[jitsi-dev] Improving meet.jit.si SSL score


#1

Hi Developers,

https://www.ssllabs.com/ssltest/analyze.html?d=meet.jit.si
An A- is good, but with a couple of configuration updates to your nginx
you can bump it up to A+.

0. Enable Strict Transport Security (HSTS) [0]
This tells the browser that meet.jit.si will have an SSL certificate
for at least a certain amount of time. This way, if someone is trying
to do a MITM, the browser will throw up a warning.
This line can be added:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

1. Session resumption (caching) [1]

You can add these lines:
ssl_session_timeout 5m;   # keepalive=20sec; connection close=session expires
ssl_session_cache shared:SSL:50m;

2. Forward Secrecy [2]
In cryptography, forward secrecy is a property of key-agreement
protocols ensuring that a session key derived from a set of long-term
keys cannot be compromised if one of the long-term keys is compromised
in the future.

Practicing the best security with the least amount of inconvenience to
your users will show everyone, again, that Jitsi cares about privacy
and security.

Best,
jungle

[0] http://tools.ietf.org/html/rfc6797
[1] https://tools.ietf.org/html/rfc5077
[2] http://www.ietf.org/rfc/rfc2409.txt


--
-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si
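As an added example (this is not code from the thread, nor Jitsi's own configuration or tooling), here is a small Python audit for the three points in the post above, plus a check that SSLv3 is not enabled: it parses an nginx server block, checks the Strict-Transport-Security header against the RFC 6797 syntax and the one-year max-age suggested above, checks that a session cache is configured, and flags cipher suites whose key exchange is not ephemeral. The two server blocks embedded in it are constructed for illustration, not meet.jit.si's real configuration; the forward-secrecy check is a name heuristic over explicit suite names, not an OpenSSL evaluation of the cipher string; and the parser is deliberately minimal, not a full nginx config parser.

```python
"""Audit an nginx TLS server block for the points raised above (HSTS, session
resumption, forward secrecy, no SSLv3).  Added example; both blocks below are constructed."""
import shlex

HSTS_MIN_MAX_AGE = 31536000   # one year, the max-age the thread suggests


def parse_directives(text):
    """Return [(name, [args])] using shlex with ';', '{' and '}' as punctuation, so a
    quoted HSTS value keeps its own ';' and '#' comments are dropped.  Not a full parser."""
    lexer = shlex.shlex(text, posix=True, punctuation_chars=";{}")
    lexer.wordchars += ":+!"   # keep cipher strings and shared:SSL:50m whole
    parsed, current = [], []
    for token in lexer:
        if token in (";", "{", "}"):
            if current:
                parsed.append((current[0], current[1:]))
            current = []
        else:
            current.append(token)
    return parsed


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1): names
    are case-insensitive and a repeated name invalidates the header (None)."""
    directives = {}
    for part in filter(str.strip, value.split(";")):
        name, sep, val = part.strip().partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(value):
    """Findings for one header value; None means the header is absent."""
    if value is None:
        return ["HSTS: header missing"]
    d = parse_hsts(value)
    if d is None or not (d.get("max-age") or "").isdigit():
        return ["HSTS: invalid header (max-age required, no repeated directives)"]
    findings = []
    if int(d["max-age"]) < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS: max-age {d['max-age']} below one year")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains not set")
    return findings


def audit(config_text):
    """Return the findings for one server block; an empty list means it passes."""
    directives = parse_directives(config_text)
    args_of = {name: args for name, args in directives}
    headers = {a[0].lower(): a[1] for n, a in directives
               if n == "add_header" and len(a) > 1}
    findings = check_hsts(headers.get("strict-transport-security"))
    if args_of.get("ssl_session_cache", ["off"]) == ["off"]:
        findings.append("session resumption: ssl_session_cache not enabled")
    protocols = args_of.get("ssl_protocols")
    if protocols is None:
        findings.append("protocols: ssl_protocols not set (nginx before 1.9.1 enabled SSLv3 by default)")
    for weak in sorted({"SSLv2", "SSLv3"} & set(protocols or [])):
        findings.append(f"protocols: {weak} enabled")
    if "ssl_ciphers" not in args_of:
        findings.append("forward secrecy: ssl_ciphers not set (nginx default HIGH:!aNULL:!MD5 includes static RSA suites)")
    else:
        # Name heuristic over explicit suites only: ephemeral (EC)DH key exchange gives forward
        # secrecy, static RSA does not.  Keyword groups such as HIGH need 'openssl ciphers -v'.
        suites = [c for c in args_of["ssl_ciphers"][0].split(":") if c and c[0] not in "!-+"]
        non_fs = [c for c in suites if "-" in c and not c.startswith(("ECDHE-", "DHE-"))]
        if non_fs:
            findings.append("forward secrecy: static key exchange suites " + ", ".join(non_fs))
    if args_of.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("forward secrecy: ssl_prefer_server_ciphers is not on")
    return findings


# Constructed before/after server blocks, not meet.jit.si's real configuration.
WEAK_CONFIG = """
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA;
    ssl_session_cache off;
}
"""
HARDENED_CONFIG = """
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";  # point 0
    ssl_session_timeout 5m;                                                      # point 1
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;                                                # point 2
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
}
"""
```

audit(WEAK_CONFIG) returns five findings (missing HSTS, no session cache, SSLv3 enabled, two static-RSA suites, server cipher preference not on) and audit(HARDENED_CONFIG) returns an empty list. The HSTS parser lowercases directive names and rejects a repeated directive, which is what RFC 6797 requires a user agent to do, so a header that passes here is one a browser will actually honour.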


#2

Hi jungle,

I'll work on that, thanks for noticing!

Best regards,

On Thu, 1 May 2014 22:18:56 -0700 jungleboogie0 wrote:

> https://www.ssllabs.com/ssltest/analyze.html?d=meet.jit.si
> An A- is good, but with a couple of configuration updates to your nginx
> you can bump it up to A+.

--
Yasen Pramatarov
sysadmin, https://jitsi.org


#3

Jit.si could also be improved, but I can't tell you how. Maybe jungle
can help there as well?

Jit.si gets C for both c2s and s2s.
https://xmpp.net/result.php?domain=jit.si&type=client
https://xmpp.net/result.php?domain=jit.si&type=server

Regards,
Philipp

On Fri, 2 May 2014 11:17:27 +0300 Yasen Pramatarov <yasen@bluejimp.com> wrote:

> On Thu, 1 May 2014 22:18:56 -0700 jungleboogie0 wrote:
>
> > https://www.ssllabs.com/ssltest/analyze.html?d=meet.jit.si
> > An A- is good, but with a couple of configuration updates to your nginx
> > you can bump it up to A+.
>
> Hi jungle,
>
> I'll work on that, thanks for noticing!
>
> Best regards,


#4

Hi Philipp,

> --------------------------------------------------------
> From: Philipp Überbacher <murks@tuxfamily.org>
> Sent: Fri, 2 May 2014 10:30:53 +0200
> To: Jitsi Developers
> Subject: Re: [jitsi-dev] Improving meet.jit.si SSL score
>
> Jit.si could also be improved, but I can't tell you how. Maybe jungle
> can help there as well?
>
> Jit.si gets C for both c2s and s2s.
> https://xmpp.net/result.php?domain=jit.si&type=client
> https://xmpp.net/result.php?domain=jit.si&type=server
>
> Regards,
> Philipp

Well, it's getting at least a B because jit.si doesn't use TLS 1.2 and both
client and server are still supporting SSLv3.

I don't know if Openfire can support TLS 1.2, as per Eugen Dahm:
http://issues.igniterealtime.org/browse/OF-636
and
https://bugzilla.redhat.com/show_bug.cgi?id=1022017
as it looks like a known issue with JDK 7.

But the weak and very weak ciphers could definitely be disabled to improve
the security.

This XMPP provider is using far fewer ciphers and they are not using TLS
1.2 either, but all categories are very high:
https://xmpp.net/result.php?domain=dukgo.com&type=client

--
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si