Tips to Make Your SSL Secure
Secure Sockets Layer (SSL) technology has changed in recent years, and new vulnerabilities have been discovered along the way. This tip explores the current SSL security landscape, outlines the emerging issues, and describes the steps companies can take to overcome them and implement SSL securely:
The SSL certificate
The SSL certificate is a key component of SSL security and indicates to users that the website can be trusted. It must therefore be obtained from a reliable certificate authority (CA); the larger the CA's market share the better, as that means there is less chance the certificate will be revoked. Organizations should not rely on self-signed certificates. The certificate should ideally use the SHA-2 hashing algorithm, as there are currently no known vulnerabilities in this algorithm.
Extended validation (EV) certificates provide another means of increasing trust in the security of the website. Most browsers show websites that have EV certificates in a safe green color, providing a strong visual clue to end users that the website can be considered safe to use.
Disable support for weak ciphers
Almost all web servers support strong (128-bit) or very strong (256-bit) encryption ciphers, but many also support weak encryption, which can be exploited by hackers to compromise your enterprise network security. There is no reason to support weak ciphers, and they can be disabled in a couple of minutes by configuring your server with a line like:
Make sure your server doesn’t support insecure renegotiation
The SSL and TLS Authentication Gap vulnerability allows a man-in-the-middle to use renegotiation to inject arbitrary content into an encrypted data stream. Most major vendors have issued patches for this vulnerability, so if you have not already done so, make it a priority to implement secure renegotiation or, at the very least, to disable insecure renegotiation (making any necessary changes to your site).
Ensure that all stages of authentication are performed over SSL
Protecting your users' credentials is key, and that means sending users your login form over an SSL connection as well as protecting their credentials with SSL when they are submitted to you. Failing to do this makes it possible for hackers to intercept your form and replace it with a malicious, insecure one that forwards users' credentials to their own servers.
Don’t mix SSL protected content and plaintext on your web pages
Use HTTP Strict Transport Security (HSTS) to protect your domains (including sub-domains)
When your website is protected using HSTS, after the first visit all links to the website are converted from http to https automatically, and visitors cannot access the site again unless it is verified by a valid, non-self-signed certificate. That means that hackers will be unable to divert your users to a phishing site that they control over an insecure link (using SSL stripping) or steal unsecured session cookies (using Firesheep).
Protect cookies using the HttpOnly and Secure flags
Cookies used for authentication during an SSL session can, if stolen or intercepted, be used to compromise that session's security. The HttpOnly flag makes the cookies you issue invisible to client-side scripts, so they can't be stolen via cross-site scripting exploits, while the Secure flag means the cookie can only be transmitted over an encrypted SSL connection and therefore can't be intercepted in transit.
Configuring your web server to issue cookies with both the HttpOnly and Secure attributes protects against both these types of attacks.
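The HSTS and cookie-flag recommendations above can be checked mechanically from a server's response headers. As an added example that is not part of the original article, this Python script audits Set-Cookie and Strict-Transport-Security headers against constructed sample values; the one-year minimum max-age is an assumption, not a figure from the article.

```python
def parse_cookie_attrs(set_cookie):
    """Return (cookie name, set of lowercased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def parse_hsts(value):
    """Return HSTS directives as a lowercased name -> value dict ('' for bare flags)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"')
    return directives

def audit_headers(headers, min_hsts_age=31536000):
    """Report missing cookie flags and weak/absent HSTS in a list of (name, value) headers."""
    findings = []
    hsts = None
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, attrs = parse_cookie_attrs(value)
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie!r} lacks {flag}")
        elif name.lower() == "strict-transport-security":
            hsts = parse_hsts(value)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    try:
        max_age = int(hsts.get("max-age", "0"))
    except ValueError:
        max_age = 0  # a malformed max-age is treated as no policy at all
    if max_age < min_hsts_age:  # assumed minimum: one year in seconds
        findings.append(f"HSTS max-age {max_age} below {min_hsts_age}")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = [("Set-Cookie", "sessionid=abc123; Path=/"),
                ("Strict-Transport-Security", "max-age=300")]
HARDENED_HEADERS = [("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
                    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
```

Running `audit_headers(WEAK_HEADERS)` lists the two missing cookie flags plus the short and non-inclusive HSTS policy, while the hardened set returns no findings.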
Use Extended Validation (EV) certificates
Although this is not vital for the security of your site, EV certificates give a clear visual confirmation in most browser address bars that visitors have made a secure SSL connection to a site that is genuinely yours, and have not been diverted to a phishing site. EV certificates are only issued after a certificate authority has taken rigorous steps to confirm your identity and that you own or control the domain name for which the certificate is being issued.
Ensure your certificates include subdomains
To avoid site visitors getting certificate errors make sure that both https://www.yourdomain.com and https://yourdomain.com are covered by your SSL certificate.
You can do this using a multi-domain SSL certificate, which will usually allow you to specify up to three Subject Alternative Names (SANs), such as yourdomain.com and www.yourdomain.com.
Run an online SSL Server test
You can check your overall SSL security posture, including SSL server configuration, certificate chain, and protocol and cipher suite support, and search for known weaknesses such as the renegotiation vulnerability, using the free Qualys SSL Labs SSL Server Test: https://www.ssllabs.com/ssldb/index.html