DNS Certification Authority Authorization (CAA) Policy / DNSSEC for whonix.org / ssllabs.com test results



DNS Certification Authority Authorization (CAA) Policy as well as DNSSEC has been set up for whonix.org by @mig5.
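As an added example (not code from this thread or from the Whonix project), the following Python applies the CAA decision rule a CA must follow under RFC 8659 before issuing: honour unknown critical tags by refusing, prefer `issuewild` for wildcard requests, and permit only the issuer domains listed. The records are constructed placeholders, not whonix.org's actual CAA data.

```python
# Added example: evaluate a CAA record set the way a CA does (RFC 8659).
# Records below are constructed placeholders, NOT whonix.org's real CAA data.
from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags octet

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

def parse_caa(text: str) -> CAA:
    """Parse presentation format: '<flags> <tag> "<value>"'."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))

def issuer_domain(value: str) -> str:
    # value is 'issuer-domain[; param=val ...]'; an empty domain (e.g. ";") means "no CA"
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(records, ca_domain: str, wildcard: bool = False):
    """Return (allowed, reason) for the CA identified by ca_domain.
    Tree/CNAME climbing for names without CAA records is omitted here."""
    ca_domain = ca_domain.lower()
    known = {"issue", "issuewild", "iodef"}
    for r in records:
        if r.tag not in known and r.flags & CRITICAL:
            return False, f"unknown critical tag {r.tag!r}: must not issue"
    issuewild = [r for r in records if r.tag == "issuewild"]
    issue = [r for r in records if r.tag == "issue"]
    # wildcard requests use issuewild when present, otherwise fall back to issue
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no relevant CAA records: any CA may issue"
    allowed = {issuer_domain(r.value) for r in relevant}
    if ca_domain in allowed:
        return True, f"{ca_domain} is an authorized issuer"
    return False, f"only {sorted(d for d in allowed if d)} may issue"

# Constructed sample policy with placeholder CA names
SAMPLE_ZONE = [
    '0 issue "ca-example.test"',
    '0 issuewild ";"',                        # forbid all wildcard issuance
    '0 iodef "mailto:security@example.test"',  # where to report violations
]
RECORDS = [parse_caa(line) for line in SAMPLE_ZONE]

if __name__ == "__main__":
    for ca, wc in [("ca-example.test", False), ("other-ca.test", False), ("ca-example.test", True)]:
        print(ca, "wildcard" if wc else "", issuance_allowed(RECORDS, ca, wc))
```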



We also have the Expect-CT header, and more importantly, we are now running certspotter to monitor the public Certificate Transparency Logs for any unexpected issuing of whonix.org SSL certificates that were not made by us.


Our website got a B, as our SSL seems to support a lot of weak Diffie-Hellman key exchange parameters.

B for:

A+ for: 2001:41d0:2:7d51:0:0:0:0

but it has problems as well such as:

Content-Security-Policy now deployed on Whonix websites

Thanks for bringing this to my attention. Fortunately it only affected the whonix.org ‘stub’ entry point, which these days doesn’t serve anything except a redirect to www.whonix.org (where all ‘real’ traffic goes), and which was not affected (still A+).

Fixed for the whonix.org stub which was lacking a couple of ssl parameters in its vhost that the www.whonix.org vhost had.

Not concerned much about the reported weak ciphers; a browser would have to be targeted with a MITM + downgrade attack, which is probably mitigated in other ways, and not all browsers may be able to handle the stronger ciphers (but most modern browsers will favour the stronger ones anyway).