Light Blue Touchpaper now supports TLS, so as to protect passwords and authentication cookies from eavesdropping. TLS support is provided by the Pound load-balancer, because Varnish (our reverse-proxy cache) does not support TLS.
The configuration is intended to be a reasonable trade-off between security and usability, and gets an A– on the Qualys SSL report. The cipher suite list is based on the very helpful Qualys Security Labs recommendations and Apache header re-writing sets the HttpOnly and Secure cookie flags to resist cookie hijacking.
As always, we might have missed something, so if you notice problems such as incompatibilities with certain browsers, then please let us know on <lbt-admin
So is Wikipedia, so please use it when linking there!
You’re quite right (now fixed).
Have you considered also implimenting HSTS (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)?
Good idea. Now done (with a 1 week expiry time).
Good improvements, but could you also consider allowing comments on all articles? Turning them off when you advertise a GCHQ-sponsored PhD position sends the wrong signal.
As you’ve noticed, they’re back on. It turns out to be a usability problem – the new WordPress authoring UI buried the “enabled comments” button.
I just ran the Qualys report and you only get a C on the report. My ISP (Virgin) gets a C too. and there has been quite some argument on their forums about SSL3 . I can’t get their fix to work in Google Chrome (running it with–ssl-version-min=tls1) it was only 3 days ago, and I posted in the forums that people would have to patient whilst the problem is analysed and then fixed. The article is here.
Hope this is of some use.
That’s this site, btw.
Pound has finally shipped a production quality version (2.7) which includes a command to disable SSLv3 (which addresses “Poodle”) … so that puts us back up to a B
Qualys now deprecates RC4 which caps the score at B. Disabling that, as I have now done, brings us to an A (huzzah!)
However, the site can no longer be accessed by Windows XP users running IE6 or IE8 (but they have other problems besides not being able to visit here!) and goodbye also to Java6 clients because they cannot handle Diffie-Hellman parameters > 1024 bits.