Matthew Ehle wrote:
> I have recently implemented several new security features for the openSUSE forums, wikis, and blogs hosted in Provo:
>
> - TLS 1.2 is supported. On the client side, this version of TLS is supported by the latest version of IE and some mobile devices. For clients that do not support TLS 1.2, the server still prefers RC4 cipher suites as a mitigation to the BEAST exploit.
>
> - HTTP Strict Transport Security (HSTS) is set for 5 minutes on secure sessions. For supported clients, this prevents click through of SSL warnings and downgrade of secure sessions.
Very cool, thanks for adding all those features!

The HSTS age should be at least in the order of magnitude of months though. Its purpose is to tell the browser to enforce https if the user visits a page again. That interval should be higher than the average holiday length I guess :-)

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
       SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
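The point Ludwig raises, that a 5-minute HSTS max-age barely outlives a single browsing session while a months-long one keeps the browser enforcing HTTPS across return visits, is easy to check from the header itself. The following is an added example, not code from the thread or from the openSUSE infrastructure: it parses a Strict-Transport-Security header value per RFC 6797 (case-insensitive directives, integer max-age in seconds) and classifies it against a minimum lifetime. The 180-day threshold and the sample header values are assumptions made for the example.

```python
"""Classify Strict-Transport-Security header values by their max-age lifetime."""

SECONDS_PER_DAY = 86400


def parse_hsts(header):
    """Parse an HSTS header value into its directives.

    Returns a dict with keys "max_age" (int seconds, or None when the
    directive is missing or not a non-negative integer), "include_subdomains"
    and "preload" (both bool). Directive names are matched case-insensitively,
    as RFC 6797 requires.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_verdict(header, min_days=180):
    """Return "missing", "too-short" or "ok" for an HSTS header value.

    min_days is an assumed policy threshold (six months here); a max-age
    below it still lets an HTTP downgrade succeed once the entry expires.
    """
    parsed = parse_hsts(header)
    if parsed["max_age"] is None:
        return "missing"
    if parsed["max_age"] < min_days * SECONDS_PER_DAY:
        return "too-short"
    return "ok"


# Constructed sample header values, including the 5-minute setting from the thread.
SAMPLES = {
    "five-minute": "max-age=300",
    "six-months": "max-age=15552000; includeSubDomains",
    "one-year-preload": "max-age=31536000; includeSubDomains; preload",
    "malformed": "max-age=abc",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:18} {value!r:55} -> {hsts_verdict(value)}")
```

Run against a live site, the header value would come from the response to an HTTPS request; the classifier itself is the same. Note that a browser only records the policy when it arrives over an error-free TLS connection, so the header must be set on the HTTPS responses, not on the redirecting HTTP ones.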