DNS Certification Authority Authorization (CAA) Policy as well as
DNSSEC has been set up for whonix.org by @mig5.
We also have the Expect-CT header, and more importantly, we are now running certspotter to monitor the public Certificate Transparency Logs for any unexpected issuing of whonix.org SSL certificates that were not made by us.
Our website got B as our SSL seems to support alot of weak Diffie-Hellman key exchange parameters
B for: 126.96.36.199
A+ for: 2001:41d0:2:7d51:0:0:0:0
but it has problems as well such as:
Thanks for bringing this to my attention. Fortunately it only affected the whonix.org ‘stub’ entry point, which these days doesn’t serve anything except a redirect to www.whonix.org (where all ‘real’ traffic goes), and which was not affected (still A+).
Not concerned much about the reported weak ciphers, browser would have to be targeted with a MITM + downgrade attack which is probably mitigated in other ways, and not all browsers may be able to handle the stronger ciphers (but most modern browsers will favour the stronger ones anyway)
TLS 1.1 and CBC cipher considered weak now better to be deprecated for security reasons:
Also now TLS 1.3 available with Lets Encrypt, is it good idea to support it ?