>>>> Ludwig Nussel <ludwig.nussel@suse.de> 11/27/2012 2:37 AM >>>
>Matthew Ehle wrote:
>> I have recently implemented several new security features for the openSUSE
>> forums, wikis, and blogs hosted in Provo:
>> - TLS 1.2 is supported. On the client side, this version of TLS is supported by
>> the latest version of IE and some mobile devices. For clients that do not
>> support TLS 1.2, the server still prefers RC4 cipher suites as a mitigation to
>> the BEAST exploit.
>> - HTTP Strict Transport Security (HSTS) is set for 5 minutes on secure
>> sessions. For supported clients, this prevents click through of SSL warnings
>> and downgrade of secure sessions.
>
>Very cool, thanks for adding all those features! The HSTS age should be
>at least in the order of magnitude of months though. Its purpose is to
>tell the browser to enforce https if the user visits a page again. That
>interval should be higher than the average holiday length I guess :-)
You brought up a good point. The reason that the age is 5 minutes right now
is so that if we have any SSL related issues, we can turn it off and let the clients
downgrade relatively quickly. When we are sure that it's working well, I'll turn
that max age up.
Since only authenticated users need to use HTTPS, I'm thinking that I'll probably set it
for as long as the session is valid (~8 hours). That way, if they come back the next
day as a public user, we aren't forcing them to SSL for no reason. I should mention
that this header is sent on every HTTPS response, so the max age is reset every time
you request a page.
-Matt
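To make the max-age trade-off in this thread concrete, here is a small model of a browser's HSTS policy store; it is an added example, not code from the thread or the openSUSE servers, and the host name is a placeholder. It parses the Strict-Transport-Security header, renews the expiry on every HTTPS response (as Matt describes) and reports, per visit, whether a plain http:// request would have been upgraded.

```python
import re


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        raise ValueError("HSTS header without a valid max-age: %r" % header)
    return int(directives["max-age"]), "includesubdomains" in directives


class HstsCache:
    """Minimal model of a browser's HSTS store (constructed for this example)."""

    def __init__(self):
        self.expiry = {}  # host -> absolute time (seconds) at which the policy lapses

    def observe(self, host, header, now):
        """Record the policy carried by an HTTPS response received at time `now`."""
        max_age, _ = parse_hsts(header)
        if max_age == 0:
            self.expiry.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.expiry[host] = now + max_age  # every response restarts the timer

    def must_use_https(self, host, now):
        """True if the browser would rewrite http:// to https:// for this host."""
        return self.expiry.get(host, 0) > now


def simulate(header, visit_offsets, host="forums.example.test"):
    """Replay HTTPS visits at the given offsets (seconds from the first visit).

    Returns, for each visit, whether the browser already enforced HTTPS *before*
    that visit's response arrived, i.e. whether a downgrade would have been blocked.
    """
    cache = HstsCache()
    results = []
    for t in visit_offsets:
        results.append(cache.must_use_https(host, t))
        cache.observe(host, header, t)  # the response renews max-age
    return results


if __name__ == "__main__":
    # max-age=300 lapses between a short break and the next day's visit
    print(simulate("max-age=300", [0, 240, 600, 86400]))
    # max-age=28800 (~8 h) survives within a working day but not overnight
    print(simulate("max-age=28800", [0, 3600, 30000, 60000]))
```

With the 5-minute value the policy is gone well before the next visit, while an 8-hour value covers gaps shorter than a session but still expires overnight, which is the behaviour Matt is aiming for.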