Helpful sites for SSL Connections
I’m still of the opinion that not everything needs to be encrypted. It sets up artificial barriers for very basic sites. SSL just is not that easy to setup even now.
That said, it’s not bad to have it especially if you’re going to take input from users. So, if you’re going to do it. Do it right and make use of these handy sites to help get it right.
First off, there’s Let’s Encrypt which you’ve probably heard of already. Use it, there’s really not point paying for a certificate unless you’re doing e-commerce and want a green lock on your site. Let’s Encrypt is straight forward and easy too. A word of caution, their setup script can easily sort out server configuration too. If you’ve had a previous SSL set up you may want to opt for just a certificate and handle the config yourself.
Next, checkout Qualys’ SSL Test. It takes a minute or two but if gives you some great insight. You don’t have to get a perfect score and getting just an A score shouldn’t be too hard. Still, many things to help get a higher score are easy wins.
And one of the best way to tick off those easy wins is go head over to Mozilla’s SSL configuration generator. You just need to tell it your software, their versions and how strict you want to be and it should give you an almost straight copy / paste block of config. You should just have to adjust the paths to your files (and if you’re using Let’s Encrypt the things you want will likely be in /etc/letsencrypt/live/<hostname>/
) and restart the server.
I understand why Let’s Encrypt may give some very safe options as having a more “modern” set up could block browsers such as Internet Explorer 11. This is perfectly fine unless of course your target demographic may be more likely to be far behind the current trends. But, it would be nice if we could some how get something like the Mozilla SSL configuration done automatically as part of the Let’s Encrypt set up or at least have it spit out a file with the necessary config for people to just copy / paste. Most people will never care or understand what a Diffie Hellman key exchange is or why OCSP stapling should be enabled so we need to make these things happen seamlessly without them even knowing.