IT notes

ciphers supported

List ciphers supported by an HTTP server: nmap --script ssl-enum-ciphers -p 443 www.nbari.com Example of output: PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server |_ least strength: A Nmap done: 1 IP address (1 host up) scanned in 9.

Upgrade Insecure Requests

The “Upgrade Insecure Requests” Content Security Policy can be used to automatically upgrade insecure (e.g. http:) requests to a secure alternative (e.g. https:) before a browser fetches them. In practice, this helps avoid mixed-content warnings when a page is accessed via https:, but it contains references to resources using absolute http: URLs. Like other Content Security Policies, the recommend approach is to enable it via a HTTP response header: Content-Security-Policy: upgrade-insecure-requests Nginx example:

HSTS

http://… will change to https://… If you own a site that you would like to see included in the preloaded HSTS list you can submit it at https://hstspreload.appspot.com. verify HTTP Strict Transport Security (HSTS) header with curl $ curl -Is https://google.com | grep -i stric Strict-Transport-Security: max-age=15552000; includeSubDomains Remove domain from chrome Search for the domain in: chrome://net-internals/#hsts and delete it. HTTP Strict Transport Security The issue that HSTS addresses is that users tend to type http:// at best, and omit the scheme entirely most of the time.