As you may have noticed, over the last month or so, both this site and Portcullis Labs have moved from being accessible over plain-text HTTP to only being accessible over HTTPS. In doing so, Portcullis are acknowledging that not only are your personal details important to us, but that the days of being able to trust what your browser downloads are fast disappearing.
To achieve this, we’re making use of the HTTP Strict Transport Security (HSTS) header to force your browser to connect to our sites only over SSL. Sent to your browser once, on its first connection, this header tells supporting browsers never again to visit the plain-text HTTP version of the site and in future to connect only over HTTPS.
Those of you of a curious disposition may well have checked our cipher support and observed that, whilst we’re following our own current good practice around the cipher suites we support, we have some room for improvement, notably with respect to:
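To make the "sent once, remembered thereafter" behaviour concrete, here is a small model of how a browser honours that header. It is an added example, not Portcullis' own code: `parse_hsts`, `HstsStore`, the host names and the header values are all constructed for illustration. Two details matter for the security property: a browser only records the policy when the header arrives over HTTPS (one seen over plain HTTP could have been injected on the path), and the entry expires after `max-age` seconds unless refreshed.

```python
"""Model of how a browser honours the Strict-Transport-Security header.

Added example; not code from Portcullis or the blog.  Host names and header
values used below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains).

    Returns None when the header carries no max-age, which a browser treats
    as "ignore this header".
    """
    max_age, include_sub = None, False
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        m = _MAX_AGE.fullmatch(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """The browser's memory of hosts that must only be reached over HTTPS."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry time in seconds, include_subdomains)

    def observe(self, url, headers, now):
        """Record the policy from a response; returns True if anything changed.

        Only HTTPS responses count: a header seen over plain HTTP is ignored.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            # max-age=0 tells the browser to forget the host
            self._hosts.pop(parts.hostname, None)
            return True
        self._hosts[parts.hostname] = (now + max_age, include_sub)
        return True

    def _covered(self, host, now):
        # Exact host match, or a parent domain whose policy includes subdomains
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # policy has expired
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url, now):
        """Return the URL the browser will actually fetch for a navigation."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._covered(parts.hostname, now):
            return parts._replace(scheme="https").geturl()
        return url


if __name__ == "__main__":
    store = HstsStore()
    store.observe("https://www.example.com/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                  now=0)
    print(store.upgrade("http://www.example.com/blog/", now=60))
    print(store.upgrade("http://labs.example.com/", now=60))
```

The `upgrade` call models the browser rewriting a later plain-HTTP navigation to HTTPS without ever putting a request on the wire in clear; once the stored policy expires, the rewrite stops, which is why production deployments send the header on every HTTPS response rather than literally once.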
As we noted on the labs blog before Christmas, we’ll be moving to recommend disabling both RC4-based cipher suites and ephemeral ciphers in April, so we thought we’d take this opportunity to talk you through our internal risk management process.
Although in an ideal world we would like to follow our own recommendation, it isn’t always that simple. Whilst internally such a move would prove popular, we will of course need to continue allowing clients who may have older browsers to connect and view our content. To aid our decision-making process, we have therefore begun logging the cipher suites with which people access our sites, giving us better visibility of how switching off legacy support would affect you.
To be clear, whilst we believe our current and future good practice guidance on SSL is a standard to which all of us should aspire, we are conscious that business requirements will often weigh against it, and that a mature risk management process is about finding the right balance for a given situation.
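The post does not say how the cipher-suite logging is analysed, so the following is an added example of the kind of summary that informs such a decision; it is not Portcullis' tooling. It assumes a custom access-log format that appends the negotiated protocol and cipher to each line (nginx's `$ssl_protocol $ssl_cipher` or Apache mod_ssl's `%{SSL_PROTOCOL}x %{SSL_CIPHER}x`), and the sample lines, addresses and user agents are constructed. The point it makes beyond the paragraph: what matters is not how many requests used RC4, but how many distinct clients were never seen with anything else, because those are the ones a change would lock out.

```python
"""Summarise negotiated TLS cipher suites from web-server access logs.

Added example, not Portcullis' own tooling.  Assumes a custom log format that
appends "<protocol> <cipher>" to each combined-format line (nginx
"$ssl_protocol $ssl_cipher", Apache "%{SSL_PROTOCOL}x %{SSL_CIPHER}x").
The sample log below is constructed.
"""
import re
from collections import Counter, defaultdict

# combined log format followed by two extra fields: protocol and cipher
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*" '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [05/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [05/Jan/2015:10:00:05 +0000] "GET /blog/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0" TLSv1 RC4-SHA
198.51.100.7 - - [05/Jan/2015:10:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0" TLSv1 ECDHE-RSA-RC4-SHA
203.0.113.10 - - [05/Jan/2015:10:02:44 +0000] "GET /labs/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.99 - - [05/Jan/2015:10:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TLSv1.1 AES256-SHA
this line is malformed and is skipped
"""


def parse_log(text):
    """Yield (client_ip, protocol, cipher) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group("ip"), m.group("proto"), m.group("cipher")


def impact_of_disabling(records, predicate):
    """Return (affected clients, total clients) for dropping suites matching predicate.

    A client is affected only if every cipher it was ever observed with
    matches the predicate; a client seen with both RC4 and a modern suite
    would simply negotiate the modern one once RC4 is gone.
    """
    per_client = defaultdict(set)
    for ip, _proto, cipher in records:
        per_client[ip].add(cipher)
    affected = {ip for ip, ciphers in per_client.items()
                if all(predicate(c) for c in ciphers)}
    return affected, len(per_client)


def is_rc4(cipher):
    """OpenSSL-style suite names carry the bulk cipher in the name."""
    return "RC4" in cipher.upper()


def summarise(text):
    records = list(parse_log(text))
    affected, total = impact_of_disabling(records, is_rc4)
    return {
        "total_clients": total,
        "rc4_only_clients": sorted(affected),
        "cipher_counts": Counter(cipher for _, _, cipher in records),
        "protocol_counts": Counter(proto for _, proto, _ in records),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{len(report['rc4_only_clients'])} of {report['total_clients']} "
          f"clients would lose access if RC4 suites were disabled:")
    for ip in report["rc4_only_clients"]:
        print("  ", ip)
    for cipher, n in report["cipher_counts"].most_common():
        print(f"{n:5d}  {cipher}")
```

The predicate is deliberately pluggable: the same `impact_of_disabling` call can be run with a different test (for example, on the protocol field rather than the cipher name) to evaluate each proposed change in turn before it is applied.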
Come and join Portcullis’ own LinkedIn group, The Portcullis Arms.