

SSL Labs: Stricter security requirements for 2014 - ivanr
http://blog.ivanristic.com/2014/01/ssl-labs-stricter-security-requirements-for-2014.html

======
tptacek
I really wish it wasn't possible to get an A- with RC4 enabled.

~~~
ivanr
I wish that too. I don't like the idea of having a demonstratively weak cipher
in my SSL configuration, either. On the other hand, RC4 remains the only
reliable way to defend against BEAST. Modern browsers might have addressed
this issue, but there remain large numbers of users who are using older
(unpatched) browsers and have (unpatched) Java enabled too. Plus, RC4
weaknesses are (as far as we know) not practical to exploit.

I am not afraid about BEAST, but I felt it would be wrong to penalize those
who have legitimate reasons to be worried. In the end, it's all about context.

That said, perhaps the penalty for using RC4 with TLS 1.1 and better (which
are not vulnerable to BEAST) should have been harsher. I'll consider it for a
future update.

~~~
jvehent
I agree. Unfortunately, there is currently no way to configure different
ciphersuites for different versions of TLS. With issues like BEAST, it would
be highly beneficial if Apache, Nginx & others would supports ciphers
preferences per TLS versions.

That still wouldn't help old clients. For them, only one solution: upgrade!

~~~
ivanr
Yes, that would be nice. I've heard that PolarSSL has per-protocol suite
selection. It's really something the underlying SSL library needs to support.

With OpenSSL, the best we can do right now is prioritize suites so that SHA2
ones are on top. By doing that, you know that TLS 1.2 capable clients are
going to use good suites. The rest will fall back to whatever is below.

------
briansmith
Ivan, it would be helpful to define what a "long max-age" is, exactly. In
order to qualify for Firefox's HSTS preload list, max-age=10886400 or higher
is required. Are you using the same boundary, or a different one?

~~~
ivanr
It's 180 days (or 15,552,000 seconds) at the moment. I have it documented in
the rating guide, but I should probably mention it somewhere in the report. I
am not sure that's long enough, by the way. There are some important sites I
visit only once in a long while, and I would prefer to be protected on every
visit.

For your needs (HSTS preloading), a shorter value is probably fine.

------
rbritton
I'm stuck at B because Fedora's Apache and OpenSSL packages have not yet been
updated to fix the items necessary to go beyond that. It's not a high risk
enough site to warrant compiling and maintaining the build myself.

~~~
daeken
> It's not a high risk enough site to warrant compiling and maintaining the
> build myself.

Doing so would -- unless you're extraordinarily fastidious -- more than likely
open you to more risk than the existing issues. Keeping up with security
patches is more important, and your package manager is almost definitely
better at it than you are. So keep doing what you're doing -- you're good!

------
adam-f
Sadly, the blog isn't available over https.

------
ceejayoz
I'd love to see a canonical "pick these suites" article for Amazon's Elastic
Load Balancers. I've managed an A- but it'd be nice to know which of the 50ish
ciphers shown in ELB config I should be picking.

~~~
spamizbad
AFIAK it's not possible to get an A+ with Amazon's ELB, but it's sometimes
hard to parse Amazon's abridged cipher names.

It also doesn't help that Amazon gives you a TON of junk ciphers (like the
anon ones) but is missing some stronger ones.

~~~
conorgil145
I just went through a similar process with ELB. Unfortunately, ELB does not
support ECDHE so if you want to use perfect forward secrecy, DHE is your only
available option there and it is much slower than ECDHE. I switched to using
stud to resolve SSL so that we could enable ECDHE.

stud: [https://github.com/bumptech/stud](https://github.com/bumptech/stud)

------
aroch
Woo, I get an A+. Do you have any comments on using 'includeSubDomains' with
HTST? I've had some people tell me not to use it and other to use it. Are
there any major security implications?

~~~
ivanr
Ideally, you should always use "includeSubdomains" with HSTS. This will
provide robust security for the main hostname as well as all subdomains. The
issue here is that (without "includeSubdomains") a man in the middle attacker
can create arbitrary subdomains and use them inject cookies into your
application. In some cases, even leakage might occur.

The drawback of "includeSubdomains", of course, is that you will have to
deploy all subdomains over SSL.

~~~
aroch
Thanks, that's what I thought.

------
rickette
SSL labs is an amazing site. I use it frequently to alert co-workers about
potential weaknesses in our SSL setup. Having a SSL labs testreport makes it
easier to grasp for everyone involved.

~~~
zobzu
amazing i don't know but its useful, it helps raising awareness a lot.

------
shebson
An interesting effect of this is that everyone using ssl provided by
CloudFlare's Pro tier now gets dropped to an A- because they use RC4 with TLS
1.1.

------
hsivonen
Thanks for the test (very useful!) and for the update.

A couple of comments:

"Servers that do not support Forward Secrecy with our reference browsers are
given a warning."

Why aren't such servers capped to a non-A rating?

Also, the current scoring scheme that puts Cipher Strength among the bars at
the top but doesn't put Forward Secrery there. Is there a reason to believe
that it's more worthwhile to highligh symmetric cipher key length than to
highlight Forward Secrecy, including the DH group size?

