
More secure SSL Certificate on Heroku Common Runtime #314

Open
ombr opened this issue Sep 26, 2024 · 4 comments

ombr commented Sep 26, 2024

We recently conducted an SSL test for our application running on the Heroku common runtime, where Heroku manages the certificates. The test results showed that our certificates are currently rated as B. You can view the full report here: https://www.ssllabs.com/ssltest/analyze.html?d=app.sharinpix.com

Given the importance of security, we believe Heroku should aim to be "secure by default," even on the common runtime. We would greatly appreciate any improvements you can make in this area.

Thank you.

capeterson (Collaborator) commented
@ombr Looking into this while @elimchaysengSF is out of office. It looks like the issue is specific to IE11 on pre-Windows 10 platforms; we have forward-secrecy compatible ciphers for all their other reference browsers listed.

Given that Windows 7/8 are EOL for most users I'm curious how much of an impact this is actually having on you - is the issue just that your customers don't like seeing the B grade on SSL labs, or do your analytics show that you still have a material cohort of IE11 Win7/8 users using your app?

ombr commented Oct 2, 2024

Hi @capeterson,

The issue we have is our customers saying our application is not secure as it has a B grade on SSL Labs.

Thanks.

Luc

ombr commented Oct 3, 2024

Hi @capeterson,

This is part of the message we received from our client:

The cybersecurity team has raised the concern that "These ciphers use RSA key exchange, which lacks forward secrecy and poses potential security risks. We recommend disabling these RSA-based cipher suites."

Thanks.

Luc

capeterson (Collaborator) commented
@ombr Looking into this a bit more, I wanted to call out that the only situation where Heroku isn't using a forward-secrecy enabled key exchange is for Internet Explorer 11 on Windows 7 and Windows 8.1 (and Windows Phone, which I forgot was a thing since it's been dead so long), all of which are "end of support" from Microsoft. On supported versions of Windows (i.e. Win10) there is a supported forward secrecy cipher.

In the interim, I'd encourage you to make sure your customers know this concern only applies to using IE11 on unsupported versions of Windows, and that otherwise Heroku's certs are fully forward-secrecy compatible.

We'll take a look at whether there's a way to tweak our supported cipher suites to add a DH-enabled key exchange for these old Windows versions, but given the clients here are already unsupported and (I'm guessing) likely to be dropped by SSL Labs testing at some point soon-ish, I'm not sure how much effort it would really be wise for us to spend here if it's not "fairly easy".

@elimchaysengSF I'll leave this with you and the networking team to look into effort when you can.
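The thread turns on two points: which cipher suites use static RSA key exchange (no forward secrecy) versus (EC)DHE, and what happens to a legacy client that offers only the RSA suites once those are removed. The script below is an added example, not code from Heroku, SSL Labs or anyone in this issue. It classifies cipher suites by key exchange from their names (TLS 1.3, IANA `TLS_..._WITH_...` and OpenSSL short forms), splits a configured list into forward-secret and non-forward-secret groups, and simulates server-preference negotiation so you can see which hypothetical clients would be cut off by a hardening change. All suite lists and client offers are constructed for illustration; `local_openssl_defaults()` runs the same audit against whatever the local OpenSSL build enables by default.

```python
import re
import ssl

# Constructed sample: an ordered server preference list mixing TLS 1.3,
# ECDHE/DHE and static-RSA suites (OpenSSL short names). Not taken from any
# real scan of the host discussed in the issue.
SAMPLE_SERVER_SUITES = [
    "TLS_AES_256_GCM_SHA384",          # TLS 1.3: key exchange is always ephemeral
    "ECDHE-ECDSA-AES128-GCM-SHA256",   # ECDHE key exchange, forward secret
    "ECDHE-RSA-AES128-GCM-SHA256",     # ECDHE key exchange, RSA only for auth
    "DHE-RSA-AES256-GCM-SHA384",       # finite-field DHE, still forward secret
    "AES128-GCM-SHA256",               # no prefix: static RSA key exchange
    "AES256-SHA",                      # static RSA key exchange
    "DES-CBC3-SHA",                    # static RSA key exchange + 3DES
]

# Constructed client offers: a legacy client that only speaks static-RSA
# suites, and a modern one that prefers TLS 1.3 / ECDHE.
LEGACY_CLIENT_OFFER = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
MODERN_CLIENT_OFFER = ["TLS_AES_256_GCM_SHA384",
                       "ECDHE-RSA-AES128-GCM-SHA256",
                       "AES128-GCM-SHA256"]

# Key-exchange families that provide forward secrecy.
FORWARD_SECRET_KX = {"TLS1.3", "ECDHE", "DHE", "EDH"}


def key_exchange(name):
    """Return the key-exchange family implied by a cipher suite name.

    Handles TLS 1.3 names (TLS_AES_*, TLS_CHACHA20_*), IANA TLS 1.2 names
    (TLS_<kx>[_<auth>]_WITH_...) and OpenSSL short names (<kx>-... or, for
    static RSA, no key-exchange prefix at all).
    """
    n = name.upper()
    if re.match(r"^TLS_(AES|CHACHA20)_", n):
        return "TLS1.3"
    m = re.match(r"^TLS_([A-Z]+)(?:_[A-Z]+)?_WITH_", n)
    if m:
        return m.group(1)            # e.g. ECDHE, DHE, ECDH, RSA, PSK
    m = re.match(r"^(ECDHE|DHE|ECDH|DH|EDH)-", n)
    if m:
        return m.group(1)
    return "RSA"                     # OpenSSL omits the prefix for static RSA


def has_forward_secrecy(name):
    return key_exchange(name) in FORWARD_SECRET_KX


def audit(suites):
    """Split a suite list into forward-secret and non-forward-secret groups,
    preserving the server's preference order within each group."""
    return {
        "forward_secret": [s for s in suites if has_forward_secrecy(s)],
        "no_forward_secrecy": [s for s in suites if not has_forward_secrecy(s)],
    }


def hardened_openssl_cipher_string(suites):
    """Build an OpenSSL TLS 1.2 cipher string keeping only forward-secret
    suites. TLS 1.3 suites are configured separately in OpenSSL, so they
    are left out of this string."""
    keep = [s for s in suites
            if has_forward_secrecy(s) and key_exchange(s) != "TLS1.3"]
    return ":".join(keep)


def negotiate(server_prefs, client_offer):
    """Server-preference selection: the first suite in the server's ordered
    list that the client also offers, or None when there is no overlap
    (i.e. the handshake would fail for that client)."""
    offered = {s.upper() for s in client_offer}
    for s in server_prefs:
        if s.upper() in offered:
            return s
    return None


def local_openssl_defaults():
    """Run the same audit over the suites the local OpenSSL build enables by
    default. SSLContext.get_ciphers() reports each suite's name (and its own
    'kea' field, which can be used as a cross-check of the name-based rule)."""
    ctx = ssl.create_default_context()
    return audit([c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    result = audit(SAMPLE_SERVER_SUITES)
    print("static-RSA suites to drop:", result["no_forward_secrecy"])
    hardened = result["forward_secret"]
    print("legacy client after hardening:", negotiate(hardened, LEGACY_CLIENT_OFFER))
    print("modern client after hardening:", negotiate(hardened, MODERN_CLIENT_OFFER))
```

The negotiation simulation is what makes the trade-off in the thread concrete: with the sample list as-is, the legacy client lands on `AES256-SHA`; once the static-RSA group is removed it gets no suite at all, while the modern client is unaffected. Whether that cohort is worth keeping is exactly the question capeterson asks above, and the audit output gives you the list to take to that discussion.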
