Dropping Windows XP for Better Transport Security

09 Nov 2013 by ggreer


If you still use Windows XP, you might have some trouble visiting Floobits.com.

That’s because we’ve changed our cipher suites. As of today, we only use strong ciphers that provide perfect forward secrecy. Unfortunately, some older browsers and operating systems don’t support any ciphers that meet those criteria. That includes all versions of Internet Explorer on Windows XP.

Deciding on a list of cipher suites isn’t easy. Some suites are very secure, but only newer versions of OpenSSL and browsers support them. The tradeoff between compatibility and security is bad enough, and there are additional complications. For example, BEAST targets CBC-mode ciphers, so for older clients that can’t negotiate TLS 1.1 or later, RC4 is the only cipher that sidesteps the attack. Unfortunately, RC4 itself is very weak.

In the end, we chose security in modern browsers over compatibility with older browsers. If you’d like to configure your site similarly, here’s the relevant snippet of our Apache web server config:

# Disable SSLv2 and v3
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
# Avoid insecure ciphers and support perfect forward secrecy
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
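
To see what that cipher string actually expands to on your own OpenSSL build, here is an added example (not from this post or from Floobits) that feeds the string through Python’s ssl module and flags any resulting suite that lacks forward secrecy, uses RC4, 3DES, MD5 or NULL, or falls below 128 bits; the weaker WEAK_CIPHERS string is constructed only to show what the check catches.

```python
"""Audit an Apache SSLCipherSuite string against the locally installed OpenSSL.

Added example (not from the Floobits post). Which suites appear depends on the
OpenSSL library Python is linked against.
"""
import ssl

# Cipher string exactly as in the Apache config above.
FLOOBITS_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
)
# Constructed weaker string: two static-RSA key exchange suites prepended.
WEAK_CIPHERS = "AES128-SHA:AES256-GCM-SHA384:" + FLOOBITS_CIPHERS

# Substrings of suite names that indicate weak or broken primitives.
FORBIDDEN = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def expand(cipher_string):
    """Return OpenSSL's expansion of an Apache-style cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()        # dicts with name, protocol, strength_bits, ...


def has_forward_secrecy(name):
    """ECDHE-/DHE- suites use ephemeral keys; TLS 1.3 suites (TLS_*) always do."""
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit(cipher_string, min_bits=128):
    """Return the names of suites violating the post's criteria:
    every suite must offer forward secrecy and avoid weak primitives."""
    bad = []
    for suite in expand(cipher_string):
        name = suite["name"]
        if (not has_forward_secrecy(name)
                or any(f in name for f in FORBIDDEN)
                or suite["strength_bits"] < min_bits):
            bad.append(name)
    return bad


if __name__ == "__main__":
    for label, s in (("floobits", FLOOBITS_CIPHERS), ("weak", WEAK_CIPHERS)):
        flagged = audit(s)
        print(f"{label}: {len(expand(s))} suites, {len(flagged)} flagged {flagged}")
```

Because set_ciphers only governs TLS 1.2 and earlier, any TLS 1.3 suites your OpenSSL supports show up in the expansion as well; they always use ephemeral key exchange, so the audit treats them as forward secret.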

SSL Labs has a great tool for testing HTTPS. Compare your results to ours.

If you’d like to know more about our security practices, check out our security page.


About the Author

I’m Geoff Greer, CEO & co-founder of Floobits.

About Floobits

Floobits lets you collaborate on code like you're in the same room. Think Etherpad or Google Docs, but in Sublime Text, Vim, Emacs, or IntelliJ.

If you're interested, sign up.