Changes

Security/Server Side TLS

124 bytes added, 15:55, 22 July 2020
Update certificate lifespans
* TLS curves: '''X25519, prime256v1, secp384r1'''
* HSTS: '''max-age=63072000''' (two years)
* Maximum certificate Certificate lifespan: '''90 days'''
* Cipher preference: '''client chooses'''
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
** We recommend ECDSA certificates using P-256, as P-384 provides negligable negligible improvements to security and Ed25519 is not yet widely supported
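Review bot: In the Modern list the lifespan item appears to drop "Maximum" from its label, so "Certificate lifespan: 90 days" now reads as an exact value, while the Intermediate and Old items give a range ("90 days (recommended) to 366 days"). State whether 90 days is the upper bound for Modern, for example "up to 90 days", so it is clear that shorter-lived certificates still conform.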
== <span style="color:orange;">'''Intermediate'''</span> compatibility (recommended) ==
* DH parameter size: '''2048''' (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])
* HSTS: '''max-age=63072000''' (two years)
* Maximum certificate Certificate lifespan: '''90 days''' (recommended) to '''2 years366 days'''
* Cipher preference: '''client chooses'''
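Review bot: The new upper bound of 366 days on the lifespan item is given without a source, whereas the DH parameter item directly above it links to RFC 7919. Link the browser policy that the edit summary refers to and say whether the 366-day bound is inclusive, so operators can check the figure against the policy rather than take it on trust.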
* DH parameter size: '''1024''' (generated with <tt>openssl dhparam 1024</tt>)
* HSTS: '''max-age=63072000''' (two years)
* Maximum certificate Certificate lifespan: '''90 days''' (recommended) to '''2 years366 days'''
* Cipher preference: '''server chooses'''
! Editor
! Changes
|-
| style="text-align: center;" | 5.5
| style="text-align: center;" | April King
| Update certificate lifespan to reflect browser policy changes
|-
| style="text-align: center;" | 5.3
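Review bot: The new history row is numbered 5.5 while the next visible row is 5.3. Confirm that a 5.4 entry exists elsewhere in the table, or renumber this row, so the version history stays contiguous.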