[sudo-sys] TLS on the webserver
Yardena Cohen
yardenack at gmail.com
Wed Dec 25 11:46:45 PST 2013
Changes I made to the webserver:
- added a cert to lists.sudoroom.org
- enabled HSTS on all TLS domains (sudoroom.org, www, lists)
- strongly prefer forward secrecy
- disabled RC4 ciphers
- disabled SSLv3 protocol
Right now we are ONLY using TLS 1.0. Ideally we'd use 1.1 or 1.2, but
it looks like Apache in Ubuntu LTS does not support either. This will
keep us from getting a perfect score on
https://www.ssllabs.com/ssltest/analyze.html?d=sudoroom.org :)
I submitted an updated ruleset to HTTPS-Everywhere. By the way, sudo
props to "MB <kunjurcca at gmail.com>" whoever you are, for submitting us
back in April: https://github.com/EFForg/https-everywhere/commit/562cab99
It would be nice to have a TLS-only server. Right now we have the
following domains being served in cleartext. Some of them can probably
be removed or redirected to https://sudoroom.org/foo/ - thoughts?
- api.sudoroom.org
- fund.sudoroom.org
- radio.sudoroom.org
- dev.sudoroom.org
- mesh.sudoroom.org [working redirect]
- meshmap.sudoroom.org
- o.sudoroom.org [working redirect]
- science.sudoroom.org
- survey.sudoroom.org
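As an added example, not the post author's actual configuration, here is an Apache mod_ssl/mod_headers fragment that implements the five changes listed above plus the cleartext-to-TLS redirect the post describes for mesh. and o.; the hostnames come from the post, while the certificate paths, the cipher string and the redirect target are assumptions.

```apache
# Added example, not the configuration from the post. Hostnames are from the
# post; file paths, cipher string and redirect target are assumptions.
# Needs mod_ssl and mod_headers enabled (a2enmod ssl headers).

<VirtualHost *:443>
    ServerName sudoroom.org
    ServerAlias www.sudoroom.org lists.sudoroom.org

    SSLEngine on
    # Assumed paths for the cert added to lists.sudoroom.org and friends.
    SSLCertificateFile      /etc/ssl/certs/sudoroom.org.pem
    SSLCertificateKeyFile   /etc/ssl/private/sudoroom.org.key
    SSLCertificateChainFile /etc/ssl/certs/sudoroom.org-chain.pem

    # Disable SSLv3 (and SSLv2). On the Apache build the post describes,
    # only TLS 1.0 remains after this; newer builds also offer TLS 1.1/1.2.
    SSLProtocol all -SSLv2 -SSLv3

    # Strongly prefer forward secrecy: ECDHE/DHE suites first, then the
    # remaining strong suites. RC4, anonymous and NULL ciphers are removed.
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:HIGH:!aNULL:!eNULL:!MD5:!RC4

    # HSTS for one year, sent only on the TLS vhost. Do not add
    # "includeSubDomains" while api., fund., radio. and the other cleartext
    # subdomains still exist: browsers that have seen this header for
    # sudoroom.org would then refuse to load those hosts over http.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

# A cleartext vhost kept only to bounce clients to the TLS site, as the
# post reports for mesh.sudoroom.org and o.sudoroom.org.
<VirtualHost *:80>
    ServerName mesh.sudoroom.org
    # Redirect target is an assumption (the post writes it as /foo/).
    Redirect permanent / https://sudoroom.org/mesh/
</VirtualHost>
```

Apache comments must sit on their own lines, so none of the directives above carry trailing comments; after editing, `apachectl configtest` confirms the fragment parses before a reload.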