
A Pound of Security

Posted by Bjarni on November 23, 2013

The last couple of days we have been working a bit on improving how we communicate with our community. There are many facets to this, but central to all of it is our website - which until yesterday was only available as an unencrypted plain-text HTTP site, which is not the example we should set as a security-minded software project.

Upgrading to basic SSL was relatively straightforward:

  1. Get a free SSL certificate from StartSSL.
  2. Install the Pound load balancer.
  3. Move our lighttpd server off port 80 and configure Pound to handle both ports 443 and 80, redirecting all insecure HTTP requests to HTTPS.

That was easy enough and that is where many webmasters would call it a day.

But not us... I solicited feedback from Twitter, asking how to improve the security. Sure enough, people pointed out that the default ciphers used by Pound aren't really up to modern security standards. I had been hoping someone would also send me a link to a simple how-to on how to harden the Pound SSL configuration, but no such luck; I had to figure it out myself. Oh well!

After doing a bit of research, I discovered that fixing the Pound SSL cipher list requires patching the daemon and rebuilding. Once I had patched, recompiled and installed the new Pound, I was able to configure it with the following sections and restart:

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/mailpile_is.pem"

    # SSL cipher settings from here:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

    # Note: Line split for readability, remove linebreaks before use!
    Ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:
             ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:
             RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
    SSLHonorCipherOrder 1
    Disable SSLv3
    Disable SSLv2

    Service
            BackEnd
                    Address 127.0.0.1
                    Port    12345
            End
    End
End
ListenHTTP
    Address 0.0.0.0
    Port    80
    Service
        Redirect "https://www.mailpile.is"
    End
End

This sufficed to get us an "A" rating on SSLLabs.com. Mission accomplished!

But wait, there's more!

Since I prefer to use the Debian package manager to keep track of all installed software, I wrote a script that builds a Debian package with those patches. It looks a bit like this:

#!/bin/bash
set -e

# Download Pound and signature
curl http://www.apsis.ch/pound/Pound-2.7.tgz >pound_2.7.orig.tar.gz
curl http://www.apsis.ch/pound/Pound-2.7.asc >pound_2.7.orig.tar.gz.asc

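# Verify the detached signature against the downloaded tarball
# (naming both files stops gpg from guessing which data was signed)
gpg --verify pound_2.7.orig.tar.gz.asc pound_2.7.orig.tar.gz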

# Unpack
rm -rf Pound-2.7
tar xvfz pound_2.7.orig.tar.gz
cp -a pound-2.7-debian Pound-2.7/debian

# Build it!
cd Pound-2.7
debuild -us -uc
cd ..

# Cleanup
rm -rf Pound-2.7

The magic is actually in the pound-2.7-debian folder, the contents of which you can download from here.
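
The `gpg --verify` step in the build script succeeds for a good signature from any key in the local keyring. As an added example (not part of the original script), the check below also requires that the signer is one pinned key; `PINNED_FPR` is a placeholder, and the function names and sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: pin the signer of the Pound tarball signature.
# PINNED_FPR is a placeholder. Replace it with the release key's primary
# fingerprint, checked out of band.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` output on stdin. Succeed only if it reports exactly
# one signature, that signature is GOODSIG (not EXPKEYSIG, REVKEYSIG or
# BADSIG), and its primary-key fingerprint equals the pin given as $1.
status_ok() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key
        $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3); n++ }
        END { exit !(good && n == 1 && toupper(fpr) == toupper(pin)) }'
}

# Replacement for the script's bare `gpg --verify` step.
# usage: verify_pinned SIGFILE DATAFILE
verify_pinned() {
    # The status lines decide the outcome, so gpg's stderr chatter is dropped.
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_ok "$PINNED_FPR"
}

# Constructed sample status output (not from a real key) for a dry run.
SAMPLE_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_SUB="9999888877776666555544443333222211110000"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_SUB 2015-02-20 1424390400 0 4 0 1 8 00 $SAMPLE_FPR"

if printf '%s\n' "$SAMPLE_STATUS" | status_ok "$SAMPLE_FPR"; then
    echo "sample: signature by pinned key accepted"
fi
```

In the build script, call `verify_pinned pound_2.7.orig.tar.gz.asc pound_2.7.orig.tar.gz` in place of the `gpg --verify` line; with `set -e` a mismatch aborts the build before anything is unpacked.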

Hopefully these tips will help others secure their own websites. Thanks for reading!

Updated 2015-02-20: Moved to Pound 2.7, disabled SSLv3.


