Everything posted by rugk

  1. See also: It is planned that the feature will be included in Nextcloud 13.
  2. All others have an insecure configuration, but this only includes sites which support SSL/TLS somehow.
  3. Here are some stats about LE:
  4. Marketing? I mean, they provided no sources... But it seems they measured websites, whereas LE measures page loads, which shows a somewhat more realistic scenario, as I assume there are millions of unused or tiny websites which do not get any visitors at all.
  5. Which is completely wrong, as Let's Encrypt shows based on Mozilla Telemetry (for page loads here). Also wrong. Let's Encrypt is the first CA, and if you want to count StartCom as a "large CA", StartSSL is the first. Let's Encrypt itself is already among the largest CAs. (I cannot find a source right now, though...) But maybe they meant "traditional CAs" or something like this. BTW: It is also stupid of Symantec that they charge for ECC certs. Regarding the CertSimple post: This is completely unrelated to HTTPS, so I don't understand what they want to suggest there. Additionally, are CSP and XSS the same in this context? Maybe they rather meant CSP and HPKP warnings... (which would at least be somehow related to HTTPS, but would still not make sense for a CA)
  6. Okay, but at least you should be able to add some HTTP headers. In the worst case, things like CSP headers can also be embedded into the HTML pages...
  7. A website with security-aware topics should really be a good example. In your case it is only good, but it does not use security features which it should use, or which it might use as a site about encryption. So the SSL config is okay, but there are a few things to mention: You're missing the HSTS header. When you add it you'll get an A+ on SSLLabs. You're sending the root cert, which is unnecessary. You're not sending an intermediate certificate, which is necessary. Currently this can cause connection failures. OCSP stapling would be a nice thing to add. Additionally, you should really add some security headers, and please consider using HPKP and CSP.
  8. The latest nginx version, 1.11.0, now also supports hybrid RSA/ECDSA certificates. ECDSA certificates are the fast and secure successor of RSA certificates, but only recent clients (aka browsers) currently support them.
  9. Nice. More shared hosting providers which support HTTPS via Let's Encrypt here:
  10. Now he does not want to show more proofs:
  11. Another encrypted messenger is Threema: Their special thing is that they try to minimize metadata and their servers are all in Switzerland. Here is a comparison to WhatsApp:
  12. BTW, the current state is: The FBI could crack the particular iPhone version without the help of Apple. They seem to have used an exploit specific to this device & iOS version. They probably bought it from some hackers. And they now help other agencies to break into other iPhones.
  13. What is SMTP STS? How Does It Improve Email Security for STARTTLS?
  14. There is a new IETF draft for adding the well-known HSTS (HTTP Strict Transport Security) to SMTP too. Although the name is similar, it still works in a different way.
  15. Hmm, their site has no proper TLS config. That has already failed...
  16. Could you provide a source for such news, please?
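An added example that ties together posts 7 and 8 above: an nginx (1.11.0 or later) server block that sends HSTS and other security headers, serves the leaf plus intermediate without the root, enables OCSP stapling, and offers a hybrid RSA/ECDSA certificate pair. This is not rugk's configuration and not taken from the nginx documentation; the hostname example.com, the certificate paths and the resolver address are placeholders to adapt. HPKP, which post 7 suggests, is left out here because browsers have since removed support for it.

```nginx
# Added example, not from the original posts. All names and paths are placeholders.
server {
    listen 443 ssl http2;
    server_name example.com;

    # Hybrid RSA/ECDSA (post 8): since nginx 1.11.0 ssl_certificate may be given twice.
    # nginx offers the ECDSA chain to clients whose cipher list supports it and
    # falls back to the RSA chain for older clients.
    # Each "fullchain" file holds the leaf followed by the intermediate ONLY (post 7):
    # the intermediate is required for clients to build a path, the root is not and
    # only costs bytes on every handshake.
    ssl_certificate     /etc/ssl/example.com/ecdsa.fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/ecdsa.key;
    ssl_certificate     /etc/ssl/example.com/rsa.fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/rsa.key;

    ssl_protocols TLSv1.2;          # add TLSv1.3 on nginx/OpenSSL builds that support it
    ssl_prefer_server_ciphers on;
    # Both ECDSA and RSA suites must be listed, otherwise one of the two chains is never selectable.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:TLS:10m;
    ssl_session_tickets off;

    # OCSP stapling (post 7). The root belongs HERE, not in the served chain:
    # ssl_trusted_certificate is only used by nginx to verify the stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/intermediate-plus-root.pem;
    resolver 127.0.0.53 valid=300s;   # placeholder: a local resolver for the OCSP responder lookup
    resolver_timeout 5s;

    # Security headers (post 7). "always" makes nginx add them on error responses too.
    # Caveat: add_header is not inherited into a location block that has its own
    # add_header lines, so repeat these there if you add any.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer" always;

    root /var/www/example.com;       # placeholder document root
}

# Plain-HTTP listener exists only to redirect; HSTS is then learned on the first HTTPS visit.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

To check the result from the outside, `openssl s_client -connect example.com:443 -status -showcerts` should print a stapled OCSP response and a two-certificate chain (leaf and intermediate, no self-signed root at the end); running it again with `-cipher ECDHE-ECDSA-AES128-GCM-SHA256` should return the ECDSA leaf, and `curl -sI https://example.com` should show the Strict-Transport-Security line. Only add `preload` to the HSTS value once every subdomain really serves HTTPS, since inclusion in the browser preload lists is hard to undo.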