Google remove secure mark from SSL enabled websites - Page 2
Comments

  • I find that using @raymii config works out of box on my Debian 8 servers. But not working on my Ubuntu 12.04

  • JohnMiller92 Member
    edited August 2018

    jsg said: Not really. You also need to configure anything TLS based properly, e.g. to not accept SSL and to only use a reasonable set of algorithms. But that's largely specific for each server software so you'll have to search for something like "configure TLS 1.2 for [your server, e.g. nginx]".

    @jsg, since you seem well versed in this. I have a question if u don't mind

    Will using cloudflare and having a redirect rule (all http to https) be enough? For example, I don't have any SSL setup with nginx for my forum, and will just use cloudflare's stuff.

    Bit confused on your "to not accept SSL and to only use a reasonable set of algorithms" part. What algorithms do you mean exactly? Or am I overthinking this

  • jsg Member, Resident Benchmarker

    @jcaleb said:
    I find that using @raymii config works out of box on my Debian 8 servers. But not working on my Ubuntu 12.04

    Maybe a misunderstanding, but from what I see you use that stuff on your desktop to create a config for the server.

    Regarding the tools suggested by @seanho and @Raymii, particularly the Mozilla page, I think that's a good starting point for many. There are however still a lot of caveats and things one should think about. SHA-2 256 is an example and so are certain NIST propagated curves which you do not need for most sites unless you are doing business with a certain clientele.

  • I am using it on my websites. Some VPS I have are using 12.04 because I bought them many years ago. But the more recent website uses Debian 8. I have less pain in Debian 8

  • jsg Member, Resident Benchmarker
    edited August 2018

    @JohnMiller92 said:
    @jsg, since you seem well versed in this. I have a question if u don't mind

    Will using cloudflare and having a redirect rule (all http to https) be enough? For example, I don't have any SSL setup with nginx for my forum, and will just use cloudflare's stuff.

    Bit confused on your "to not accept SSL and to only use a reasonable set of algorithms" part. What algorithms do you mean exactly? Or am I overthinking this

    Re. %$"§Flare I guess your approach is right (I can only guess because I never used them nor will I ever).

    Re. your other question: Keep in mind that TLS is but renamed new SSL versions. So saying that one should not accept SSL is just another way of saying that one should not use OLD SSL/TLS versions but at the very minimum TLS 1.1. Somewhat similarly one should use and accept only relatively modern crypto algorithms; a good (and a bit exaggerated for clarity) example is to avoid MD5 hashes and to use SSH-2 384+ or SHA-3.

    A bit extra explanation as still many seem not to know that: SSL/TLS has diverse crypto algorithms available on both the server and the client side. Which ones are actually used is negotiated between the two at the beginning. Each side can exclude certain algorithms, maybe because they are considered too old and/or weak or maybe because they are considered too expensive (in terms of computing); A major server for example with non-critical content (say a big cooking community) but tens of thousands of connected clients in the evening will probably not want to waste valuable resources on high-grade key exchange and encryption and such make the server considerably slower.

    Basically it works like this: both the server and the client "offer" a set of crypto algos and SSL/TLS versions, they are ready and willing to use. And then they use some that they both have in common.

    As your site goes through %$"§Flare that seems to not concern you and it might be assumed that they have reasonable selections and parameters in place. Maybe (Again: I do not KNOW that and can only speculate. Check with them!) %$"§Flare even offers an interface for customers to have some power over e.g. min. TLS version.
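    The offer-and-pick negotiation described above, as an added illustration (not code from this thread or from any TLS library): each side declares the protocol versions and cipher suites it is willing to use, the handshake settles on the newest common version and the server's first preferred suite the client also offers, and a server that still accepts old versions and weak suites is exactly what lets an old client end up on them. All endpoint names and offer lists are constructed for the example.

```python
"""Toy model of SSL/TLS version and cipher negotiation (added example).

Each Offer is what one endpoint is ready and willing to use. negotiate()
mimics the handshake outcome: newest protocol version both sides accept,
then the first suite in the SERVER's preference order that the client
also offers (servers normally get the final say on cipher order).
"""
from __future__ import annotations

from dataclasses import dataclass

# Protocol versions in age order; a higher index is newer. TLS is the renamed
# continuation of SSL, so both families sit in one ordered list.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


@dataclass
class Offer:
    name: str
    versions: list[str]   # protocol versions this endpoint accepts
    ciphers: list[str]    # cipher suites, in this endpoint's preference order


class HandshakeFailure(Exception):
    """Raised when the two offers have no version or no suite in common."""


def negotiate(client: Offer, server: Offer) -> tuple[str, str]:
    """Return (version, cipher) the two sides would settle on, or fail."""
    common = [v for v in VERSIONS if v in client.versions and v in server.versions]
    if not common:
        raise HandshakeFailure(f"{client.name} and {server.name} share no protocol version")
    version = common[-1]  # newest version both accept
    for cipher in server.ciphers:  # server preference wins
        if cipher in client.ciphers:
            return version, cipher
    raise HandshakeFailure(f"{client.name} and {server.name} share no cipher suite")


# Constructed clients: a current browser and an old, never-updated client.
MODERN_CLIENT = Offer("modern-browser", ["TLSv1.1", "TLSv1.2"],
                      ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"])
LEGACY_CLIENT = Offer("legacy-client", ["SSLv3", "TLSv1.0"],
                      ["RC4-MD5", "DES-CBC3-SHA"])

# "Accept everything" server: old clients keep working, but nothing in the
# handshake stops them from landing on TLSv1.0 with a legacy suite.
PERMISSIVE_SERVER = Offer("permissive-server", VERSIONS,
                          ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-MD5"])

# Hardened server in the spirit of the thread: a modern version floor and
# only modern suites, so a weak client gets a refusal instead of a downgrade.
HARDENED_SERVER = Offer("hardened-server", ["TLSv1.2"],
                        ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"])


def compare_policies() -> dict[tuple[str, str], tuple[str, str]]:
    """Run each client against both servers; map (client, server) -> outcome."""
    results = {}
    for client in (MODERN_CLIENT, LEGACY_CLIENT):
        for server in (PERMISSIVE_SERVER, HARDENED_SERVER):
            try:
                results[(client.name, server.name)] = negotiate(client, server)
            except HandshakeFailure as exc:
                results[(client.name, server.name)] = ("FAILED", str(exc))
    return results


if __name__ == "__main__":
    for (client, server), outcome in compare_policies().items():
        print(f"{client:15s} -> {server:18s}: {outcome}")
```

    Two things the output makes visible: the server's preference order decides the suite when several are in common (the modern browser lists AES-GCM first but ends up on ChaCha20 against the hardened server), and a permissive server silently negotiates TLSv1.0 with 3DES for the legacy client, which a hardened policy turns into a plain handshake failure. The policy belongs on whichever endpoint actually terminates TLS; where a CDN terminates TLS in front of an origin, the CDN-to-origin hop is a separate connection with its own settings (or none at all, if the origin speaks only plain HTTP), so a redirect rule on the CDN says nothing about that second hop.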

  • angstrom Moderator

    @jcaleb said:
    I am using it on my websites. Some VPS I have are using 12.04 because I bought them many years ago. But the more recent website uses Debian 8. I have less pain in Debian 8

    Maybe time to upgrade 12.04 to 14.04? (12.04 is EOL.)

  • angstrom said: Maybe time to upgrade 12.04 to 14.04? (12.04 is EOL.)

    true, but seems risky. maybe just transfer my site to a new vps running debian

  • jsg Member, Resident Benchmarker
    edited August 2018

    @jcaleb said:

    angstrom said: Maybe time to upgrade 12.04 to 14.04? (12.04 is EOL.)

    true, but seems risky. maybe just transfer my site to a new vps running debian

    You should listen to @angstroem. Keep in mind that it's virtually always the -implementation- and not the algorithm that's vulnerable and gets broken.

    Translation: You should definitely absolutely use an OS that (still) has updates and patches available!

    Plus you have the advantage anyway that Ubuntu and Debian are similar enough that the transfer to a new (current Debian) VPS should be relatively painless. So DO IT!

  • Wow, great news from Google. Many SSL providers will be happy. :3
