Talk:Security/Server Side TLS: Difference between revisions

Further discussion on IIS
Is there a particular reason there are no recommendations present for secure SSL/TLS configuration of IIS servers? This page is a fantastic resource for web server administrators maintaining HTTPS configurations but the omission of any IIS guidance seems quite significant given its prevalence. I'd be happy to create some draft guidance for community review for inclusion if this is desirable. Apologies if there's a specific obvious reason I've missed. [[User:Sdl|ralish]] ([[User talk:Sdl|talk]])


==== ulfr, 20140424 ====
=== ulfr, 20140424 ===


It's simple really: as far as I know, we don't use IIS for SSL termination. If we did, we would have a recommendation for it. My concern about adding an IIS section is finding someone committed to maintaining it, because I have no idea what the right way of configuring Windows services is.
=== sdl, 20140426 ===
A key part of the merit question for me depends on the primary purpose of the page: is it primarily a guide for TLS configuration of Mozilla sites (for the Ops teams that run them), with its value for non-Mozilla staff more incidental due to the public nature of Mozilla, or is the providing of quality guidance on TLS configurations for any and all also a primary goal? If the latter, IIS seems worthwhile; if the former, much less so unless Mozilla starts using IIS servers at some point. As for maintaining it, I'd be happy to volunteer, but only on a best-effort basis. That being said, updates should be relatively infrequent as IIS features are largely pinned to Windows releases. So guidance would typically change in response to either new IIS versions introducing new security features or new TLS attacks resulting in recommended changes to mitigate (as in the case of BEAST, CRIME, etc.).


== RC4 ==