Kwok with a Blog

The official blog belonging to Anthony Kwok

EOL TLS 1.0 and TLS 1.1

So for those who work in SOCs (Security Operation Centers) or develop/maintain webservers, you probably have heard that TLS 1.0 is going out of support this year.

According to the report by Portswigger Mozilla has confirmed that browser support for TLS (Transport Layer Security) 1.0 and 1.1 will end from March 2020. The move will not only apply to Firefox. Google Chrome, Microsoft Edge and Internet Explorer 11, and Apple’s Safari browser are all due to revoke support for TLS 1.0/1.1 by 2020. The agreement between Apple, Google, Microsoft, and Mozilla to retire support for these aging cryptographic protocols will likely be welcomed by web developers seeking a more secure internet.

Luckily for you, I have created some best practices for you when it comes to changing your TLS settings for your webserver.
Here are the TLS settings for Apache

# Enable TLSv1.2, disable SSLv3.0, TLSv1.0 and TLSv1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# Enable modern TLS cipher suites SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

# The order of cipher suites matters SSLHonorCipherOrder on

# Disable TLS compression SSLCompression off

# Necessary for Perfect Forward Secrecy (PFS) SSLSessionTickets off
Here are the TLS settings for Nginx
# Enable TLSv1.2, disable SSLv3.0, TLSv1.0 and TLSv1.1
ssl_protocols TLSv1.2;

# Enable modern TLS cipher suites ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

# The order of cipher suites matters ssl_prefer_server_ciphers on;
I will add settings for Windows, Postfix and Outlook later. Verify that your SSL settings are good enough by going to SSL_Labs. Make sure to add an HSTS header to get that A+ rating.

Most Realistic Customer Support

It was around 11pm when I uploaded all the files I needed to host my Github pages site. Around 2am, I made a PSA on my Snapchat story stating my site was finally live. Shortly after, a friend of mine sends me a DM asking me if I bought my domain name yet and if I hadn't, he'd buy it and then sell me it for an absurd amount. Luckily for me, I already bought the domain name but I forgot to park it in the settings of my Github repository. Thinking it was an error with my DNS settings, I use the live chat support system and what happened next was quite intriguing for someone who was deeply troubled at 3 in the morning. After stating my issue and verifying my account, I decide to break the norm and make colloquial conversation with the person helping me out.

Conversation with tech support

I'm writing this post because I rarely have feedback for situations like this because usually tech support can be scripted down and follows this routine where the client states their issue and tech support helps them with their issue. This is also the first time where I've received such friendly tech support. So, keeping my word to you, here is the second post for today. Thank you Margarita Krasnova for giving me a good laugh. It is truly marvelous what can happen at 3am.