Thread: Webserver for EWB 3.0
Wed, Sep 5 2018 10:18 AM

Ronald

Hi,

Here in the Netherlands we have a platform where one can test a domain for security. I tested my domain with the EWB server. It scored high, but there were two problems:

1. The EWB server does not have an HSTS policy. This is a header that the server must send in the server response in order to force the client to use HTTPS and not HTTP.

2. The server allows client-initiated renegotiation. I read that this was not a security issue, but that it made the server vulnerable to DDoS attacks.

Does EWB3 server handle this? Maybe it can be made possible to add standard headers to every response.

Greetings,
Ronald
Thu, Sep 6 2018 3:57 AM

Ronald

Ronald wrote:
<
Does EWB3 server handle this? Maybe it can be made possible to add standard headers to every response.
>

I must admit that I have Stunnel for HTTPS running on my server.
Wed, Sep 12 2018 11:40 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Ronald,

<< 1. The EWB server does not have an HSTS policy. This is a header that the server must send in the server response in order to force the client to use HTTPS and not HTTP. >>

There isn't an option in the EWB 3 Web Server for HSTS, but I can certainly add one.

<< 2. The server allows client-initiated renegotiation. I read that this was not a security issue, but that it made the server vulnerable to DDoS attacks. >>

This is handled by Stunnel, so it doesn't really apply to EWB directly. For Stunnel, here are the most recent settings that we're using that get an "A" grade in SSL/TLS test suites like Qualys:

https://www.ssllabs.com/ssltest/

Stunnel config:

options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1

ciphers = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4

renegotiation = no

Tim Young
Elevate Software
www.elevatesoft.com
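An added example, not code from EWB, Stunnel or Elevate Software: it checks a response for the HSTS header from point 1 the way a domain-security scanner would, so the policy can be verified once it is enabled in front of the EWB server. The six-month threshold, the sample header sets and the fetch helper are assumptions.

```python
"""Validate a Strict-Transport-Security (HSTS) policy on HTTP responses."""
from http.client import HTTPSConnection
from urllib.parse import urlsplit

SIX_MONTHS = 15_552_000  # seconds; assumed minimum max-age a scanner accepts


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into lower-cased directives (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: dict) -> list:
    """Return findings for the HSTS policy; an empty list means it is acceptable."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(value)
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(d["max-age"]) < SIX_MONTHS:
        findings.append(f"max-age {d['max-age']} is below {SIX_MONTHS}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set (subdomains stay downgradable)")
    return findings


def fetch_headers(url: str) -> dict:
    """Fetch response headers over HTTPS for a live check of a real host."""
    parts = urlsplit(url)
    conn = HTTPSConnection(parts.hostname, parts.port or 443, timeout=10)
    conn.request("HEAD", parts.path or "/")
    return dict(conn.getresponse().getheaders())


# Constructed sample responses, not captured from any real server
BEFORE = {"Content-Type": "text/html"}
AFTER = {"Content-Type": "text/html",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    print("before:", check_hsts(BEFORE))
    print("after:", check_hsts(AFTER))
```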