Use SSL, they tell you, then your service is secure, they tell you.

That's wrong.

Mostly.

Use secure SSL, then your service is secure.

Today's most commonly used SSL is broken. The reason: RC4 is broken, and RC4 is what most SSL-enabled websites use. Check the SSL cipher of a site you use (in Firefox, click the padlock in the address bar) and you will see something like: RSA_RC4_128_SHA

That means the server uses RSA with 128-bit RC4 and SHA. And that is broken.

But it is getting worse. The NSA is currently building the biggest spy center in the US to store any data they get. Why? It may be true that they can't break the current secure ciphers now, but what about later?

So what we need is a system which will remain secure in the future. PFS (Perfect Forward Secrecy) fulfils this requirement.

How does it work?

When two peers want to establish a TLS tunnel with PFS, after performing the server (or the mutual) authentication, they agree on an ephemeral session key.

The session keys are then used to encrypt the rest of the conversation (the session) and are deleted afterwards. The goal of the key exchange phase is to let the two parties negotiate the keys securely; in other words, to prevent anyone else from learning these keys.

How do we enable it?

First: use a long SSL certificate key. We recommend RSA 4096 bits.

Also, you really should look forward to getting TLS 1.2 active on your server (it should already be supported by every Unix on its latest version).

Activate PFS

You will need Apache 2.3+; earlier versions do not support PFS.

Replace (or add if applicable) the following configuration directives in your SSL module configuration file (most likely to be found in /etc/apache2/mods-enabled/ssl.conf).

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA

It is really time to kill RC4, SSLv2 and SSLv3, for good reason, so use:

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA

How does it look afterwards? Have a look at our billing system (SSL Labs).

A note on RC4:

Yes, in our config RC4 is still available. This is for the people who use XP with IE6. And there are still a lot of XP machines out there, mostly in Africa and Asia.

Stupid stuff about RC4

You sometimes read stuff like "deactivate RC4" (German link). Do not do that!

What happens after you disable RC4 support in your browser? You can't reach any website that only supports RC4 over SSL anymore. That's all. It does not make your browser safer or more secure. *

Even bad crypto is better than no crypto. And every current browser, if SSLHonorCipherOrder is active on the server, automatically negotiates PFS first, and if the browser does not support it, falls back to RC4 (or another supported cipher).


* It only provides security if the server you are trying to reach supports other, more secure methods and they come after RC4 in the server's cipher order, because in that case RC4 would otherwise be used first.
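The footnote's point about cipher ordering, as an added example (not the post's own code): a small Python simulation of which suite from the first SSLCipherSuite line above gets negotiated with SSLHonorCipherOrder on or off, plus an audit that lists the non-PFS suites that list ranks above a PFS suite. The client offers are constructed.

```python
# Added example, not from the original post: simulate which suite a TLS
# handshake selects from the post's first SSLCipherSuite line (copied into
# SERVER_SUITES in server preference order) and audit that list's ordering.
# The client offers below are constructed for illustration.
SERVER_SUITES = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:"
    "CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:"
    "AES128-SHA:CAMELLIA128-SHA"
).split(":")


def is_forward_secret(suite):
    """ECDHE-/DHE- suites use an ephemeral key exchange, i.e. give PFS."""
    return suite.startswith(("ECDHE-", "DHE-"))


def uses_rc4(suite):
    """True for any suite whose record cipher is RC4 (even with ECDHE)."""
    return "RC4" in suite


def negotiate(server, client, honor_server_order=True):
    """Suite a handshake ends up with, or None if the two lists share none.
    SSLHonorCipherOrder on:  first suite in server order the client offers.
    SSLHonorCipherOrder off: first suite in client order the server allows."""
    preferred, other = (server, client) if honor_server_order else (client, server)
    return next((s for s in preferred if s in other), None)


def audit_order(server):
    """Non-PFS suites ranked above at least one PFS suite.  With
    SSLHonorCipherOrder on, a client offering one of these plus only a
    later PFS suite is served without PFS."""
    last_pfs = max(i for i, s in enumerate(server) if is_forward_secret(s))
    return [s for i, s in enumerate(server)
            if i < last_pfs and not is_forward_secret(s)]


if __name__ == "__main__":
    modern = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]  # constructed
    legacy = ["RC4-SHA", "DES-CBC3-SHA"]                                # constructed
    for name, offer in (("modern", modern), ("legacy", legacy)):
        s = negotiate(SERVER_SUITES, offer)
        print(f"{name}: {s} pfs={is_forward_secret(s)} rc4={uses_rc4(s)}")
    print("non-PFS suites ranked above a PFS suite:", audit_order(SERVER_SUITES))
```

Note that the audit flags RC4-SHA (and three other non-PFS suites) because the first list places ECDHE-RSA-AES128-SHA after them; the second, RC4-free list on the page keeps that suite in the same late position.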