
Weak Diffie-Hellman key exchange parameters - SSL Certs generated by letsencrypt can be more secure


#1

Webflow uses letsencrypt to generate SSL certs, and that is great; however, there is an issue with the configuration of the Webflow servers hosting the certificate/site. The device (server, load balancer, whatever it is) that terminates SSL in the Webflow environment needs to be updated to remove the older, less secure DH key.

I've sent an email to support and got a pretty weak response from support:

"I spoke with our CTO to confirm, and this shouldn't affect your site's security. If you are curious to know the technical details you can visit https://letsencrypt.org/. We go through this company for our SSL certifications and they can provide more information around this than we can."

Here is a screenshot of the "B" Grade that ALL webflow sites using SSL will get because webflow's server supports weak Diffie-Hellman key exchange parameters:

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
More information about this and the possible security problems it poses:
https://weakdh.org/

A guide for webflow to fix the issue:
https://weakdh.org/sysadmin.html

My reason for posting this is so that others who care about security can make some noise and force webflow to update their server settings so we can all be up to date and not vulnerable.
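As an added example (not part of this thread, and not Webflow's or weakdh.org's own tooling), here is a small POSIX shell check for the condition the SSL Labs message describes. It grades the finite-field DH group a server sends during a DHE handshake by reading the "Server Temp Key" line that `openssl s_client` prints, using the thresholds weakdh.org gives (1024 bits or less is weak, 2048 bits or more is fine). The `check_host` function is the only part that touches the network; the sample outputs at the bottom are constructed to look like s_client output and are not captured from any real host.

```shell
#!/bin/sh
# Added example: grade the ephemeral DH group size a TLS server offers,
# based on the "Server Temp Key" line printed by `openssl s_client`.
# Thresholds follow weakdh.org: <= 1024 bits is weak, >= 2048 bits is fine.

# dh_bits_from_output: read s_client output on stdin and print the DH group
# size in bits. Prints nothing if no finite-field DH temp key was seen
# (e.g. the server picked ECDHE, or refused every DHE suite).
dh_bits_from_output() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n 1
}

# grade_dh BITS: print "weak", "ok" or "none" for a DH group size.
grade_dh() {
    bits="$1"
    if [ -z "$bits" ]; then
        echo none
    elif [ "$bits" -le 1024 ]; then
        echo weak
    else
        echo ok
    fi
}

# grade_from_output: combine the two steps, reading s_client output on stdin.
grade_from_output() {
    grade_dh "$(dh_bits_from_output)"
}

# check_host HOST [PORT]: probe a live server. Forces TLS 1.2 and DHE-only
# suites so the server must reveal the DH group it actually uses; a server
# that offers no DHE suite at all fails the handshake and grades "none".
# Needs network access and the openssl CLI; not exercised by the offline test.
check_host() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grade_from_output
}

# Constructed sample outputs modelled on s_client's summary lines (not real captures).
# The "Server public key" line is the RSA certificate key, deliberately included
# as a distractor: only the DH temp key line decides the grade.
sample_weak_dh() {
    printf '%s\n' 'New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256' \
                  'Server public key is 2048 bit' \
                  'Server Temp Key: DH, 1024 bits'
}
sample_strong_dh() {
    printf '%s\n' 'New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384' \
                  'Server public key is 2048 bit' \
                  'Server Temp Key: DH, 2048 bits'
}
sample_ecdhe_only() {
    printf '%s\n' 'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384' \
                  'Server public key is 2048 bit' \
                  'Server Temp Key: X25519, 253 bits'
}

# Stand-alone demo: grade the three constructed samples.
sample_weak_dh   | grade_from_output   # weak
sample_strong_dh | grade_from_output   # ok
sample_ecdhe_only | grade_from_output  # none
```

Note that "none" does not by itself mean the server is safe: a modern client negotiating ECDHE never sees the DH group, which is why the probe pins TLS 1.2 and DHE suites, mirroring what an older client (or a downgraded connection) would be offered.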


#2

I got another email from webflow support, and they are planning on fixing this issue:

"Thanks for sharing the information. We've filed a ticket and will work to update our SSL servers immediately.

If you're worried about older browsers and man-in-the-middle attacks with your Webflow site, I would recommend hosting your site externally for the time being while we get this patched."

Thank you webflow! :smiley:


#3

Hey @mastermindesign, did you ever get any updates on this?

@webflow, is this still something that’s being looked into? My larger clients may not stick with Webflow if they notice this limitation…


#5

Hi @quarshcreative,

Webflow supports browser clients which only have TLS 1.0 support; however, we will not downgrade to TLS 1.0 for modern browser clients.

For modern browsers, we default to TLS 1.2 (specifically TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).

Most major websites (i.e., Google) do this as well (including health insurance companies such as Blue Shield and Humana).

When there are updates to SSL, those will be announced on our updates page: https://webflow.com/updates.

I hope this helps.