kanban #5530
closedSSL with Perfect Forward Encryption
0%
Description
Has the use of Perfect Forward Encryption [1] for the SSL connections been considered?
If yes, what argument stood in opposition to it?
If no, I would like to put forward the motion to consider this mechanism and - if adopted - consider options to promote it.
[1] http://blogs.computerworld.com/encryption/22366/can-nsa-see-through-encrypted-web-pages-maybe-so
Updated by tengu about 11 years ago
Hello,
good point indeed. I spent some times on my own server regarding the Forward SSL stuff on Nginx. Here's what I have working now:
ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_certificate PATH/TO/CERT; ssl_certificate_key PATH/TO/KEY; ssl_protocols SSLv3 TLSv1.2 TLSv1.1 TLSv1; ssl_prefer_server_ciphers on; # enable forward-secrecy, mitigate BEAST ssl_ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES256-SHA256:AES128-SHA256:AES128-SHA:HIGH:!MD5:!aNULL:!EDH;
With this "simple" setup, I have some good grade on SSL configuration: https://www.ssllabs.com/ssltest/analyze.html?d=www.swisstengu.ch
Hope this helps the AG-DI to implement this (alongside with HSTS1 if not already done ;) )
Cheers,
C.
[1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - in nginx:
server { listen 443 ssl; … add_header Strict-Transport-Security "max-age=31536000"; }
Updated by oschad about 11 years ago
- Tracker changed from Motion to kanban
- Status changed from New to k_backlog
Updated by jowi almost 11 years ago
Updated by jowi over 9 years ago
dhparam muss gesetzt werden (Logjam). Evt ist dazu ein Update von nginx nötig. Bei dieser Gelegenheit könnte auch gleich SPDY aktiviert werden.
Ciphers ohne FS sollten deaktiviert werden (deprectaed in TLS 1.3 draft)