Considering that the security of AES256 might be closer to AES128 per
[https://www.schneier.com/blog/archives/2009/07/new_attack_on...](https://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html)
and running more rounds might give more opportunity for timing attacks in case
a round isn't constant-time, it seems weird to me to highlight the lack of
AES256 more than DH group size. Likewise, it seems weird to highlight the
difference between AES128 and AES256 more than the difference between RC4 and
AES.

~~~
ivanr
I guess that some decisions are easier to make than others. It's quite clear,
for example, that protocols before TLS 1.2 are inadequate. Forward Secrecy, on
the other hand, is supremely important for some sites (e.g., Google) and not
at all important for others (e.g., SSL Labs).

Also relevant is that these new rules are added on top of the 2009 rating
guide, which does not offer an adequate framework for them. Just as an
illustration, there is currently no meaning behind the A-F grades. A is good,
and F is bad, clearly, but we don't know what the grades in between mean.

Same response to your ciphers question. I can't stretch the current approach
to go handle those small differences. The calculations made some sense at the
time, but they no longer work for everything we want to take into account.

I currently working a new version of the rating guide--from scratch--and it's
going to solve all those problems, and a few more.

------
scott_karana
For someone without the time to compile OpenSSL and nginx/apache, what is a
recommended Linux distro with support for TLS 1.2 and PFS?

I'm normally a Debian Stable and CentOS6 guy, but both fall flat here, last I
checked.

~~~
agwa
Debian Stable (Wheezy)'s OpenSSL has everything you need: TLSv1.2, elliptic
curve crypto. However, its Apache doesn't support elliptic curve crypto so
you'll have to use the slower discrete log Diffie Hellman to get PFS with
Apache. I'm not sure about the version of nginx in Wheezy.

~~~
ivanr
If you're stuck with Apache 2.2.x (and thus no support for Elliptic Curve
crypto), perhaps you should give TLS Interposer a try:
[https://netfuture.ch/tools/tls-interposer/](https://netfuture.ch/tools/tls-
interposer/) It adds ECDHE support without having to upgrade to Apache 2.4.x.

~~~
agwa
Wow, that's an extremely cool program. Thanks!

------
dobbsbob
Tested some email providers

Neomailbox A

Countermail.com B

Cryptoheaven.com F "world's safest email" lol

Riseup.net the service political activists rely on only uses TLS1.0/SSL3

------
mike-cardwell
The only "fail" for grepular.com is:

    
    
      IE 6 / XP - No FS - No SNI - Protocol or cipher suite mismatch
    

This is because I disabled SSLv3 which means people using IE6 on WinXP simply
can't access the site. I see this as more of a win than a fail.

~~~
dspillett
IIRC IE6 on XP can support TLSv1.0 but it was disabled by default until IE7.

------
2bluesc
The test tool is pretty handy too. If only I could convince some of my service
providers to care...

------
taway2012
I host two sites on the same IP. The first site declared in my nginx conf file
got A+. The second one got A with a note that it doesn't work in browsers
without SNI.

Identical SSL configurations otherwise.

Is this expected? Or am I doing something wrong?

~~~
legutierr
If you are using the same IP to host two domains, each with a separate
certificate, then only one certificate can be default and associated with that
IP when SNI is not enabled. NGINX is probably choosing one of your two domains
to be "default" (if you haven't set it up that way explicitly). What happens
when you hit the server without any domain (i.e. via IP address in the
browser)? Is the site you see the one that got the A+?

SNI is what allows you to use two different certificates (associated with two
different domain names) with the same IP address. Your choices seem to be:

1\. Rely on SNI, which doesn't work with IE on WinXP, or on 2.x Android;

2\. Give your server two public IPs, with each pointing to a different domain;
OR

3\. Generate a single SAN certificate that references both domains
([http://en.wikipedia.org/wiki/SubjectAltName](http://en.wikipedia.org/wiki/SubjectAltName))
Not all certificate issuers can generate a SAN certificate.

~~~
taway2012
Thanks for the response. I get the A+ site when I directly visit via IP.

I went through the delta between the reports with a fine-toothed comb and
discovered that SNI wasn't the problem. It was a biggie: looks like HSTS
wasn't enabled for visits to the static part of the site (like the homepage).

It seems like Nginx is doing something counter-intuitive. I've set HSTS at the
server level using the 'add_header' directive.

I've set 'max-age=0, must-revalidate' at the location level using add_header
for the static parts of my site. I expected Nginx to add both add_headers, but
it only seems to do the "deepest" set of add_headers it finds.

Duplicating the 'add_header' directive at the location level (resulting in two
add_header directives) results in HSTS being sent for the static parts also.

Now I get A+ on SSL Labs for both sites.

------
riteshpatel
A+ without any changes, whoop :)

[https://www.ssllabs.com/ssltest/analyze.html?d=theticketfair...](https://www.ssllabs.com/ssltest/analyze.html?d=theticketfairy.com)

~~~
gog
Can you share the nginx config?

~~~
RKearney
Not OP, but here's the relevant portion of my Nginx config that scores an A+

[https://gist.github.com/ryankearney/8552425](https://gist.github.com/ryankearney/8552425)

~~~
ivanr
Some comments:

\- You don't need the builtin session cache. According to the Nginx
documentation, it's more efficient to rely only on shared memory alone.

\- You should use a longer session duration. Five minutes is too short. Use at
least one hour there.

\- For performance reasons, you might want to enable OCSP stapling.

\- SSL Labs does not currently penalize Diffie-Hellman parameters of 1024 bits
(the Nginx default), but it's something you should generally look to improve.
It's easy with the ssl_dhparam directive. (Some libraries, for example Java 6
and 7, does not support DH params over 1024 bits, though. So take that into
consideration.)

~~~
RKearney
Thanks for all these suggestions. I was able to implement all of them except
for oscp stapling due to our version of nginx not supporting it. Once that
gets upgraded that can be implemented too.

------
dave1010uk
Can anyone share the bits of an Apache config required to get an A+? Even
better would be an Ansible / Puppet / Chef cookbook.

~~~
mdewinter
Here is a fairly extensive guide for Apache:
[https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache...](https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html)
\- Also one for
nginx:[https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx....](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html)
\- This will get you an A+.

------
wommpomm
i agree, i've only just got to the point of needing to look at this sort of
site and the SSL labs is an amazing site. Thank you

