://internet.nl/domain/thebestmotherfucking.website/114718/ (49%)

In terms of certificate, the grade is quite good (although not perfect):
https://www.ssllabs.com/ssltest/analyze.html?d=thebestmotherfucking.website&hideResults=on (B)
https://tls.imirhil.fr/https/thebestmotherfucking.website (69/100)

I need to improve my SSL configuration; I'll adopt this, which had a good overall rating (A+ IIRC).

denysvitali avatar Nov 06 '17 17:11 denysvitali

Seems good now. I'll leave this issue open for discussion. My current nginx config:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    expires $expires;
    server_name thebestmotherfucking.website www.thebestmotherfucking.website;
    ssl_certificate /etc/letsencrypt/live/thebestmotherfucking.website/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/thebestmotherfucking.website/privkey.pem;
    include snippets/gzip.conf;
    include snippets/ssl_best.conf;
    server_tokens off;
    location / {
        autoindex on;
        root "/srv/html/thebestmotherfuckingwebsite/dist/";
        # add_header directives are inherited from the server level only when this
        # block sets none of its own; if cors.conf adds a header, the HSTS,
        # X-Frame-Options and Referrer-Policy headers below are not sent for /
        include "/etc/nginx/cors.conf";
    }
}

# SSL CONFIG (presumably the snippets/ssl_best.conf included above)
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;   # generate with at least 2048 bits (see weakdh.org)
ssl_ecdh_curve secp384r1;
#ssl_session_tickets off;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

add_header X-Frame-Options SAMEORIGIN;
add_header Referrer-Policy "same-origin";

SSL Result

denysvitali avatar Nov 06 '17 22:11 denysvitali

Hi,

As for the SSL checking, here are the offline tools used: https://github.com/rbsec/sslscan/

And to improve the checks reported by the internet.nl website, here is what needs to be accomplished:

  • to have an IPv6 address for the web server
  • sign the domain name with DNSSEC
  • implement HSTS policy (HTTP Strict Transport Security)
  • secure the Diffie-Hellman/DH-1024 key exchange (see https://security.stackexchange.com/questions/5487/is-1024bit-diffie-hellman-key-exchange-secure and https://weakdh.org/ )
  • add a valid DANE record to the domain

Thanks a lot for your website

adren avatar Nov 07 '17 07:11 adren
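As an added example (not code from the thread or the repository): a small Python checker that flattens nginx directives and reports the nginx-side points raised above (protocols, DH params, HSTS, OCSP stapling), run against the thread's own ssl snippet and a constructed weakened copy. IPv6, DNSSEC and DANE are DNS/hosting concerns that a config file cannot show, so they are out of its scope.

```python
import re
import shlex
# Constructed samples (not the repository's own files): the thread's ssl snippet, and a weakened variant.
STRONG_CONF = """
ssl_protocols TLSv1.2;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_stapling on;
"""
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=300";
"""

def parse_directives(text):  # -> [(name, [args])]; braces and '#' comments are skipped
    pairs, buf = [], []
    for line in text.splitlines():
        for tok in shlex.split(line, comments=True):
            if tok in ("{", "}"):
                buf = []                       # block delimiter, not a directive
            elif tok.endswith(";"):            # ';' terminates a directive
                buf += [tok[:-1]] if tok[:-1] else []
                if buf:
                    pairs.append((buf[0], buf[1:]))
                buf = []
            else:
                buf.append(tok)
    return pairs

def audit(text):  # -> list of findings for the points raised in the thread; [] means clean
    d, findings = parse_directives(text), []
    legacy = [p for name, args in d if name == "ssl_protocols"
              for p in args if p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")]
    if legacy:
        findings.append("legacy protocols enabled: " + " ".join(legacy))
    if not any(name == "ssl_dhparam" for name, _ in d):
        findings.append("no ssl_dhparam set (see weakdh.org)")
    hsts = [args for name, args in d if name == "add_header"
            and args and args[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS header")
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:]))
        if int(m.group(1) if m else 0) < 180 * 24 * 3600:
            findings.append("HSTS max-age below six months")
        if "always" not in hsts[0][2:]:
            findings.append("HSTS header lacks 'always' (omitted on error responses)")
    if not any(name == "ssl_stapling" and args == ["on"] for name, args in d):
        findings.append("OCSP stapling is off")
    return findings
```

Pointing `audit()` at the real `ssl_best.conf` (read as text) gives the same report for the live file.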

Will do, thank you :)

denysvitali avatar Nov 07 '17 12:11 denysvitali

We're now on GH Pages and SSL grading is out of scope now

denysvitali avatar Jan 28 '24 13:01 denysvitali