As always, security is a main concern in our network. We have already updated a couple of services and are in the process of updating a few more.
First, we have updated NGINX (our web server) with a few additional modules, which will allow us to do a few more optimizations.
We have also increased the SSL security levels. There are some downsides to this. However, we believe the upsides outweigh the downsides.
Cons:
- Support for IE6 on XP SSL connections has been removed completely.
- Support for Java6 SSL connections has been removed completely.
- Support for YandexBot 3.0 SSL connections has been removed completely.
Note: The above were already not supported, as none of them support SNI (Server Name Indication). SNI is how SSL connections are defined by domain names rather than IPs. Our network serves SSL connections based upon domain names primarily and IPs secondarily, so the support for the above methods of viewing an SSL site was spotty at best.
Pros:
- SSL Security score went from 90% to 96.25%, a 6.25% increase.
- Encryption Speed has been increased.
- SSL connections now have a subsidiary encryption which helps even more against MITM attacks.
- Possible BEAST exploit has been removed completely.
- Possible Lucky Thirteen exploit has been removed completely.
- Possible CRIME exploit has been removed completely.
Note: The above exploits were possible due to encryption methods which were available on the server to support the above methods of an SSL connection. With these removed, the possible exploits are removed as well.