FutureQuest, Inc.
Old 12-16-2020, 08:30 AM   Postid: 188294
mromero
HTTP Strict Transport Security (HSTS)

All my sites on Futurequest Fail for the HTTP Strict Transport Security (HSTS) test at https://hstspreload.org/

When I try adding this to my .htaccess file:

<IfModule mod_headers.c>
Header set Strict-Transport-Security “max-age=10886400; includeSubDomains; preload”
</IfModule>

The site crashes with a 500 Internal Server Error

What is the solution?
Old 12-18-2020, 05:36 PM   Postid: 188307
 Kevin
Systems Administrator
Re: HTTP Strict Transport Security (HSTS)

Your quotes are not quotes. You probably copy-pasted that code from somewhere that used UTF-8 special characters to make them look fancy, but they aren't quotes.
Old 12-20-2020, 07:55 AM   Postid: 188310
mromero
Re: HTTP Strict Transport Security (HSTS)

I tried again by loading the code at the top of the .htaccess file. The site does not crash anymore.

But it still fails the HTTP Strict Transport Security (HSTS) test.

In addition, it says: "Warning: Obsolete Cipher Suite. The site is using obsolete TLS settings. Check out the site at https://www.ssllabs.com/ssltest/"

Doing this second test, it gives me a grade B.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
This server supports TLS 1.0 and TLS 1.1. Grade capped to B.

I tested Futurequest.net, and it too fails the HTTP Strict Transport Security (HSTS) test at https://hstspreload.org/

Check it out here https://hstspreload.org/?domain=futurequest.net

Quote:
Originally Posted by Kevin
Your quotes are not quotes. You probably copy-pasted that code from somewhere that used UTF-8 special characters to make them look fancy, but they aren't quotes.

Last edited by mromero : 12-20-2020 at 08:24 AM.
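As an added example (not from the thread and not FutureQuest's code), a small Python check that covers both problems discussed above: it flags the typographic quotes Kevin points out, rewrites them to ASCII, and then checks the header value against the header requirements published at hstspreload.org, where the max-age must be at least one year (31536000 seconds); the posted value of 10886400 seconds is 126 days, so the header would still not qualify with the quotes fixed. The sample directive is constructed from the first post; the preload test's live checks (HTTP-to-HTTPS redirect, header served on the base domain) are outside what an offline check can do.

```python
import re
# hstspreload.org requires a max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000
# Typographic quotes a copy-paste can substitute for ASCII quotes; Apache does
# not treat them as delimiters, so the whole .htaccess fails with a 500 error.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
HEADER_RE = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+'
                       r'Strict-Transport-Security\s+"([^"]*)"\s*$', re.I)

def normalize_quotes(line):
    """Replace typographic quotes with their ASCII equivalents."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in line)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip()
    return directives

def preload_problems(value):
    """Reasons the header value alone would not meet the preload requirements."""
    d, problems = parse_hsts(value), []
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else None
    if max_age is None:
        problems.append("max-age missing or not a non-negative integer")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

def check_directive(line):
    """Check one .htaccess Header line; returns (corrected_line, findings)."""
    findings = []
    if any(ch in SMART_QUOTES for ch in line):
        findings.append("typographic quotes would cause a 500 error")
        line = normalize_quotes(line)
    m = HEADER_RE.match(line)
    if not m:
        return line, findings + ["not a recognised HSTS Header directive"]
    return line, findings + preload_problems(m.group(1))

# Constructed sample: the directive from the first post, curly quotes included.
POSTED = 'Header set Strict-Transport-Security \u201cmax-age=10886400; includeSubDomains; preload\u201d'
```

Running `check_directive(POSTED)` returns the ASCII-quoted directive together with the two findings (bad quotes, max-age too short); `preload_problems` can also be pointed at a value captured from a live response header.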
Old 02-12-2021, 06:01 PM   Postid: 188361
Grant
Site Owner
Re: HTTP Strict Transport Security (HSTS)

I had the same basic question, HSTS looks like a good way to go.
Old 10-18-2022, 10:13 AM   Postid: 188861
MarkW
Site Owner
Re: HTTP Strict Transport Security (HSTS)

I'm also having issues related to security risks associated with obsolete/deprecated/weak TLS 1.0/1.1 and ciphers.

My client's IT security department is asking them to stop using the web application hosted here at FQ because of the potential risks/vulnerabilities - they also use ssllabs as one of their pentest tools.

With regard to TLS 1.0 and 1.1, FQ says: "This is something we could actually fix with a settings change. However, doing so would lock out users of older versions of Windows and iPhones. We have chosen to not make that change yet (it would apply to all sites, so we can't make it an option in the CNC)."
I don't know which particular versions of Windows or iPhones (assume iOS versions) would be affected.

And with regard to Diffie-Hellman and Forward Secrecy, FQ says it intends to upgrade these but there is no target date.

I've relayed the above to my client and their IT security people. I'm not anticipating a positive (or even neutral) response.

Is anyone else in the same position with their clients and have some mitigation action/plan in place?

Mark
Old 10-24-2022, 11:15 AM   Postid: 188864
KKC1
Site Owner
Re: HTTP Strict Transport Security (HSTS)

We had to change the PCI Compliance settings to Secure the last time we renewed our software liability insurance and they weren't happy about that and warned next time they probably wouldn't renew the insurance unless FQ implements some changes.
Old 10-26-2022, 12:31 PM   Postid: 188865
MarkW
Site Owner
Re: HTTP Strict Transport Security (HSTS)

@KKC1 - Wow, that must have been an unwelcome headache and a future worry.

My client's security peeps have responded saying (politely, but firmly) that the web-app server is vulnerable to BEAST, POODLE, etc. and pointing me to their 'recommended' standards.

I have had to remove all my client's branding from their web-app!

As far as I can tell from my Google searches, TLS 1.2 seems to have been supported by browsers for at least 7 years - TLS Protocol Compatibility - so I don't know which browsers (of any consequence) would be locked out.

I feel the writing is already on the wall for keeping the web-app here. And I don't want to expose either my client or myself to the consequences of a successful attack.