Before I start, I have cheap SSL (my blog) which may or may not be compromised to the NSA, of which the SSL provider says 'no'.* So much of what follows may be pointless. The Qualys test on first install gave me a B several months ago; some work got me to an A, and additional work months later got extra high scores in 'failing' areas.
Early issues I had were with TLS-RSA-WITH-RC4-128-SHA.**
Leading to a natural RC4 NOT DESIRABLE, so it's not all bad, as BEAST is mitigated with TLS. But it's a vague field, and while we all hear of perfect configs, finding out how is a bit of a headache inducer. Like I say, I got an A, but the config lines in SSL are not 100% my thing. I am sure there is a way and I would like to have it.
I will nail it one day. After Heartbleed patching I got an A+, which I like, but you might think it is grade inflation for doing nothing I did not have before.
SSL configuration is near voodoo; while I get good cipher strength, getting a perfect 100% over four areas appears impossible, for if you disable one part that reflects upon others, which is a conundrum. I need a newer Apache version as well for some of those, so it seems a compile is in order for FIPS and OCSP, assuming that is no compromise and the certificate in use can do stuff. I use fail2ban (my blog), and it appears that, while not a configuration means, it might solve some of the possible issues like the BEAST and RC4 issues.
I see that others have issues too; an example is the extended certificates on WordPress, which look good**** but report as 50% of the cert strength. See
Security might be great, but how it is configured might mean that costly thing is not really doing much except security theater.
Proprietary also gets in on the act with SPDY***, so the perfect config will be apples and oranges to another's banana smoothie (my blog).
So does SSL mean security? Yes – well, there is SSL and there are SSL configs, and that is an area where SSL means maybe it is and maybe it is not. Your experience might vary, and as Internet Explorer**** is not being catered to with my Chrome/Firefox bias, that might mean no security at all for some.
It's a rabbit hole, this one. Buying expensive SSL certs is no measure of security when the config it runs on gets an F.
I need SSL reconfigured and compiled to get OCSP and other features working; PFS seems to be a thing for the few who actually figured out what to do. I am assuming I am missing DNS records, but that is a guess. I cannot disable TLS 1.0 even though it's thought to be compromised, so perfect security is hard to achieve.
Then when you have a good config, heartbeat (not my blog) comes along (test) and the fun begins again.
It is interesting, although we all get the probers seeking the holes.
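As an added illustration of the two complaints above (RC4 still being offered, and not knowing which suites actually give forward secrecy or whether old protocol versions are still on), here is a small offline reviewer for Apache mod_ssl directives. It is example code written for this page, not the blog's own config or any real scanner. The two config snippets are constructed; the directive names are real mod_ssl ones, but the evaluation of OpenSSL cipher keywords such as HIGH is deliberately not attempted, since resolving those correctly needs `openssl ciphers -v` on the server's own OpenSSL build.

```python
"""Offline review of Apache mod_ssl protocol and cipher directives.

Added example, not from the blog. It reads a constructed httpd-style
snippet and reports the weaknesses the post talks about: RC4 enabled,
suites without forward secrecy, and SSLv3/TLS 1.0/1.1 left on.
Suites are judged by their OpenSSL name only; keywords such as HIGH
or DEFAULT are reported as unexpanded rather than guessed at.
"""
import re

# Constructed configs: the first is the kind of thing that scores badly,
# the second is the same server with the weak parts removed.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all
SSLHonorCipherOrder off
SSLCipherSuite AES128-SHA:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256
"""

HARDENED_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What 'all' means on an Apache 2.4 build without TLS 1.3 (assumption for
# this example; SSLv2 is never part of 'all').
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CIPHER_KEYWORDS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}
# Name fragments that mark a suite as not acceptable, with the reason.
WEAK_FRAGMENTS = {
    "RC4": "RC4 (biased keystream)",
    "3DES": "3DES (64-bit block, Sweet32)",
    "DES-CBC3": "3DES (64-bit block, Sweet32)",
    "NULL": "no encryption or no authentication",
    "EXP": "export-grade key size",
    "MD5": "MD5 MAC",
}


def parse_directives(text):
    """Map mod_ssl directive name -> argument tokens; last occurrence wins."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(SSL\w+)\s+(.+)$", line)
        if m:
            out[m.group(1)] = m.group(2).split()
    return out


def enabled_protocols(tokens):
    """Evaluate SSLProtocol's 'all' / '+X' / '-X' grammar into the enabled set."""
    enabled = set()
    for tok in tokens:
        if tok.lower() == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def has_forward_secrecy(suite):
    """Ephemeral (EC)DH key exchange is what gives PFS in TLS 1.0 to 1.2."""
    return suite.startswith(("ECDHE-", "DHE-", "EDH-", "EECDH-"))


def review(config_text):
    """Return a sorted list of finding strings for one mod_ssl config."""
    d = parse_directives(config_text)
    findings = []
    for proto in sorted(enabled_protocols(d.get("SSLProtocol", ["all"])) & LEGACY_PROTOCOLS):
        findings.append(f"protocol {proto} enabled")
    if d.get("SSLHonorCipherOrder", ["off"])[0].lower() != "on":
        findings.append("SSLHonorCipherOrder off: client picks the suite")
    for suite in d.get("SSLCipherSuite", ["DEFAULT"])[0].split(":"):
        if suite.startswith("!"):
            continue  # explicit exclusion enables nothing
        if suite.upper() in CIPHER_KEYWORDS:
            findings.append(f"keyword {suite} not expanded; run openssl ciphers -v")
            continue
        for frag, why in WEAK_FRAGMENTS.items():
            if frag in suite.upper():
                findings.append(f"{suite}: {why}")
                break
        if not has_forward_secrecy(suite):
            findings.append(f"{suite}: no forward secrecy")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in review(cfg) or ["no findings"]:
            print("  -", finding)
```

Running it prints nine findings for the weak snippet (three legacy protocol versions, the cipher order left to the client, RC4 and 3DES flagged, and three suites without forward secrecy) and nothing for the hardened one. The point it makes about the post's "disable one part and it reflects on others" problem is that protocol version, cipher order and suite choice are scored separately, so a change in one directive can move the grade in a different category than the one you were aiming at.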
* being patriots, or targeted data collection with or without others' knowledge.
** something which Microsoft seems guilty of liking.
*** e.g. Google; I tried SPDY and had no success with SSL until I removed SPDY from the web server. Chrome [open source] I liked.
****
Bob Parsons who shot an elephant in Zimbabwe
I am sure Bob Parsons (my blog) would willingly give the master password and oral sex to the NSA; after all, he is a 'patriot'. So the merits of using GoDaddy as a supplier seem a discussion worth having.
**** It has weakened security