https://www.ssllabs.com/ssltest/analyze.html?d=www.luv.asn.au&s=46.4.124.163

Based on the above (and some other reading) I made some changes to the LUV 
configuration.

SSLProtocol all -SSLv3 -TLSv1

I used the above to remove support for TLSv1.  That prevents Android versions 
below 4.3 from connecting as well as ancient versions of IE on Windows.  I'm 
pretty sure that every Windows system that still has MS support can run a 
browser that supports TLS version 1.1.  As for the tiny minority of devices 
running Android 4.3 and earlier, that's going to be a problem for them if they 
aren't using Chrome.

I believe that the main purpose of LUV is education.  If someone has a problem 
with a LUV web site then they can talk to us and get some help with that.  
While if they encounter the same issue on some corporate site they probably 
won't.

# from https://mozilla.github.io/server-side-tls/ssl-config-generator/
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
  Header always set Strict-Transport-Security "max-age=15768000"

I've had the above in the LUV configuration for some time.  That means that 
browsers will cache the fact that they should use HTTPS so if you manually 
type in a URL the browser will use HTTPS instead.

        IN      CAA     0 issue "letsencrypt.org"
        IN      CAA     0 issuewild ";"
        IN      CAA     0 iodef "mailto:[email protected]";

I've also added the above DNS entries to lock the luv.asn.au domain to only 
certificates from letsencrypt.org.  I don't think that this is going to give 
us a significant benefit as letsencrypt gives out certificates based on 
connecting to the name in question.  So the task of fooling letsencrypt is 
probably easier than fooling a regular HTTP session.  This also means that the 
Strict-Transport-Security also probably provides minimal benefit.  Also the 
LUV web site doesn't need a lot of security, we aren't going online banking or 
anything.

But again we are about education, so if LUV doing this helps others learn 
about configuration options and promote them for other organisations with 
greater security needs then that's a good thing.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

_______________________________________________
luv-main mailing list
[email protected]
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main
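The CAA records quoted in the post can be checked the way a CA must evaluate them before issuing (RFC 8659). This is an added Python example, not code from the original post or from LUV; the zone excerpt, the contact address and the CA names it is tested against are constructed.

```python
"""Evaluate a CAA policy the way a CA must before issuing (RFC 8659)."""
import re

# Constructed zone-file excerpt mirroring the three records in the post
# (the iodef address is a placeholder, not the real contact).
CAA_ZONE = """
IN CAA 0 issue "letsencrypt.org"
IN CAA 0 issuewild ";"
IN CAA 0 iodef "mailto:caa-reports@example.invalid"
"""

# flags, property tag, quoted value
_REC = re.compile(r'CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"')


def parse_caa(zone_text: str) -> list[tuple[int, str, str]]:
    """Return (flags, tag, value) for each CAA record found in the text."""
    return [(int(f), t.lower(), v) for f, t, v in _REC.findall(zone_text)]


def ca_allowed(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether ca_domain may issue a certificate for this name.

    RFC 8659 rules: a wildcard request is governed by issuewild when any
    issuewild record exists, otherwise by issue; an empty issuer (";")
    forbids issuance; if no issue/issuewild record exists, any CA may issue.
    """
    tags = {t for _, t, _ in records}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    relevant = [v for _, t, v in records if t == tag]
    if not relevant:
        return True  # policy is silent for this request type
    for value in relevant:
        issuer = value.split(";", 1)[0].strip()  # drop key=value parameters
        if issuer and issuer.lower() == ca_domain.lower():
            return True
    return False


def iodef_contacts(records) -> list[str]:
    """Addresses a CA should notify about a request that violates policy."""
    return [v for _, t, v in records if t == "iodef"]


if __name__ == "__main__":
    recs = parse_caa(CAA_ZONE)
    print("letsencrypt.org, normal cert:", ca_allowed(recs, "letsencrypt.org"))
    print("letsencrypt.org, wildcard   :", ca_allowed(recs, "letsencrypt.org", True))
    print("report violations to        :", iodef_contacts(recs))
```

Running it confirms the policy described in the post: Let's Encrypt may issue ordinary certificates, nobody may issue wildcards, and any other CA is refused.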