Tips to Make Your SSL Secure - Latest Jobs Ads

Thursday 18 January 2018

Tips to Make Your SSL Secure

Secure Sockets Layer (SSL) technology has changed in recent years, and new vulnerabilities have been discovered along the way. This article explores the current SSL security landscape, outlines the emerging issues, and describes the steps companies can take to address them and deploy SSL securely:

The SSL certificate


The SSL certificate is a key component of SSL security: it is what tells users that the website can be trusted. It must therefore be obtained from a reliable certificate authority (CA), and the larger the CA's market share the better, since that means there is less chance of the certificate being revoked. Organizations should not rely on self-signed certificates. The certificate should ideally be signed using the SHA-2 hashing algorithm, as there are currently no known vulnerabilities in it.

Extended Validation (EV) certificates provide another means of increasing trust in the security of the website. Most browsers display sites that have EV certificates with a green indicator in the address bar, giving end users a strong visual cue that the site can be considered safe to use.


Disable support for weak ciphers


Almost all web servers support strong (128-bit) or very strong (256-bit) encryption ciphers, but many also still support weak ciphers, which attackers can exploit to compromise your enterprise network security. There is no reason to support weak ciphers, and they can be disabled in a couple of minutes; with Apache's mod_ssl, for example, the SSLCipherSuite directive does it with a line like:

SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
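As an added example (not from the original article), the following Python script asks the local OpenSSL library which suites a cipher string such as the one above actually selects, and flags the ones that should not be offered; the sample server cipher list is constructed for illustration. The same classifier runs over any list of suite names, so it can also be applied to a scanner's output.

```python
import ssl

# Name fragments that mark suites the article says never to offer: no encryption
# (NULL), export grades (EXP), RC4, MD5 MACs and anonymous key exchange (ADH/AECDH).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "MD5", "ADH", "AECDH")
STRONG_BITS = 128   # the article's threshold for a "strong" cipher


def is_weak(name, strength_bits):
    """True if a suite is below the strength threshold or carries a weak marker."""
    return strength_bits < STRONG_BITS or any(m in name for m in WEAK_MARKERS)


def expand_cipher_spec(spec):
    """Resolve an OpenSSL/SSLCipherSuite-style string into (name, bits) pairs.

    The local OpenSSL does the resolution, so the result reflects the library the
    server would actually use; an empty list means no usable suite matched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def audit_suites(suites):
    """Names of the weak suites in a list of (name, bits) pairs."""
    return [name for name, bits in suites if is_weak(name, bits)]


def audit_cipher_spec(spec):
    """Names of the weak suites a server configured with `spec` would still offer."""
    return audit_suites(expand_cipher_spec(spec))


# Constructed sample of what an old, permissive server might advertise.
SAMPLE_SERVER_SUITES = [
    ("ECDHE-RSA-AES256-GCM-SHA384", 256),
    ("AES128-SHA", 128),
    ("DES-CBC3-SHA", 112),
    ("EXP-RC4-MD5", 40),
    ("NULL-SHA256", 0),
    ("ADH-AES128-SHA", 128),
]

if __name__ == "__main__":
    print("weak suites on the sample server:", audit_suites(SAMPLE_SERVER_SUITES))
    print("weak suites left by the article's directive:",
          audit_cipher_spec("RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"))
```

On current OpenSSL builds the article's directive can still leave 3DES (112-bit) suites enabled, which the 128-bit threshold reports; that is exactly the kind of finding the check is for.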

Make sure your server doesn't support insecure renegotiation


The SSL and TLS Authentication Gap vulnerability allows a man-in-the-middle to use renegotiation to inject arbitrary content into an encrypted data stream. Most major vendors have issued patches for it, so if you have not already done so, make it a priority to implement secure renegotiation, or at the very least disable insecure renegotiation (making any changes your site needs to keep working without it).


Ensure that all stages of authentication are performed over SSL


Protecting your users' credentials is key, and that means serving the login form itself over an SSL connection, not just protecting the credentials with SSL when the form is submitted. If the form is served over plain HTTP, an attacker on the path can intercept it and replace it with a look-alike that posts users' credentials to a server they control.


Don't mix SSL protected content and plaintext on your web pages


Mixed content can lead to your site being compromised: a single resource loaded over plain HTTP, such as a JavaScript file, can be modified by a man-in-the-middle to inject malicious code into the otherwise protected page.
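As an added example, not from the original article, this Python scanner parses a page's HTML and reports every sub-resource that would load over plain HTTP from an HTTPS page, separating active content (scripts, stylesheets, frames) from passive content (images, video); the page URL and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource. Tampering with
# "active" content (scripts, stylesheets, frames) runs attacker code in the page;
# "passive" content (images, media) can only be swapped for something misleading.
RESOURCE_ATTRS = {
    ("script", "src"): "active",
    ("link", "href"): "active",   # counted only when rel="stylesheet", see below
    ("iframe", "src"): "active",
    ("object", "data"): "active",
    ("img", "src"): "passive",
    ("video", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute URL) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # html.parser lower-cases tag and attribute names
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return            # other <link> relations are not fetched as page content
        for (t, a), severity in RESOURCE_ATTRS.items():
            if t == tag and attrs.get(a):
                # Relative and protocol-relative ("//host/x.js") references inherit
                # the page's scheme, so only an explicit http:// URL is a finding.
                url = urljoin(self.page_url, attrs[a])
                if urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))

def scan_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, served from https://www.example.com/login
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//cdn.example.net/app.js"></script>
<script src="http://tracker.example.org/t.js"></script>
</head><body>
<img src="http://images.example.com/logo.png"><img src="/static/safe.png">
</body></html>"""
```

Calling `scan_mixed_content("https://www.example.com/login", SAMPLE_PAGE)` reports the stylesheet and tracker script as active findings and the logo as passive; the protocol-relative script and the relative image resolve to HTTPS and are not flagged.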

Use HTTP Strict Transport Security (HSTS) to protect your domains (including sub-domains)

When your website is protected with HSTS, after the first visit the browser automatically upgrades every link to the site from HTTP to HTTPS, and it will not connect to the site again unless the site presents a valid, non-self-signed certificate. That means attackers cannot divert your users to a phishing site they control over an insecure link (SSL stripping) or steal unprotected session cookies (as the Firesheep tool did).


Protect cookies using the HttpOnly and Secure flags


Cookies that authenticate the user for the duration of an SSL session are a target in their own right: if one is stolen, the attacker can take over the session, however well the SSL connection itself is secured. The HttpOnly flag makes the cookies you issue invisible to client-side scripts, so they can't be stolen through a cross-site scripting exploit, while the Secure flag means the cookie is only ever transmitted over an encrypted SSL connection and therefore can't be intercepted in transit.

Configuring your web server to issue cookies with both the HttpOnly and Secure attributes protects against both of these attacks.
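To check both points at once, here is an added Python example (not from the original article) that builds a session cookie carrying both flags and audits a server's response headers for an HSTS policy that covers subdomains and for cookies missing either flag; the header sets are constructed, and the one-year minimum max-age is an assumption of the example rather than something the article specifies.

```python
from http.cookies import SimpleCookie

ONE_YEAR = 31536000   # assumed minimum HSTS max-age; the article sets no figure

def make_session_cookie(name, value):
    """Set-Cookie value for an authentication cookie carrying both flags."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True     # only ever sent over HTTPS
    jar[name]["httponly"] = True   # invisible to document.cookie, so XSS cannot read it
    return jar[name].OutputString()

def parse_hsts(value):
    """Strict-Transport-Security directives as a lower-cased dict (flags map to '')."""
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {k.lower(): v.strip().strip('"') for k, _, v in pairs}

def audit_response_headers(headers):
    """Findings as (code, detail) pairs for a list of (name, value) response headers."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append(("hsts-missing", ""))
    else:
        d = parse_hsts(hsts[0])
        max_age = int(d.get("max-age") or 0)   # max-age=0 switches HSTS off
        if max_age < ONE_YEAR:
            findings.append(("hsts-max-age-short", str(max_age)))
        if "includesubdomains" not in d:
            findings.append(("hsts-no-subdomains", ""))
    for n, v in headers:
        if n.lower() == "set-cookie":
            for cookie_name, morsel in SimpleCookie(v).items():
                if not morsel["secure"]:
                    findings.append(("cookie-no-secure", cookie_name))
                if not morsel["httponly"]:
                    findings.append(("cookie-no-httponly", cookie_name))
    return findings

# Constructed header sets: a weak configuration and a corrected one.
WEAK_HEADERS = [
    ("Strict-Transport-Security", "max-age=0"),
    ("Set-Cookie", "sid=abc123; Path=/"),
]
GOOD_HEADERS = [
    ("Strict-Transport-Security", f"max-age={ONE_YEAR}; includeSubDomains"),
    ("Set-Cookie", make_session_cookie("sid", "abc123")),
]
```

`audit_response_headers(WEAK_HEADERS)` reports the disabled HSTS policy, the missing includeSubDomains directive and the unprotected session cookie, while the corrected set yields no findings.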


Use Extended Validation (EV) certificates


Although not vital for the security of your site, EV certificates give a clear visual confirmation in most browser address bars that visitors have made a secure SSL connection to a site that is genuinely yours and have not been diverted to a phishing site. A certificate authority only issues an EV certificate after taking rigorous steps to confirm your identity and that you own or control the domain name the certificate is being issued for.

Ensure your certificates include subdomains


To avoid site visitors getting certificate errors, make sure that both https://www.yourdomain.com and https://yourdomain.com are covered by your SSL certificate.

You can do this with a multi-domain SSL certificate, which will usually allow you to specify up to three Subject Alternative Names (SANs).
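An added Python example (not part of the article) that checks whether a certificate's Subject Alternative Names cover a list of hostnames, using the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the certificates below are constructed. It also applies the wildcard rule, which is why a *.yourdomain.com certificate does not cover the bare domain.

```python
def host_matches(pattern, hostname):
    """DNS-ID match in the style of RFC 6125: exact, or a wildcard that stands for
    exactly one leftmost label. So '*.yourdomain.com' covers www.yourdomain.com but
    neither yourdomain.com (too few labels) nor a.b.yourdomain.com (too many)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def dns_names(cert):
    """DNS entries from a getpeercert()-style dict. Browsers ignore the subject
    CN when deciding whether a name is covered, so only the SAN list is consulted."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def uncovered_hosts(cert, hostnames):
    """Hostnames for which the certificate would produce a name-mismatch error."""
    names = dns_names(cert)
    return [h for h in hostnames if not any(host_matches(n, h) for n in names)]

# Hostnames the article says must both work.
REQUIRED_HOSTS = ["www.yourdomain.com", "yourdomain.com"]

# Constructed certificates in getpeercert() shape.
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.yourdomain.com"),),),
    "subjectAltName": (("DNS", "www.yourdomain.com"),),
}
CERT_BOTH_NAMES = {
    "subjectAltName": (("DNS", "www.yourdomain.com"), ("DNS", "yourdomain.com")),
}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.yourdomain.com"),)}

if __name__ == "__main__":
    for label, cert in [("www only", CERT_WWW_ONLY), ("both names", CERT_BOTH_NAMES),
                        ("wildcard", CERT_WILDCARD)]:
        print(f"{label:10}: not covered -> {uncovered_hosts(cert, REQUIRED_HOSTS)}")
```

A live certificate in the same shape comes from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`.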

Run an online SSL Server test


You can check your overall SSL security posture, including SSL server configuration, certificate chain, and protocol and cipher suite support, and search for known weaknesses such as the renegotiation vulnerability, using the free Qualys SSL Labs SSL Server Test:

https://www.ssllabs.com/ssldb/index.html
