This is an expansion of my older post with feedback from users of the German news site Golem.de. This post covers some advanced topics that help you make the site even more secure.

Certificate Signing Algorithm

When choosing a CA, make sure they don’t use SHA-1 for signing. SHA-2 (i.e. SHA-256 or SHA-512) is considered good nowadays.

Permanent redirect

If you enable HTTPS, you don’t want users to still connect via plain old HTTP. To send them to the HTTPS site instead, add the Redirect line to the port-80 VirtualHost in your config file.

<VirtualHost *:80>
...
# Trailing slash matters: the rest of the requested path is appended to the target
Redirect permanent / https://www.dreami.ch/
</VirtualHost>

Ciphers

In your HTTPS VirtualHost entry, add the following lines. The first one excludes SSLv2 and SSLv3 and protects your connections from the POODLE attack. The second one sets the ciphers the server offers. Ciphers are, in short, the algorithms used for encryption and decryption. Your server and the browser have to agree on one, which makes this a bit of a compatibility issue. Mozilla has a great article on that, so DON’T choose the ones in the example here, because they may be outdated and vulnerable by now. Simply copy-paste the Modern or Intermediate compatibility ones into the SSLCipherSuite line.

The ciphers are separated by a colon (:); ciphers that must not be used are preceded by an exclamation mark. There are also group names like “EXPORT” that include or exclude a whole group of ciphers.

# Remove SSLv2 and SSLv3 to protect against POODLE
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:(...):!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
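
A small audit of the two directives above, as an added example that is not from the original post: it applies the SSLProtocol tokens in order and splits the SSLCipherSuite string on colons as described. The required-exclusion set, the weak-name markers and all function names are assumptions made for this example.

```python
import re

# Constructed sample: the two directives from the post, without the "(...)" elision.
SAMPLE = """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
"""
# Assumption: the exclusions shown in the post serve as the required set.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "DES", "RC4", "3DES", "MD5", "PSK"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5")  # substrings of weak cipher names

def directive(config, name):
    """Argument string of the last uncommented occurrence of a directive, or None."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", config, re.M | re.I)
    return hits[-1] if hits else None

def enabled_legacy_protocols(value):
    """Apply SSLProtocol tokens left to right; 'all' is treated (conservatively)
    as switching on both legacy protocols until a later '-' token removes them."""
    enabled = set()
    for token in value.split():
        name = token.lstrip("+-")
        if name.lower() == "all":
            enabled = set() if token.startswith("-") else set(LEGACY_PROTOCOLS)
        elif name in LEGACY_PROTOCOLS:
            (enabled.discard if token.startswith("-") else enabled.add)(name)
    return enabled

def audit(config):
    """Return a sorted list of findings; an empty list means both checks passed."""
    findings = []
    protocols = directive(config, "SSLProtocol")
    if protocols is None:
        findings.append("SSLProtocol not set: server default applies")
    else:
        findings += [f"protocol enabled: {p}" for p in enabled_legacy_protocols(protocols)]
    suite = directive(config, "SSLCipherSuite") or ""
    tokens = [t for t in suite.split(":") if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    findings += [f"missing exclusion: !{e}" for e in REQUIRED_EXCLUSIONS - excluded]
    for t in tokens:
        if t[0] not in "!-" and any(m in t for m in WEAK_MARKERS):
            findings.append(f"weak cipher included: {t}")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```
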