Encryption.chat Hosting Improvements


rugk

A website with security-aware topics should really be a good example. In your case it is only good, but does not use security features, which it should use or which it might use as a site about encryption.

So the SSL config is okay, but there are a few things to mention:

  • You're missing the HSTS header. When you add it you'll get an A+ on SSLLabs.
  • You're sending the root cert, which is unnecessary.
  • You're not sending an intermediate certificate, which is necessary. Currently this can cause connection failures.
  • OCSP stapling would be a nice thing to add.

Additionally you should really add some security headers and please consider using HPKP and CSP.


Thank you for the feedback. For scalability the hosting for our forum is provided by Siteground, so we are unable to make server configuration changes; however, they have a good track record of introducing new features, such as HTTP/2 and SSD storage. The Comodo cert we use predates the availability of a cheaper option from Let’s Encrypt. All of our other sites are hosted by Quotes. With the hosting supplied by Quotes we were able to adjust cipher suites, add support for HTTP/2 and enable HSTS. For cipher suite selection we take our hints from Twitter’s selection, but we have a 256 cipher (0xc030) as our first preference whereas Twitter uses 128 (0xc02f). We also use NGINX, set the character set in the headers and use caching and compression. Images are optimised with Optimizely and pages are tested with W3C and GTMetrix, plus validated for Google/Bing mobile compatibility. All of our sites use HTTPS by default, but as you have highlighted, not all HTTPS installs are the same.

https://www.ssllabs.com/ssltest/analyze.html?d=twitter.com

https://www.ssllabs.com/ssltest/analyze.html?d=encryption.chat

https://www.ssllabs.com/ssltest/analyze.html?d=http2push.com


Customising headers and HTML could be straightforward, but it is often difficult to implement anything unless it is server wide. So some security updates such as CSP and PKP just aren’t practical if you are dealing with lots of domains. With forum software, WordPress, Joomla etc. the frequency of software updates makes custom installs hard work. For example, if the Invision updater detects a single file mismatch it aborts the update and you have to upload new files by hand.

X-XSS-Protection has limited browser support and few benefits. XSS in IE is already enabled, all you can really do is enforce it being on.

However "X-Content-Type-Options: nosniff" and "X-Frame-Options: sameorigin" are generally agreeable to most web site arrangements and you can set them through htaccess so they look like good candidates for adoption.

https://securityheaders.io/?q=https%3A%2F%2Fwww.http2push.com%2F
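The checks the thread keeps coming back to (HSTS with a long max-age, nosniff, X-Frame-Options, and a charset in Content-Type) can be run against any captured response headers with a few lines of Python. This is an added example, not code from the forum or from any tool mentioned above; the sample headers are constructed, and the 180-day HSTS threshold is an assumed value for what counts as a "long" max-age.

```python
# Constructed sample response headers for the demo (not captured from any real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Type": "text/html; charset=utf-8",
}
HSTS_MIN_AGE = 180 * 24 * 3600  # 180 days; assumed minimum for a "long" max-age


def parse_hsts(value):
    """Split an HSTS header value into a dict of lowercased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers):
    """Return {check_name: finding} for the headers discussed in the thread."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["hsts"] = "missing"
    else:
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit():
            findings["hsts"] = "invalid max-age"
        elif int(d["max-age"]) < HSTS_MIN_AGE:
            findings["hsts"] = "max-age too short"
        elif "includesubdomains" not in d:
            findings["hsts"] = "ok, but without includeSubDomains"
        else:
            findings["hsts"] = "ok"
    cto = h.get("x-content-type-options", "").strip().lower()
    findings["nosniff"] = "ok" if cto == "nosniff" else "missing"
    xfo = h.get("x-frame-options", "").strip().upper()
    findings["frame_options"] = "ok" if xfo in ("DENY", "SAMEORIGIN") else "missing or weak"
    ct = h.get("content-type", "").lower()
    findings["charset"] = "ok" if "charset=" in ct else "missing"
    return findings
```

Feed it the headers from a real response (for example the dict from `requests.get(url).headers`) to get the same kind of verdict securityheaders.io gives, but without sending anything to a third party.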

