Hacker Newsnew | comments | show | ask | jobs | submit login

My recommendations would be:

1) Prioritize ECDHE-RSA-RC4-SHA. This gives you forward secrecy, is reasonably fast, and avoids the security problems with how block ciphers are integrated into TLS (see http://www.imperialviolet.org/2011/11/22/forwardsecret.html).

2) Enable HSTS headers. Not only does this protect you from SSL stripping attacks, it will often speed things up by eliminating a roundtrip (user types yoursite.com into their browser, makes an HTTP request, gets a 301 for https://yoursite.com, does a TLS handshake).

3) This article mentions Keep-Alive, but TLS Session Tickets are going to be more effective in reducing handshake overhead. Enable them, and setup a job to rotate your session ticket keys once a day.




Note to those reading Moxie's comment that if you don't enable HSTS, and do have resources that reasonably require TLS (like a login page), and you get audited by a 3rd party (like because an enterprise customer requires it), the auditor will ding you.

HSTS: Not really optional in 2013.

-----




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: