SSL/TLS Security – A Simplified, Quick Guide

SSL/TLS Versions to Support (Server-Side)?

Much of the following may be common knowledge to most, but many in IT and beyond misuse the term ‘SSL/TLS’ so a refresher can’t hurt. Key things to remember around configuring which version of SSL/TLS Security to support on your web servers.

• SSL v2 is insecure and must not be used.
• SSL v3 is very old and obsolete. Because it lacks some key features and because virtually all clients support TLS 1.0 and better, you should not support SSL v3 unless you have a very good reason.
• TLS v1.0 is largely still secure; we do not know of major security flaws when they are used for protocols other than HTTP. When used with HTTP, it can almost be made secure with careful configuration.
• TLS v1.1 and v1.2 are without known security issues.
• TLS v1.2 should be your main protocol. This version is superior because it offers important features that are unavailable in earlier protocol versions. If your server platform (or any intermediary device) does not support TLS v1.2, make plans to upgrade at an accelerated pace. If your service providers do not support TLS v1.2, require that they upgrade.

Note: The SSL protocol should no longer be used but people will still refer to SSL and TLS simply as “SSL”.

Weak SSL Ciphers

Key things to remember around configuring which version of SSL/TLS to support on your web servers.

• Avoid so called “null” ciphers, because they do not encrypt data.
• Avoid export ciphers using secret key lengths restricted to 40 bits. This is usually indicated by the word EXP/EXPORT in the name of the cipher suite.
• Obsolete encryption algorithms with secret key lengths considered short by today’s standards, eg. DES or RC4 with 56-bit keys.

SSL/TLS Vulnerabilities

You’ll hear about BEAST, CRIME, Heartbleed, POODLE, FREAK, CVE-2014-0224, and more. I can’t keep all of these straight and it seems like a new acronym vulnerability comes out every few months. Keeping OpenSSL up to date and following the best practices for using secure protocols and ciphers takes care of most (if not all) of these.

Resources

• Test domains for SSL issues. This is the best way to find if a site is using weak/insecure protocols or ciphers.
• Mozilla’s SSL/TLS recommendations. If you follow this guide you should get a passing grade from most enterprise vulnerability management solutions.
• Generate SSL configs based on Mozilla’s recommendations.

VerSprite Security Operations

The focus of SecOps services revolves around security engineering for Cloud and On-Prem environments (which includes Managed Hosting or CoLo environments).

Our group offer a range of managed security services aimed at providing a service that addresses client challenges across vulnerability management, threat analysis, technical remediation, system auditing/ hardening, and more. VerSprite’s SecOps →