The Cipher Suite
Forward Secrecy ensures the integrity of a session key in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new key for each and every session.
This means that when the private key gets compromised it cannot be used to decrypt recorded SSL traffic.
The cipher suites that provide Perfect Forward Secrecy are those that use an ephemeral form of the Diffie-Hellman key exchange. Their disadvantage is their overhead, which can be improved by using the elliptic curve variants.
The following two ciphersuites are recommended by me, and the latter by the Mozilla Foundation.
The recommended cipher suite:
The recommended cipher suite for backwards compatibility (IE6/WinXP):
If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite above and let OpenSSL pick the ones it supports.
The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect forward secrecy.
Older versions of OpenSSL may not return the full list of algorithms. AES-GCM and some ECDHE are fairly recent, and not present on most versions of OpenSSL shipped with Ubuntu or RHEL.
If your site can be accessed over HTTPS, then you may need to update older versions of AdSense ad code to avoid the AdSense script being blocked as mixed content. If your AdSense ad code has a script starting with “http://”, then you should update it to “https://” instead:
The HTTPS version of the ad code is also safe for HTTP pages; you don’t need to serve two different versions.
The SSL-compatible ad code also works on HTTP sites and doesn’t change how ads are served on these sites.
WordPress creator and Automattic founder Matt Mullenweg announced today that upcoming versions of the WordPress CMS would include features that would require hosts to support HTTPS.
Without providing any details on what these features are, Mullenweg said that it was time for the WordPress team to start pushing their followers to implement HTTPS for their sites.
WordPress.com already provides free HTTPS
WordPress is currently available as an open-source CMS provided by The WordPress Foundation, but also as a hosted blogging platform provided by Automattic.
In April 2016, Automattic announced free HTTPS for the majority of WordPress.com blogs via Let’s Encrypt, a joint EFF-Mozilla project that provides free SSL certificates for any site that wishes to support HTTPS.
Starting with early 2017, The WordPress Foundation, through its wordpress.org project, will start to promote hosting platforms that provide an SSL certificate for their clients.this is because future WordPress versions would “require hosts to have HTTPS available,” and the WordPress team would like to see as many hosting providers and clients start to migrate their sites to HTTPS in the meantime.