Hi there.
I have been motivated by a new colleague to enable Forward Secrecy for WoTW WWW server. I did it. I have also tested the website on the Qualys SSL Labs website. Here are the results.
As you can see I got quite high scores. I failed only because the SSL certificate was not trusted. I cannot get another certificate for the no-ip domain simply because I do not own the no-ip domain but only a subdomain. Plus, in the times of Snowden’s revelations, who really trusts Certificate Authorities when governments can force any CA to give up their master keys or to create a valid certificate so they can snoop on SSL connections to “test” something… Also I decided (some time ago) to disable all protocols but TLSv1.2. The SSL Labs test results say that this site will fail with many clients / browsers because of that… To this I say: update / fix your browsers, people. I don’t care for browsers that cannot work with the latest / greatest crypto. I don’t have to be compatible with older browsers. I would rather force people to use the latest / most secure protocols / browsers that work with them than allow compatibility between older browsers and my server by lowering the crypto standards for my server.
Unfortunately I noticed that Firefox has a problem with TLSv1.2, and since it’s my browser of choice I investigated it. Here is the fix:
a) open browser
b) paste this into the address bar:
about:config?filter=security.tls.version.max
c) find variable
security.tls.version.max
d) double click on it
e) change its default value to:
3
f) close and re-open browser
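The same change can be made without clicking through about:config, because Firefox reads a `user.js` file in the profile directory and applies every `user_pref("name", value);` line it finds. The script below is an added example, not part of the original post: it parses that format, rewrites `security.tls.version.max` to 3 (the value the post sets, which Firefox uses for TLS 1.2) and, going one step further than the post, also raises `security.tls.version.min` to 3 so the browser refuses the older protocol versions the post argues against. The sample `user.js` content is constructed for the example and is not from any real profile.

```python
import re

# Firefox's user.js / prefs.js format: one pref per line,
#   user_pref("pref.name", value);
# where value is an integer, true/false, or a double-quoted string.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Firefox's integer encoding for security.tls.version.{min,max}:
# 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2 (the value the post sets).
TLS12 = 3


def format_value(value):
    """Render a Python value in the syntax user.js expects."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace('\\', '\\\\').replace('"', '\\"') + '"'


def parse_prefs(text):
    """Return {name: raw_value_string} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def set_pref(text, name, value):
    """Return user.js text with `name` set to `value`.

    An existing line for `name` is rewritten in place (the first occurrence
    is kept, later duplicates are dropped); otherwise a new line is appended.
    Comment lines and unrelated prefs are passed through untouched.
    """
    new_line = 'user_pref("%s", %s);' % (name, format_value(value))
    out, replaced = [], False
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop duplicate definitions of the same pref
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def enforce_tls12(text):
    """Pin both the floor and the ceiling of the TLS version range to 1.2."""
    text = set_pref(text, "security.tls.version.min", TLS12)
    return set_pref(text, "security.tls.version.max", TLS12)


# Constructed sample user.js for the example (not a real profile):
# the homepage line must survive unchanged, the old max value must be replaced.
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("security.tls.version.max", 1);
'''

if __name__ == "__main__":
    # In practice: read <profile>/user.js, pass it through enforce_tls12,
    # write it back, then restart Firefox (step f above).
    print(enforce_tls12(SAMPLE))
```

Firefox re-applies `user.js` on every start, so a value set this way also survives the browser resetting the pref, which is the reason to prefer it over about:config when you manage more than one machine.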
There – fixed. Mozilla finally got their act together – upgrade your browser to version 27 (or newer). There… now your Firefox can work with the latest TLS version…
For those that want to know more, here is the link. For those that will be complaining about compatibility with older websites I say this – IF the server does not provide TLSv1.2 then why bother providing https at all? Those servers are outdated and/or badly configured. Neither of these is good for security.
And another thing… Bank of Ireland had weaker scores than my site and provides no Forward Secrecy…
Of course they got A grade. Their cert is valid.
Cheers.
Andrzej