Daniel Micay on Twitter: "@mralanorth @internet_nl @ncsc_nl This is what we use for the GrapheneOS web servers: https://t.co/3pgOlxudvK If you don't care about supporting legacy clients including various bots, disable TLS 1.2. TLS 1.3 only has ECDHE. For email it's a bit different due to servers without DANE falling back to plain text." / Twitter

New Internet.nl version available with: 1. latest TLS guidelines from

2. Extended CSP test 3. Better support for non-mail domains 4. Extension of minimum cache period for HSTS en.internet.nl/article/new-re Happy testing! #moderninternet

Screenshot of 100% score on Internet.nl
#IPv6 #DNSSEC #HTTPS

read image description

ALT

6

49

62

Replying to

and

Today I learned that generating your own DH params is not recommended...? They recommend using pre-defined groups from RFC 7919.

1

Replying to

and

Correct, but for a website, you should probably disable DHE and other legacy ciphers. DHE is only useful for a website to support Internet Explorer when using RSA certificates since it only supports ECDHE with ECSDA certificates. Use ECDSA certificate and ECDHE works fine for it.

2

Replying to

This is what we use for the GrapheneOS web servers: github.com/GrapheneOS/gra If you don't care about supporting legacy clients including various bots, disable TLS 1.2. TLS 1.3 only has ECDHE. For email it's a bit different due to servers without DANE falling back to plain text.

github.com

grapheneos.org/nginx.conf at aae0ac8edf404d47c664506e26f8a23e8a36f01d · GrapheneOS/grapheneos.org

Main website servers. Contribute to GrapheneOS/grapheneos.org development by creating an account on GitHub.

11:21 AM · Mar 19, 2021Twitter Web App

Replying to

Our solution to that email server issue is disabling support for unencrypted connections. That's obviously not something most people would accept since they would be concerned about missing emails. For us, we're more than happy to reject mail from broken / insecure mail servers.

3

Conversation