
How to address key SSL security issues and vulnerabilities

As SSL technology evolves and changes, new vulnerabilities begin to cause problems. Expert Rob Shapland explains how security professionals can overcome these SSL security issues.

Secure Sockets Layer (SSL) technology has changed in recent years, and new vulnerabilities have also been discovered....

This tip explores the new SSL security landscape and outlines emerging security issues. Read on to learn the latest on these SSL security issues and the seven steps infosec pros can take to overcome them and implement SSL securely.

Step 1: The SSL certificate

The SSL certificate is a key component of SSL security and indicates to users that the website can be trusted. With this in mind, it must be obtained from a reliable certificate authority (CA) -- the larger the market share the better, as that means there is less chance the certificate will be revoked. Organizations should not rely on self-signed certificates. The certificate should ideally use the SHA-2 hashing algorithm, as there are currently no known vulnerabilities in this algorithm.

Extended validation (EV) certificates provide another means of increasing trust in the security of the website. Most browsers show websites that have EV certificates in a safe green color, providing a strong visual clue to end users that the website can be considered safe to use.

Step 2: Disable outdated SSL versions

Older versions of the protocol are a contributing factor to SSL security issues. SSL 2.0 has been compromised for a number of years and should be disabled. SSL 3.0, with the discovery of the POODLE attack, is now considered broken and should not be supported. The web server should be configured to prefer TLS 1.2 in the first instance, as this provides the most security. Modern browsers all support this protocol. TLS 1.1 and 1.0 support can be enabled for users running legacy browsers.

Step 3: Disable weak ciphers

Ciphers of less than 128 bits should be disabled, as they do not provide sufficient encryption strength. This will satisfy the requirement of disabling export ciphers too. The RC4 cipher should be disabled because of vulnerabilities that make it susceptible to attack.

Ideally, the web server should be configured to prefer ECDHE ciphers with forward secrecy enabled. This option means that, even if the server's private key were compromised, attackers would not be able to decrypt previously intercepted communications.

Step 4: Disable client renegotiation

Renegotiation allows the client and server to stop an SSL exchange in order to renegotiate the parameters of the connection. Client-initiated renegotiation can lead to denial-of-service attacks, a serious SSL security issue, because the process requires far more processing power on the server than it does for the client.

Step 5: Disable TLS compression

The CRIME attack can be used to decrypt parts of a secure connection by exploiting flaws in the compression process. Disable TLS compression to prevent this attack. Also be aware that HTTP compression can potentially be exploited by the TIME and BREACH attacks; however, these are extremely difficult attacks to accomplish.

Step 6: Avoid mixed content

Encryption should be enabled on all areas of a website. Any mixed content -- where part of a page is encrypted and part is not -- can lead to the compromise of the entire user session.

Step 7: Secure cookies and HTTP Strict Transport Security (HSTS)

Ensure all cookies that control user sessions are set with the secure attribute; this prevents the cookie from being forced over an insecure connection and intercepted. In a similar vein, HSTS should be enabled to prevent any unencrypted communication to the website.
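The server-side settings from Steps 2 through 5, shown as an added example that is not part of the original tip. It assumes a server built on Python's standard ssl module; the function names are hypothetical, and the TLS 1.2 floor leaves out the optional TLS 1.0/1.1 legacy support mentioned in Step 2.

```python
import ssl

def hardened_server_context():
    """Build a server context applying Steps 2-5 (hypothetical helper name)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Step 2: TLS 1.2 floor, so SSL 2.0 and SSL 3.0 can never be negotiated.
    # Lower this only if legacy browsers must be supported.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Step 3: ECDHE key exchange (forward secrecy) with AEAD ciphers only;
    # RC4, export and sub-128-bit suites are excluded by construction.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server's ordering wins
    # Step 4: refuse all renegotiation (TLS 1.2 and below), which covers
    # the client-initiated case.
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    # Step 5: no TLS-level compression (CRIME).
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx

def audit_context(ctx):
    """Return findings that contradict Steps 2-5; an empty list means clean."""
    findings = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append(f"protocol floor is {ctx.minimum_version.name}")
    if not ctx.options & ssl.OP_NO_RENEGOTIATION:
        findings.append("renegotiation is not disabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["strength_bits"] < 128 or "RC4" in name:
            findings.append(f"weak cipher enabled: {name}")
        # TLS 1.3 suites always use ephemeral key exchange.
        elif cipher["protocol"] != "TLSv1.3" and not name.startswith("ECDHE-"):
            findings.append(f"cipher without ECDHE: {name}")
    return findings

if __name__ == "__main__":
    for line in audit_context(hardened_server_context()) or ["no findings"]:
        print(line)
```

The audit function reads back what the context will actually offer, so it can also be pointed at a context built elsewhere in an application before the listener starts.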

Follow these steps and the SSL implementation will be considered secure. However, be aware that dealing with SSL security issues is only one part of website security -- regular vulnerability scanning and penetration testing should be conducted to ensure that vulnerabilities elsewhere in the website are not compromising security.


This was last published in July 2016
