author: Paul Duncan <pabs@pablotron.org> 2021-10-21 17:55:17 -0400
committer: Paul Duncan <pabs@pablotron.org> 2021-10-21 17:55:17 -0400
commit: ebf80753b684509d3a2b8c1d7165a104ab549d51 (patch)
tree: 630e353be62b78968b5795d90c7a543f3e09d2f8 /content/posts
parent: ea650a96c92a4305389b0a40d00599b1430cff41 (diff)
download: pablotron.org-ebf80753b684509d3a2b8c1d7165a104ab549d51.tar.bz2
          pablotron.org-ebf80753b684509d3a2b8c1d7165a104ab549d51.zip
add posts/2021-10-21-tls-and-header-fixes.md
Diffstat (limited to 'content/posts')
-rw-r--r-- content/posts/2021-10-21-tls-and-header-fixes.md  102
1 files changed, 102 insertions, 0 deletions
diff --git a/content/posts/2021-10-21-tls-and-header-fixes.md b/content/posts/2021-10-21-tls-and-header-fixes.md
new file mode 100644
index 0000000..430561d
--- /dev/null
+++ b/content/posts/2021-10-21-tls-and-header-fixes.md
@@ -0,0 +1,102 @@
+---
+slug: tls-and-header-fixes
+title: "TLS and Header Fixes"
+date: "2021-10-21T10:22:04-04:00"
+draft: true
+---
+Yesterday I scanned this site using the following tools:
+
+* [SSL Labs: SSL Server Test][ssllabs]: [TLS][] version,
+ [cipher suites][cipher-suite], and security headers scanner.
+* [Security Headers][securityheaders]: [HTTP][] response security
+ headers scanner.
+* [Lighthouse][lighthouse]: Page performance and accessibility scanner.
+
+I made a several [Apache][] configuration changes based on the
+initial scan results:
+
+1. Disabled ancient versions of [TLS][].
+2. Set an explicit [cipher suite list][cipher-suite] using the
+ [Mozilla SSL Configuration Generator][ssl-config-gen].
+3. Refined the value of the `Access-Control-Allow-Origin` header.
+4. Added two new headers: `Referrer-Policy` and `Permissions-Policy`.
+
+After a couple of iterations of changes and testing, I:
+
+* Updated [my recent post][response-header-post] to reflect the
+ response header changes in the [Apache][] configuration.
+* Applied the same changes (with minor tweaks) to several other
+ sites.
+
+**Tip:** Use the [Mozilla SSL Configuration Generator][ssl-config-gen]
+to generate your [TLS][] configuration. It has three client profiles
+("modern", "intermediate", and "old") and supports a variety of servers
+(web, email, database, application, etc).
+
+Random thoughts:
+* Static site generators like [Hugo][] and [Jekyll][] make it easy to
+ check off many performance and security requirements.
+* As an industry, we still have not learned to ["have one joint and keep
+ it well oiled"][lesson] when dealing with security. Notable
+ exception: [Wireguard][].
+
+Screenshots of the improved scan results are available below. Click the
+[SSL Labs][ssllabs] and [Security Headers][securityheaders] pictures to
+see the scan details.
+
+[{{< figure
+ src="/files/posts/tls-and-header-fixes/ssllabs.png"
+ class=image
+ width=990
+ height=506
+ caption="SSL Labs scan results."
+>}}][ssllabs-results]
+
+[{{< figure
+ src="/files/posts/tls-and-header-fixes/securityheaders.png"
+ class=image
+ width=1226
+ height=297
+ caption=" Security Headers scan results."
+>}}][securityheaders-results]
+
+{{< figure
+ src="/files/posts/tls-and-header-fixes/lighthouse-desktop.png"
+ class=image
+ width=488
+ height=192
+ caption="Lighthouse desktop scan results."
+>}}
+
+[ssllabs]: https://www.ssllabs.com/ssltest/
+ "TLS version, cipher suite, and response header scanner."
+[securityheaders]: https://securityheaders.com/
+ "HTTP response header scanner."
+[lighthouse]: https://developers.google.com/web/tools/lighthouse
+ "Page performance and accessibility scanner."
+[cipher-suite]: https://en.wikipedia.org/wiki/Cipher_suite
+ "Set of cryptographic algorithms."
+[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security
+ "Transport Layer Security"
+[http]: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
+ "HyperText Transfer Protocol"
+[apache]: https://apache.org/
+ "Apache web server."
+[response-header-post]: {{< ref "/posts/2021-10-19-hugo-csp-impedance-mismatch.md" >}}
+ "My recent post on Hugo and HTTP response headers."
+[ssl-config-gen]: https://ssl-config.mozilla.org/
+ "Mozilla SSL Configuration Generator"
+[ssllabs-results]: https://www.ssllabs.com/ssltest/analyze.html?d=pablotron.org&hideResults=on
+ "SSL Labs scan results."
+[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
+ "Security Headers scan results."
+[postgres]: https://postgresql.org/
+ "PostgreSQL relational database server."
+[lesson]: https://www.imperialviolet.org/2016/05/16/agility.html
+ "Cryptographic Agility, by Adam Langley."
+[wireguard]: https://www.wireguard.com/
+ "Wireguard VPN"
+[hugo]: https://gohugo.io/
+ "Hugo static site generator."
+[jekyll]: https://jekyllrb.com/
+ "Jekyll static site generator."
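Review bot: the four Apache changes enumerated after "I made a several Apache configuration changes" (disabling old TLS versions, an explicit cipher suite list, a refined `Access-Control-Allow-Origin` value, and the new `Referrer-Policy` and `Permissions-Policy` headers) are described but none of the resulting configuration appears anywhere in the post, so a reader cannot tell which TLS versions remain enabled, which Mozilla profile ("modern", "intermediate" or "old") the cipher list was generated from, what the refined `Access-Control-Allow-Origin` value is, or what the two new headers are set to; the scan screenshots do not convey any of this, so consider adding the relevant `SSLProtocol`, `SSLCipherSuite` and `Header` lines, or at minimum the chosen profile and the header values. Smaller points in the same hunk: "I made a several" should read "I made several"; the Security Headers figure has a stray leading space in `caption=" Security Headers scan results."`; the `[postgres]` link definition near the end of the file is never referenced in the body and can be dropped; and the front matter still carries `draft: true`, so Hugo will not publish this post unless that is intended for this commit.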