At the very least, modern websites should use HTTPS by default, with any traffic on HTTP redirected to HTTPS; this ensures traffic in transit is encrypted from third parties' prying eyes. The next step is ensuring that the SSL certificate, along with the web server it sits on, is configured correctly from a security perspective so that any well-known weaknesses are addressed.

The Qualys SSL Server Test is an excellent free tool that grades the quality of your SSL configuration and identifies any areas that need to be addressed.

Qualys SSL Checker Tool

The Qualys SSL tool is here https://www.ssllabs.com/ssltest/index.html

To run the tool, simply enter your domain, tick "Do not show the results on the boards" and submit.

Allow around 5 minutes for the tool to run and the results to be returned.

As you can see from the results above, the site grade has been capped at a B because the server does not support Forward Secrecy with the reference browsers; further information is available here:

https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update

Tighten up the security

SSH to your Apache web server and edit the ssl.conf file (on some distributions this file is located at /etc/httpd/conf.d/ssl.conf instead):

sudo vi /etc/apache2/mods-enabled/ssl.conf

Edit the following line so that SSLv3, TLSv1 and TLSv1.1 are disabled. The leading "all" enables every protocol mod_ssl supports before the weak ones are subtracted; with only "-" entries the directive enables no protocol at all and Apache will fail to start with an SSL protocol error:

SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1

Update the following lines to enable Forward Secrecy:

SSLHonorCipherOrder on

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Restart Apache:

sudo service apache2 restart

Verify the site is still accessible on HTTPS.

Click Clear Cache, which will rerun the Qualys SSL checker and should now upgrade your grade to an A (unless other issues exist with your configuration).

This looks a lot healthier, but to get an A+ you need to enable HTTP Strict Transport Security (HSTS). When a compatible browser contacts an HSTS-enabled web server, it looks for a special HTTP header. This header states that the web client should only ever talk to the server over an HTTPS connection; a max-age is also configured, stating that the site should only be accessed over HTTPS for at least that length of time.

**Please ensure your full site works purely on HTTPS before proceeding with enabling this**

To configure this:

Enable the Apache headers module:

sudo a2enmod headers

Edit the virtual host configuration file:

sudo vi /etc/apache2/sites-enabled/000-default.conf

Update the virtual host settings. I would suggest testing with a very low max-age (e.g. an hour) in case of HTTPS configuration issues, but for production it should be set to a minimum of 6 months to a year; the example below sets it to 6 months:

<VirtualHost *:443>
....
Header always set Strict-Transport-Security "max-age=15780000; includeSubDomains"
</VirtualHost>

Run an Apache configuration test before restarting:

sudo apachectl configtest

If the syntax is OK, restart Apache:

sudo service apache2 restart

Verify the site and images are all still accessible on HTTPS.

Click Clear Cache, which will rerun the Qualys SSL checker and should now upgrade your configuration grade to an A+.
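Before restarting Apache it is worth checking the edited directives offline, so the following is an added example (not part of the original guide) that audits an Apache config snippet for the three things this guide changes: the SSLProtocol set (mirroring how mod_ssl applies bare words and +/- prefixes, including the "no leading all" mistake), SSLHonorCipherOrder, and the HSTS max-age. The six-month threshold, the protocol list (TLSv1.3 assumes OpenSSL 1.1.1 or later) and the two sample snippets are assumptions constructed for the example.

```python
import re
# Thresholds for this example (assumptions, not SSL Labs' exact grading rules).
MIN_HSTS_MAX_AGE = 15780000   # about six months, the value the guide sets
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def parse_ssl_protocol(value):
    """Mirror mod_ssl's SSLProtocol parsing: a bare word replaces the set, +/- adjust it."""
    enabled = set()
    for word in value.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        protos = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if action == "-":
            enabled -= protos
        elif action == "+":
            enabled |= protos
        else:
            enabled = set(protos)
    return enabled

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    parts = [p.strip() for p in value.split(";")]
    ages = [int(p[8:]) for p in parts if re.fullmatch(r"max-age=\d+", p, re.I)]
    return (ages[0] if ages else None), any(p.lower() == "includesubdomains" for p in parts)

def audit_apache_config(text):
    """List the weaknesses this guide addresses that are present in an Apache config snippet."""
    findings = []
    m = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", text, re.M)
    if m:
        enabled = parse_ssl_protocol(m.group(1))
        if not enabled:   # e.g. "-SSLv3 -TLSv1 -TLSv1.1" with no leading "all"
            findings.append("SSLProtocol enables no protocol; mod_ssl will refuse to start")
        findings += [f"SSLProtocol still enables {p}" for p in sorted(enabled & WEAK_PROTOCOLS)]
    if not re.search(r"^\s*SSLHonorCipherOrder\s+on\s*$", text, re.M | re.I):
        findings.append("SSLHonorCipherOrder is not on; clients may negotiate a non-PFS suite")
    h = re.search(r'Strict-Transport-Security\s+"([^"]*)"', text)
    if not h:
        findings.append("no Strict-Transport-Security header is set")
    else:
        max_age, _ = parse_hsts(h.group(1))
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below the six-month minimum")
    return findings

# Constructed sample snippets: a partially hardened 'before' state and the guide's end result.
WEAK_CONF = 'SSLProtocol all -SSLv3\nHeader always set Strict-Transport-Security "max-age=3600"\n'
HARDENED_CONF = ('SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\nSSLHonorCipherOrder on\n'
                 'Header always set Strict-Transport-Security "max-age=15780000; includeSubDomains"\n')
```

Running `audit_apache_config` over the two snippets reports four findings for WEAK_CONF and none for HARDENED_CONF; point it at the real ssl.conf and virtual host file contents to check your own edits before `apachectl configtest`.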