Sunday, December 3, 2017

encryption - Fixing security holes on my web server

Full disclosure: I'm largely ignorant on web security matters. I'm a self-taught webmaster, and I manage lifering.org, a WordPress site, as a volunteer for Lifering Secular Recovery. We would like to make the site HTTPS, but my attempts to bring it up always give me an error that I'm still using TLS 1.0. I know enough to know that won't do. I also know that when we renewed our security certificate, we bought a SHA-2 certificate with 256 bit encryption. Poking around, I found a site, https://www.ssllabs.com/ssltest/analyze.html, which analyzed lifering.org and gave it an F. You can see the detailed analysis by entering the domain on that site, but in summary, it said the certificate is golden, BUT the site has these failings:

  • It doesn't support forward secrecy with all browsers.
  • It accepts the RC4 cipher, but only with older protocol versions.
  • It doesn't support TLS 1.2, only older protocols (1.1 is highest supported).
  • It supports weak Diffie-Hellman key exchange parameters (logjam).
  • It supports 512 bit export suites and may be vulnerable to FREAK attacks.

I need to know how to fix these things. Is this an Apache configuration issue, or what? I'd normally ask my ISP for help, but we have a virtual server hosted by GoDaddy, which means we get zero technical support unless we pay them fees we can't (as a small nonprofit) afford. Fortunately I have enough Unix background to be able to deal with an SSH shell, but I don't know what to do, or where to do it.
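Yes, every item in that list is controlled by the Apache mod_ssl configuration (plus the OpenSSL version the server was built against). Below is an added example, not from the original post and not the asker's actual configuration, of a hardened mod_ssl VirtualHost fragment in which each directive is annotated with the SSL Labs finding it addresses. It assumes Apache 2.4.8 or later with OpenSSL 1.0.2 or later (needed for `SSLOpenSSLConfCmd`); the certificate and DH-parameter paths are placeholders.

```apache
# Added example, not the post's own configuration.
# Assumes Apache 2.4.8+ built against OpenSSL 1.0.2+. Verify before editing:
#     httpd -v            (or apache2 -v)
#     openssl version     (TLS 1.2 needs OpenSSL 1.0.1 or newer)
# Generate a 2048-bit DH group once (takes a minute or two):
#     openssl dhparam -out /etc/ssl/dhparams.pem 2048

<VirtualHost *:443>
    ServerName lifering.org
    SSLEngine on

    # Placeholder paths; point these at the SHA-2 certificate, its key and
    # the CA's intermediate chain you received when renewing.
    SSLCertificateFile      /etc/ssl/certs/lifering.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/lifering.org.key
    SSLCertificateChainFile /etc/ssl/certs/lifering.org-chain.crt

    # Finding: "doesn't support TLS 1.2" / still negotiating TLS 1.0.
    # Offer TLS 1.2 only. If very old clients must still connect, use
    # "all -SSLv2 -SSLv3" instead, which keeps TLS 1.0 and 1.1 enabled.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # Findings: RC4 accepted, 512-bit export suites (FREAK), no forward secrecy.
    # Only ECDHE/DHE AEAD suites are listed, so RC4, EXPORT, NULL and MD5
    # suites cannot be negotiated at all, and every handshake is ephemeral.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # Make the server, not the client, pick from that ordered list.
    SSLHonorCipherOrder on

    # Finding: weak Diffie-Hellman parameters (Logjam).
    # Replace the 1024-bit default group with the 2048-bit one generated above.
    # On Apache 2.4.7 (no SSLOpenSSLConfCmd) the same effect is obtained by
    # appending dhparams.pem to the end of the SSLCertificateFile.
    SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparams.pem

    # Not in the SSL Labs list, but cheap: TLS compression enables CRIME.
    SSLCompression off
</VirtualHost>
```

After saving, run `apachectl configtest` and only then `apachectl graceful`; a typo in `SSLCipherSuite` will otherwise take the site down. Re-run the SSL Labs scan afterwards. One caveat the configuration cannot fix: if `openssl version` reports 0.9.8 or 1.0.0, TLS 1.2 and ECDHE are simply not available in that library, and the OS packages (or the OS itself) must be upgraded first.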
