HTTPS + Let's Encrypt
Google I/O 2014: HTTPS Everywhere
„Data delivered over an unencrypted channel is insecure, untrustworthy, and trivially intercepted. We must protect the security, privacy, and integrity of our users' data. In this session we will take a hands-on tour of how to make your websites secure by default: the required technology, configuration and performance best practices, how to migrate your sites to HTTPS and make them user and search friendly, and more. Your users will thank you.“
https://www.youtube.com/watch?v=cBhZ6S0PFCY
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_and_Cipher_Configuration
SSL 1
SSL 2
SSL 3
SSL 3.1 = TLS 1.0
TLS 1.1
TLS 1.2
Encryption
Identity verification
HTTP(S)
<script src="//connect.facebook.net/de_DE/all.js" async></script>
http://www.webpagetest.org/result/130616_3E_A0H/1/details/
https://istlsfastyet.com/
Load times
Content Security Policy (CSP)
# Apache
Header set Content-Security-Policy "default-src https:"
# Nginx
add_header Content-Security-Policy "default-src https:";
https://www.owasp.org/index.php/Content_Security_Policy
https://scotthelme.co.uk/csp-cheat-sheet/
HTTP Strict Transport Security (HSTS)
# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Local development environment
http://dev.walterebert.de/ -> https://dev.walterebert.de/
HSTS
# Apache
Header always set Strict-Transport-Security "max-age=31536000"
# Nginx
add_header Strict-Transport-Security "max-age=31536000";
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Excessively_Strict_STS
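The CSP header, the HSTS header and the includeSubDomains question raised by the Excessively Strict STS slide can be checked mechanically. The following is an added example, not code from the slides: it audits header values passed in by hand, and `parse_hsts`, `csp_default_src`, `audit` and the `all_subdomains_https` flag are this example's own names.

```python
# Added example (not from the slides): audit the HSTS and CSP response headers
# the slides configure for Apache/Nginx. Header values are passed in by hand.
ONE_YEAR = 31536000  # the max-age used in the slides' HSTS examples

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    parsed = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError("HSTS max-age must be a non-negative integer")
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    if parsed["max_age"] is None:
        raise ValueError("HSTS max-age directive is required")
    return parsed

def csp_default_src(value):
    """Return the default-src source list of a CSP header ([] if absent)."""
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "default-src":
            return tokens[1:]
    return []

def audit(headers, all_subdomains_https):
    """Findings for one response. all_subdomains_https says whether every
    subdomain (dev., www., ...) serves HTTPS; if not, includeSubDomains is excessive."""
    findings = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if parsed["include_subdomains"] and not all_subdomains_https:
            findings.append("includeSubDomains set but not every subdomain serves HTTPS")
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("CSP header missing")
    elif "https:" not in csp_default_src(csp):
        findings.append("CSP default-src does not restrict loads to https:")
    return findings
```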
Server Name Indication (SNI)
Multiple domains under one IP address
https://de.wikipedia.org/wiki/Server_Name_Indication
https://www.ssllabs.com/ssltest/analyze.html?d=walterebert.de&hideResults=on
Android 2.3
Internet Explorer on Windows XP
Web services
RSS readers
Web crawlers
Monitoring
…
PHP < 5.3.2
Python 2
Java 6
Not just browsers
https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniinga
Configuration
How to Deploy HTTPS Correctly
https://www.eff.org/https-everywhere/deploying-https
SSL/TLS Deployment Best Practices
https://www.ssllabs.com/projects/best-practices/
Richtig verschlüsseln mit SSL/TLS
https://www.owasp.org/images/1/19/Richtig_verschluesseln_mit_SSL%2BTLS_-_Achim_Hoffmann%2BTorsten_Gigler.pdf
HTTP/2 implementations
https://github.com/http2/http2-spec/wiki/Implementations
diff --git a/.htaccess b/.htaccess
index 974999a..f4024c6 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,7 +3,7 @@
#
# Protect files and directories from prying eyes.
-<FilesMatch ".(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|
tpl(.php)?|xtmpl|yml)(~|.sw[op]|.bak|.orig|.save)?$|^(..*|Entries.*|
Repository|Root|Tag|Template|composer.(json|lock))$|
^#.*#$|.php(~|.sw[op]|.bak|.orig|.save)$">
+<FilesMatch ".(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|
tpl(.php)?|xtmpl|yml)(~|.sw[op]|.bak|.orig|.save)?$|^(.(?!well-known).*|
Entries.*|Repository|Root|Tag|Template|composer.(json|lock))$|
^#.*#$|.php(~|.sw[op]|.bak|.orig|.save)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
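Review bot: the negative lookahead added in the second alternation branch, `^(.(?!well-known).*|`, exempts every hidden name that merely starts with `well-known`, not only `.well-known` itself, so a leftover `.well-known.bak` or `.well-known-old` would also stop being denied; anchoring it as `(?!well-known$)` keeps the exception to the single directory the Let's Encrypt validation needs. The FilesMatch also carries no hint of why the exception exists; a one-line comment naming the `.well-known` use case would save the next maintainer from "tidying" it away.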
@@ -93,7 +93,7 @@ AddEncoding gzip svgz
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
- RewriteRule "(^|/)." - [F]
+ RewriteRule "(^|/).(?!well-known)" - [F]
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
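Review bot: `RewriteRule "(^|/).(?!well-known)" - [F]` has the same loosely anchored lookahead as the first hunk, so any path segment beginning with `.well-known` passes the dotfile block; `(?!well-known(/|$))` limits the exception to the directory itself and its contents. As rendered here the dot after `(^|/)` is unescaped and would match any character, turning the rule into a blanket 403 for nearly every request; confirm the committed line uses `\.` (the backslash may have been lost in extraction), and add a comment above the rule recording that the exception is for the `.well-known` path.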
https://www.drupal.org/node/2408321
$ ls -l /etc/letsencrypt/
total 24
drwx------ 3 root root 4096 Jan 8 12:23 accounts
drwx------ 5 root root 4096 Feb 4 15:14 archive
drwxr-xr-x 2 root root 4096 Feb 4 14:36 csr
drwx------ 2 root root 4096 Feb 4 14:36 keys
drwx------ 6 root root 4096 Feb 4 15:14 live
drwxr-xr-x 2 root root 4096 Feb 4 14:36 renewal
$ sudo ls -l /etc/letsencrypt/live/walterebert.de
total 0
lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert.pem -> ../../archive/walterebert.de/cert1.pem
lrwxrwxrwx 1 root root 38 Feb 4 14:59 cert1.pem -> ../../archive/walterebert.de/cert1.pem
lrwxrwxrwx 1 root root 39 Feb 4 14:59 chain.pem -> ../../archive/walterebert.de/chain1.pem
lrwxrwxrwx 1 root root 43 Feb 4 14:59 fullchain.pem -> ../../archive/walterebert.de/fullchain1.pem
lrwxrwxrwx 1 root root 41 Feb 4 15:00 privkey.pem -> ../../archive/walterebert.de/privkey1.pem
Testing
SSL Server Test (Qualys SSL Labs)
https://www.ssllabs.com/ssltest/
SSLyze
https://github.com/nabla-c0d3/sslyze
O-Saft (OWASP)
https://www.owasp.org/index.php/O-Saft
walter.ebert.engineering
@wltrd
walterebert.de
slideshare.net/walterebert
