
On the Usability of Deploying HTTPS [pdf] - ivanr
https://www.sba-research.org/wp-content/uploads/publications/usenixTLSpreprint.pdf
======
tyingq
So, TLS libraries, webservers, etc. don't come with sane defaults for TLS
settings. They also don't come with sane defaults for security-oriented
headers, etc. I assume that's partly why software like Caddy is gaining in
popularity.

~~~
greggman
Is that enough? If I put caddy in front of my existing infrastructure am I now
secure and doing TLS correctly? That's what I did but I have no idea if some
expert wouldn't look and say "no, this is not done correctly, here's all the
parts you missed"

~~~
tyingq
Probably not. The default ciphers are reasonable. HSTS isn't on by default,
last I checked. But Caddy does generally seem to aspire to do the right thing
by default.

There is a Mozilla tool called Observatory that seems pretty comprehensive in
checking TLS setup and some other security settings, headers, etc:
[https://observatory.mozilla.org](https://observatory.mozilla.org)
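The HSTS point above is easy to verify offline. As an added example (not code from the thread, from Caddy, or from Observatory), this Python script parses a Strict-Transport-Security value and lists the response headers a scanner like Observatory would flag as missing; the 180-day minimum max-age and the sample header sets are assumptions constructed for the example.

```python
"""Offline check for HSTS and a few other security headers (added example)."""

# Assumption: 180 days is treated as the minimum acceptable HSTS max-age here.
MIN_HSTS_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains, preload).

    Returns None when the mandatory max-age directive is missing or malformed.
    """
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("malformed Strict-Transport-Security")
        else:
            max_age, include_sub, _ = parsed
            if max_age < MIN_HSTS_MAX_AGE:
                findings.append("HSTS max-age below %d" % MIN_HSTS_MAX_AGE)
            if not include_sub:
                findings.append("HSTS without includeSubDomains")
    for name in ("x-content-type-options", "x-frame-options", "content-security-policy"):
        if name not in h:
            findings.append("missing " + name)
    return findings


# Constructed sample responses: a proxy that only terminates TLS, and a hardened one.
SAMPLE_BARE = {"Content-Type": "text/html", "Server": "example"}
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}
```

Feed it the headers from a real response (e.g. from `curl -I`) to see what Observatory would complain about before running the online scan.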

------
lhuser123
> Our results suggest that the deployment process is far too complex even for
> people with proficient knowledge in the field

There we go again. You can find it everywhere. The human tendency to
underestimate how much we don't understand, and how much others don't
understand. Ahh, and how fast everyone forgot it.

------
plange
There are some good resources out there; the problem here is that most people
simply don't care or don't think it's part of their job to fix these things.

[https://mozilla.github.io/server-side-tls/ssl-config-generator/](https://mozilla.github.io/server-side-tls/ssl-config-generator/)

[https://cipherli.st/](https://cipherli.st/)

