path: root/content/posts/2021-10-21-tls-and-header-fixes.md
blob: f96e34bd0602379d4a8e382af19ab486aab5e2e6 (plain)
---
slug: tls-and-header-fixes
title: "TLS and Header Fixes"
date: "2021-10-21T10:22:04-04:00"
draft: false

pics:
  ssllabs:
    css: "image"
    tip: "SSL Labs scan results."
    sources:
      - "/files/posts/tls-and-header-fixes/ssllabs.webp"
      - src: "/files/posts/tls-and-header-fixes/ssllabs.png"
        width: 990
        height: 506

  securityheaders:
    css: "image"
    tip: "Security Headers scan results."
    sources:
      - "/files/posts/tls-and-header-fixes/securityheaders.webp"
      - src: "/files/posts/tls-and-header-fixes/securityheaders.png"
        width: 1226
        height: 297

  lighthouse-desktop:
    css: "image"
    tip: "Lighthouse desktop scan results."
    sources:
      - "/files/posts/tls-and-header-fixes/lighthouse-desktop.webp"
      - src: "/files/posts/tls-and-header-fixes/lighthouse-desktop.png"
        width: 488
        height: 192

---
Yesterday I scanned this site using the following tools:

* [SSL Labs: SSL Server Test][ssllabs]: [TLS][] version,
  [cipher suites][cipher-suite], and security headers scanner.
* [Security Headers][securityheaders]: [HTTP][] response security
  headers scanner.
* [Lighthouse][lighthouse]: Page performance and accessibility scanner.

I made several [Apache][] configuration changes based on the
initial scan results:

1. Disabled ancient versions of [TLS][].
2. Set an explicit [cipher suite list][cipher-suite] using the
   [Mozilla SSL Configuration Generator][ssl-config-gen].
3. Refined the value of the `Access-Control-Allow-Origin` header.
4. Added two new headers: `Referrer-Policy` and `Permissions-Policy`.
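
For reference, here is an Apache `mod_ssl`/`mod_headers` snippet covering the four changes above. It is an added illustration, not the configuration actually used on this site: the protocol and cipher directives are the Mozilla generator's "intermediate" profile for Apache 2.4 at the time of writing, and the header values and the `https://example.org` origin are assumed placeholders.

```apache
# Step 1: start from "all" and subtract the ancient protocols, leaving
# TLS 1.2 and (with OpenSSL 1.1.1 or later) TLS 1.3.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

# Step 2: explicit TLS 1.2 cipher suite list from the Mozilla generator's
# "intermediate" profile. Regenerate rather than copy; the output changes
# as the generator is updated.
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Every suite above is AEAD with forward secrecy, so client preference is fine.
SSLHonorCipherOrder     off
# Session tickets undermine forward secrecy unless the ticket key is rotated.
SSLSessionTickets       off

# Steps 3 and 4: "always" also applies the headers to error responses.
# Assumed values: narrow the CORS origin to the one site that needs it
# (or drop the header if nothing cross-origin reads these responses),
# and deny browser features the site never uses.
Header always set Access-Control-Allow-Origin "https://example.org"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
```

Both `mod_ssl` and `mod_headers` must be enabled, and the directives belong inside the TLS `<VirtualHost>`; rescan with the tools listed above after each change to confirm the effect.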

After a couple of iterations of changes and testing, I:

* Updated [my recent post][response-header-post] to reflect the
  response header changes in the [Apache][] configuration.
* Applied the same changes (with minor tweaks) to several other
  sites.

**Tip:** Use the [Mozilla SSL Configuration Generator][ssl-config-gen]
to generate your [TLS][] configuration.  It has three client profiles
("modern", "intermediate", and "old") and supports a variety of servers
(web, email, database, application, etc.).

Random thoughts:

* Static site generators like [Hugo][] and [Jekyll][] make it easy to
  check off many performance and security requirements.
* As an industry, we still have not learned to ["have one joint and keep
  it well oiled"][lesson] when dealing with security.  Notable
  exception: [Wireguard][].

Screenshots of the improved scan results are available below.  Click the
[SSL Labs][ssllabs] and [Security Headers][securityheaders] pictures to
see the scan details.

[{{< pe-figure "ssllabs" >}}][ssllabs-results]

[{{< pe-figure "securityheaders" >}}][securityheaders-results]

{{< pe-figure "lighthouse-desktop" >}}

[ssllabs]: https://www.ssllabs.com/ssltest/
  "TLS version, cipher suite, and response header scanner."
[securityheaders]: https://securityheaders.com/
  "HTTP response header scanner."
[lighthouse]: https://developers.google.com/web/tools/lighthouse
  "Page performance and accessibility scanner."
[cipher-suite]: https://en.wikipedia.org/wiki/Cipher_suite
  "Set of cryptographic algorithms."
[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security
  "Transport Layer Security"
[http]: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
  "HyperText Transfer Protocol"
[apache]: https://apache.org/
  "Apache web server."
[response-header-post]: {{< ref "/posts/2021-10-19-hugo-csp-impedance-mismatch.md" >}}
  "My recent post on Hugo and HTTP response headers."
[ssl-config-gen]: https://ssl-config.mozilla.org/
  "Mozilla SSL Configuration Generator"
[ssllabs-results]: https://www.ssllabs.com/ssltest/analyze.html?d=pablotron.org&hideResults=on
  "SSL Labs scan results."
[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
  "Security Headers scan results."
[postgres]: https://postgresql.org/
  "PostgreSQL relational database server."
[lesson]: https://www.imperialviolet.org/2016/05/16/agility.html
  "Cryptographic Agility, by Adam Langley."
[wireguard]: https://www.wireguard.com/
  "Wireguard VPN"
[hugo]: https://gohugo.io/
  "Hugo static site generator."
[jekyll]: https://jekyllrb.com/
  "Jekyll static site generator."