A Pound of Security

Posted by Bjarni on November 23, 2013

The last couple of days we have been working a bit on improving how we communicate with our community. There are many facets to this, but central to all of it is our website - which until yesterday was only available as an unencrypted plain-text HTTP site, which is not the example we should set as a security-minded software project.

Upgrading to basic SSL was relatively straightforward:

1. Get a free SSL certificate from StartSSL.
2. Install the Pound load balancer.
3. Move our lighttpd server off port 80 and configure Pound to handle both ports 443 and 80, redirecting all insecure HTTP requests to HTTPS.

That was easy enough and that is where many webmasters would call it a day.

But not us... I solicited feedback from Twitter, asking how to improve the security. Sure enough, people pointed out that the default ciphers used by Pound aren't really up to modern security standards. I had been hoping someone would also send me a link to a simple how-to on hardening the Pound SSL configuration, but no such luck; I had to figure it out myself. Oh well!

After doing a bit of research, I discovered that fixing the Pound SSL cipher list requires patching the daemon and rebuilding. Once I had patched, recompiled and installed the new Pound, I was able to configure it with the following sections and restart:

    ListenHTTPS
        Address 0.0.0.0
        Port    443
        Cert    "/etc/pound/mailpile_is.pem"

        # SSL Cipher settings from here:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # Note: Line split for readability, remove linebreaks before use!
        Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:
                 ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:
                 RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
        SSLHonorCipherOrder 1
        Disable SSLv3
        Disable SSLv2

        Service
            BackEnd
                Address 127.0.0.1
                Port    12345
            End
        End
    End

    ListenHTTP
        Address 0.0.0.0
        Port    80

        Service
            Redirect "https://www.mailpile.is"
        End
    End

This sufficed to get us an "A" rating on SSLLabs.com. Mission accomplished!

One thing to keep in mind: the Ciphers string is handed straight to OpenSSL, so which cipher suites it actually enables depends on the OpenSSL build that Pound is linked against. The same string can expand to a different list after a library upgrade, so the expansion is worth rechecking rather than assuming the rating still holds.

But wait, there's more!

Since I prefer to use the Debian package manager to keep track of all installed software, I wrote a script that builds a Debian package with those patches. It looks a bit like this:

    #!/bin/bash
    set -e

    # Download Pound and signature.
    # -f makes curl fail on an HTTP error instead of saving the error page
    # as the tarball (set -e then aborts the script).
    curl -f http://www.apsis.ch/pound/Pound-2.7.tgz >pound_2.7.orig.tar.gz
    curl -f http://www.apsis.ch/pound/Pound-2.7.asc >pound_2.7.orig.tar.gz.asc

    # Verify signature. gpg reports a good signature for *any* key in your
    # keyring, so import the upstream signing key from a trusted source first
    # and check that the key gpg names is the one you expect.
    gpg --verify pound_2.7.orig.tar.gz.asc

    # Unpack
    rm -rf Pound-2.7
    tar xvfz pound_2.7.orig.tar.gz
    cp -a pound-2.7-debian Pound-2.7/debian

    # Build it!
    cd Pound-2.7
    debuild -us -uc
    cd ..

    # Cleanup
    rm -rf Pound-2.7

The magic is actually in the pound-2.7-debian folder, the contents of which you can download from here.

Hopefully these tips will help others secure their own websites. Thanks for reading!

Updated 2015-02-20: Moved to Pound 2.7, disabled SSLv3.