So, I have enabled https on all our sites at Molly Rocket. I hate the web and I hate Apache and I hate everything, so it all sucks but I do want to ask the basic due diligence question for those of you who know web things: what should I do for Apache configuration regarding HTTPS security?
I have found that if I do the recommended protocol removals (nothing below SSL 3, etc.), then the site is not accessible from most Android devices. Basically only the very newest Android devices can connect. This doesn't seem desirable for a site such as, you know, handmadehero.org which is not meant to handle super-sensitive information anyway?
So I am wondering if there is a recommended set of things to do for a website which wants to be reasonably good for secure use, but doesn't want to become inaccessible to a lot of people.
Etc., etc.
- Casey
I have found that if I do the recommended protocol removals (nothing below SSL 3, etc.), then the site is not accessible from most Android devices. Basically only the very newest Android devices can connect. This doesn't seem desirable for a site such as, you know, handmadehero.org which is not meant to handle super-sensitive information anyway?
So I am wondering if there is a recommended set of things to do for a website which wants to be reasonably good for secure use, but doesn't want to become inaccessible to a lot of people.
Etc., etc.
- Casey
I'm sorry I don't have a specific answer for you but between
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl config generator by mozilla
and
https://www.ssllabs.com, which inspects your SSL config on your site and shows you what devices work vs not, I've generally been able to figure out a good balance and make sure the devices I want to work continues to work.
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl config generator by mozilla
and
https://www.ssllabs.com, which inspects your SSL config on your site and shows you what devices work vs not, I've generally been able to figure out a good balance and make sure the devices I want to work continues to work.
Unfortunately there isn't any secure TLS configuration that would allow older Android's to connect.
How old Androids are we talking here? I would think that anything under Android 4.x is not worth bothering with.
TLS is really that broken.
How old Androids are we talking here? I would think that anything under Android 4.x is not worth bothering with.
TLS is really that broken.
Yep. As Mārtiņš has pointed out - the only currently secure versions are TLS 1.1 and above, so if you want to be secure you need to disable anything lower then that.
Unfortunately TLS 1.1 and 1.2 are not enabled by default on a lot older browsers and devices (< IE10, < Android 5.0).
Unfortunately TLS 1.1 and 1.2 are not enabled by default on a lot older browsers and devices (< IE10, < Android 5.0).
Edited by James Hull
on
It looks like Android 4.x is OK as a minimum platform, perhaps:
http://www.statista.com/statistic...n-mobile-devices-with-android-os/
But testing via BrowserStack, when I hardened Apache's protocol set with the usual rec's, none of the 4.x devices could see the site anymore :( So I'm wondering what they actually support?
(And similarly, if you look at that Mozilla configurator page thingee, it seems to jump right from Android 2.x to Android 5.x - there's no "supports 4 but not 2 and 3" button that I can see?)
- Casey
http://www.statista.com/statistic...n-mobile-devices-with-android-os/
But testing via BrowserStack, when I hardened Apache's protocol set with the usual rec's, none of the 4.x devices could see the site anymore :( So I'm wondering what they actually support?
(And similarly, if you look at that Mozilla configurator page thingee, it seems to jump right from Android 2.x to Android 5.x - there's no "supports 4 but not 2 and 3" button that I can see?)
- Casey
Edited by Casey Muratori
on
According to the Android documentation TLS 1.1 is supported on API level 16+ (4.1–4.3.1) but not enabled by default until API level 20 (4.4+)
https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
https://developer.android.com/reference/javax/net/ssl/SSLSocket.html