thebestmotherfuckingwebsite
SSL grading sucks
As per today's mail:
I just saw your motherfucking website, which is really a nice way to show how a website design can be very clean and simple.
I saw that you tried to reach perfection on the protocol side (HTTPS, HTTP/2, Let's Encrypt certificate...), but apparently there is room for improvement. Here are a few pointers:
https://internet.nl/domain/thebestmotherfucking.website/114718/ (49%)
In terms of the certificate, the grade is quite good (although not perfect):
https://www.ssllabs.com/ssltest/analyze.html?d=thebestmotherfucking.website&hideResults=on (B)
https://tls.imirhil.fr/https/thebestmotherfucking.website (69/100)
I need to improve my SSL configuration; I'll adopt this, which had a good overall rating (A+ IIRC).
Seems good now. I'll leave this issue open for discussion. My current nginx config:
```nginx
server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    expires $expires;   # $expires is set by a map block outside this snippet
    server_name thebestmotherfucking.website www.thebestmotherfucking.website;
    ssl_certificate /etc/letsencrypt/live/thebestmotherfucking.website/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/thebestmotherfucking.website/privkey.pem;
    include snippets/gzip.conf;
    include snippets/ssl_best.conf;
    server_tokens off;
    location /
    {
        autoindex on;
        root "/srv/html/thebestmotherfuckingwebsite/dist/";
        # Caveat: if cors.conf uses add_header, nginx drops the server-level
        # add_header directives (HSTS, X-Frame-Options, Referrer-Policy) for
        # this location; they are inherited only when the location sets none.
        include "/etc/nginx/cors.conf";
    }
}

# SSL CONFIG (the included ssl snippet)
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;   # the EDH suites above use this group; generate it with at least 2048 bits
ssl_ecdh_curve secp384r1;
#ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_stapling on;
ssl_stapling_verify on;
# ssl_stapling_verify needs the issuer chain as trusted certificates; certbot writes it as chain.pem
ssl_trusted_certificate /etc/letsencrypt/live/thebestmotherfucking.website/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header X-Frame-Options SAMEORIGIN;
add_header Referrer-Policy "same-origin";
```
Hi,
As for the SSL checking, here is the offline tool used: https://github.com/rbsec/sslscan/
And to improve the checks reported by the internet.nl website, here is what needs to be accomplished:
- have an IPv6 address for the web server
- sign the domain name with DNSSEC
- implement an HSTS policy (HTTP Strict Transport Security)
- secure the Diffie-Hellman/DH-1024 key exchange (see https://security.stackexchange.com/questions/5487/is-1024bit-diffie-hellman-key-exchange-secure and https://weakdh.org/ )
- add a valid DANE record to the domain
Thanks a lot for your website
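The five items in the comment above are what internet.nl scores. As an added example (not the page author's code and not internet.nl's), here is an offline Python checker that evaluates each item from the text the usual command-line tools print, so it can be run over captured output. It assumes the output formats of BIND 9 `dig`, `curl -I` and OpenSSL `s_client`; the samples embedded at the bottom are constructed, not captures from the site, and the hostname appears only inside them.

```python
"""Offline checker for the five internet.nl items listed in the comment above.

Added example, not code from the page's author or from internet.nl. It never
touches the network: each check parses the text that the usual command-line
tool prints (BIND dig, curl -I, openssl s_client), so it can be pointed at
captured output. The samples at the bottom are constructed, not real captures.
"""
import re


def has_aaaa(dig_output: str) -> bool:
    """`dig AAAA <host>`: an AAAA answer line means the web host is reachable over IPv6."""
    return re.search(r"^\S+\s+\d+\s+IN\s+AAAA\s+\S+", dig_output, re.M) is not None


def dnssec_validated(dig_output: str) -> bool:
    """`dig +dnssec <host>` through a validating resolver: the AD (authenticated
    data) flag in the header is set only when the signature chain validated."""
    m = re.search(r"^;; flags: ([a-z ]+);", dig_output, re.M)
    return m is not None and "ad" in m.group(1).split()


def hsts_ok(headers: str, min_age: int = 31536000) -> bool:
    """`curl -I https://<host>/`: HSTS counts when the header is present with a
    max-age of at least a year and includeSubDomains (the policy nginx sends above)."""
    m = re.search(r"^strict-transport-security:\s*(.+)$", headers, re.M | re.I)
    if not m:
        return False
    directives = [d.strip().lower() for d in m.group(1).split(";")]
    age = re.search(r"max-age\s*=\s*(\d+)", m.group(1), re.I)
    return age is not None and int(age.group(1)) >= min_age and "includesubdomains" in directives


def key_exchange_ok(s_client_output: str, min_dh_bits: int = 2048) -> bool:
    """`openssl s_client -connect <host>:443`: the 'Server Temp Key' line names the
    ephemeral key. Finite-field DH below 2048 bits is the weakdh.org problem;
    ECDH on a NIST curve or X25519/X448 passes."""
    m = re.search(r"^Server Temp Key: (\w+)(?:, ([^,]+))?, (\d+) bits", s_client_output, re.M)
    if not m:
        return False
    kind, bits = m.group(1), int(m.group(3))
    if kind == "DH":
        return bits >= min_dh_bits
    return kind in ("ECDH", "X25519", "X448")


def tlsa_ok(dig_output: str) -> bool:
    """`dig TLSA _443._tcp.<host>`: a DANE-EE record (usage 3, selector 1 = SPKI,
    matching type 1 = SHA-256) with a 64-hex-digit hash. Shape only: matching the
    hash against the served certificate's SPKI needs the certificate itself."""
    m = re.search(r"\sIN\s+TLSA\s+3\s+1\s+1\s+([0-9A-Fa-f \t]+)", dig_output)
    return m is not None and len(re.sub(r"[ \t]", "", m.group(1))) == 64


def audit(dig_aaaa: str, dig_dnssec: str, headers: str, s_client: str, dig_tlsa: str) -> dict:
    """Map each internet.nl item to pass/fail from the five captured outputs."""
    return {
        "ipv6": has_aaaa(dig_aaaa),
        "dnssec": dnssec_validated(dig_dnssec),
        "hsts": hsts_ok(headers),
        "key_exchange": key_exchange_ok(s_client),
        "dane": tlsa_ok(dig_tlsa),
    }


# Constructed samples (not real captures) in the formats dig, curl -I and s_client print.
HOST = "thebestmotherfucking.website"
DIG_A_ONLY = f"{HOST}. 300 IN A 203.0.113.10\n"
DIG_A_AND_AAAA = DIG_A_ONLY + f"{HOST}. 300 IN AAAA 2001:db8::10\n"
DIG_FLAGS_NO_AD = ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
DIG_FLAGS_AD = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
HEADERS_SHORT_HSTS = "HTTP/2 200\r\nserver: nginx\r\nstrict-transport-security: max-age=300\r\n"
HEADERS_FULL_HSTS = "HTTP/2 200\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n"
SCLIENT_DH_1024 = "---\nServer Temp Key: DH, 1024 bits\n---\n"
SCLIENT_ECDH_P384 = "---\nServer Temp Key: ECDH, P-384, 384 bits\n---\n"
DIG_TLSA_EMPTY = f";; AUTHORITY SECTION:\n{HOST}. 300 IN SOA ns1.{HOST}. hostmaster.{HOST}. 1 7200 3600 1209600 300\n"
DIG_TLSA_DANE_EE = f"_443._tcp.{HOST}. 300 IN TLSA 3 1 1 " + "ab" * 32 + "\n"

BEFORE = audit(DIG_A_ONLY, DIG_FLAGS_NO_AD, HEADERS_SHORT_HSTS, SCLIENT_DH_1024, DIG_TLSA_EMPTY)
AFTER = audit(DIG_A_AND_AAAA, DIG_FLAGS_AD, HEADERS_FULL_HSTS, SCLIENT_ECDH_P384, DIG_TLSA_DANE_EE)

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("after", AFTER)):
        print(label, {k: ("pass" if v else "FAIL") for k, v in result.items()})
```

To use it on a live host, feed `audit` the stdout of `dig AAAA <host>`, `dig +dnssec <host>`, `curl -I https://<host>/`, `openssl s_client -connect <host>:443 </dev/null` and `dig TLSA _443._tcp.<host>`. The DNSSEC check depends on the resolver being a validating one, and the DANE check only confirms that a usage 3/1/1 record of the right length exists; comparing its hash with the SHA-256 of the served certificate's SubjectPublicKeyInfo is a separate step.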
Will do, thank you :)
We're now on GH Pages, so SSL grading is out of scope now.