From ebf80753b684509d3a2b8c1d7165a104ab549d51 Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Thu, 21 Oct 2021 17:55:17 -0400 Subject: add posts/2021-10-21-tls-and-header-fixes.md --- content/posts/2021-10-21-tls-and-header-fixes.md | 102 +++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 content/posts/2021-10-21-tls-and-header-fixes.md (limited to 'content') diff --git a/content/posts/2021-10-21-tls-and-header-fixes.md b/content/posts/2021-10-21-tls-and-header-fixes.md new file mode 100644 index 0000000..430561d --- /dev/null +++ b/content/posts/2021-10-21-tls-and-header-fixes.md 
@@ -0,0 +1,102 @@ +--- +slug: tls-and-header-fixes +title: "TLS and Header Fixes" +date: "2021-10-21T10:22:04-04:00" +draft: true +--- +Yesterday I scanned this site using the following tools: + +* [SSL Labs: SSL Server Test][ssllabs]: [TLS][] version, + [cipher suites][cipher-suite], and security headers scanner. +* [Security Headers][securityheaders]: [HTTP][] response security + headers scanner. +* [Lighthouse][lighthouse]: Page performance and accessibility scanner. + +I made a several [Apache][] configuration changes based on the +initial scan results: + +1. Disabled ancient versions of [TLS][]. +2. Set an explicit [cipher suite list][cipher-suite] using the + [Mozilla SSL Configuration Generator][ssl-config-gen]. +3. Refined the value of the `Access-Control-Allow-Origin` header. +4. Added two new headers: `Referrer-Policy` and `Permissions-Policy`. + +After a couple of iterations of changes and testing, I: + +* Updated [my recent post][response-header-post] to reflect the + response header changes in the [Apache][] configuration. +* Applied the same changes (with minor tweaks) to several other + sites. + +**Tip:** Use the [Mozilla SSL Configuration Generator][ssl-config-gen] +to generate your [TLS][] configuration. It has three client profiles +("modern", "intermediate", and "old") and supports a variety of servers +(web, email, database, application, etc). + +Random thoughts: +* Static site generators like [Hugo][] and [Jekyll][] make it easy to + check off many performance and security requirements. +* As an industry, we still have not learned to ["have one joint and keep + it well oiled"][lesson] when dealing with security. Notable + exception: [Wireguard][]. + +Screenshots of the improved scan results are available below. Click the +[SSL Labs][ssllabs] and [Security Headers][securityheaders] pictures to +see the scan details. 
+ +[{{< figure + src="/files/posts/tls-and-header-fixes/ssllabs.png" + class=image + width=990 + height=506 + caption="SSL Labs scan results." +>}}][ssllabs-results] + +[{{< figure + src="/files/posts/tls-and-header-fixes/securityheaders.png" + class=image + width=1226 + height=297 + caption=" Security Headers scan results." +>}}][securityheaders-results] + +{{< figure + src="/files/posts/tls-and-header-fixes/lighthouse-desktop.png" + class=image + width=488 + height=192 + caption="Lighthouse desktop scan results." +>}} + +[ssllabs]: https://www.ssllabs.com/ssltest/ + "TLS version, cipher suite, and response header scanner." +[securityheaders]: https://securityheaders.com/ + "HTTP response header scanner." +[lighthouse]: https://developers.google.com/web/tools/lighthouse + "Page performance and accessibility scanner." +[cipher-suite]: https://en.wikipedia.org/wiki/Cipher_suite + "Set of cryptographic algorithms." +[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security + "Transport Layer Security" +[http]: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol + "HyperText Transfer Protocol" +[apache]: https://apache.org/ + "Apache web server." +[response-header-post]: {{< ref "/posts/2021-10-19-hugo-csp-impedance-mismatch.md" >}} + "My recent post on Hugo and HTTP response headers." +[ssl-config-gen]: https://ssl-config.mozilla.org/ + "Mozilla SSL Configuration Generator" +[ssllabs-results]: https://www.ssllabs.com/ssltest/analyze.html?d=pablotron.org&hideResults=on + "SSL Labs scan results." +[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on + "Security Headers scan results." +[postgres]: https://postgresql.org/ + "PostgreSQL relational database server." +[lesson]: https://www.imperialviolet.org/2016/05/16/agility.html + "Cryptographic Agility, by Adam Langley." +[wireguard]: https://www.wireguard.com/ + "Wireguard VPN" +[hugo]: https://gohugo.io/ + "Hugo static site generator." 
+[jekyll]: https://jekyllrb.com/ + "Jekyll static site generator." -- cgit v1.2.3
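Review bot: The `[postgres]` reference definition near the end of the new file is never used in the post body and can be dropped. In the intro, "I made a several [Apache][] configuration changes" should read "I made several", and the second figure's `caption=" Security Headers scan results."` has a stray leading space. The front matter sets `draft: true`, so confirm that is intended for this commit. The post lists the TLS version and cipher suite changes but does not show the resulting Apache directives; consider including them, or the generator profile chosen ("modern", "intermediate", or "old"), so readers can reproduce the scan results.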