Secure socket layer (SSL) technology has changed in recent years, and new vulnerabilities have also been discovered....
This tip explores the new SSL security landscape and outlines emerging security issues. Read on to learn the latest on these SSL security issues and the seven steps infosec pros can take to overcome them and implement SSL securely.
Step 1: The SSL certificate
The SSL certificate is a key component of SSL security and indicates to users that the website can be trusted. With this in mind, it must be obtained from a reliable certificate authority (CA) -- the larger the market share the better, as that means there is less chance the certificate will be revoked. Organizations should not rely on self-signed certificates. The certificate should ideally use the SHA-2 hashing algorithm, as there are currently no known vulnerabilities in this algorithm.
Extended validation (EV) certificates provide another means of increasing trust in the security of the website. Most browsers show websites that have EV certificates in a safe green color, providing a strong visual clue to end users that the website can be considered safe to use.
Step 2: Disable outdated SSL versions
Older versions of the protocol are a contributing factor to SSL security issues. SSL 2.0 has been compromised for a number of years and should be disabled. SSL 3.0, with the discovery of the POODLE attack, is now considered broken and should not be supported. The web server should be configured to prefer TLS v1.2 in the first instance, as this provides the most security. Modern browsers all support this protocol. TLS 1.1 and 1.0 support can be enabled for users running legacy browsers.
Step 3: Disable weak ciphers
Ciphers of less than 128 bits should be disabled, as they do not provide sufficient encryption strength. This will satisfy the requirement of disabling export ciphers too. The RC4 cipher should be disabled because of vulnerabilities that make it susceptible to attack.
Ideally, the web server should be configured to prefer ECDHE ciphers with forward secrecy enabled. This option means that, even if the server's private key was compromised, attackers would not be able decrypt previously intercepted communications.
Step 4: Disable client renegotiation
Renegotiation allows the client and server to stop an SSL exchange in order to renegotiate the parameters of the connection. Client-initiated renegotiation can lead to denial-of-service attacks, a serious SSL security issue, because the process requires far more processing power on the server than it does for the client.
Step 5: Disable TLS compression
The CRIME attack can be used to decrypt parts of a secure connection by exploiting flaws in the compression process. Disable TLS compression to prevent this attack. Also be aware that HTTP compression can potentially be exploited by the TIME and BREACH attacks; however, these are extremely difficult attacks to accomplish.
Step 6: Avoid mixed content
Encryption should be enabled on all areas of a website. Any mixed content -- where part of a page is encrypted and part is not -- can lead to the compromise of the entire user session.
Step 7: Secure cookies and HTTP Strict Transport Security (HSTS)
Ensure all cookies that control user sessions are set with the secure attribute; this prevents the cookie from being forced over an insecure connection and intercepted. In a similar vein, HSTS should be enabled to prevent any unencrypted communication to the website.
Follow these steps and the SSL implementation will be considered secure. However, be aware that dealing with SSL security issues is only one part of website security -- regular vulnerability scanning and penetration testing should be conducted to ensure that vulnerabilities elsewhere in the website are not compromising security.
Find out how the DROWN attack delivers a blow to SSL security
Read about the SSL vulnerabilities enterprises must address
Learn how TLS 1.3 updates could improve SSL security