There are many risks with the implementation of security using SSL. Attacks can be formulated against the SSL/TLS protocol, the protocol may have been designed improperly by the server vendor, the certificate authority (CA) could be attacked or you may implement SSL improperly on your server.
SSL Pulse surveys about 200,000 sites each month, grades them and ranks them by status. Nearly a quarter of the protected sites receive an F. These sites support SSL 2.0 and 3.0, have insecure cipher suites, have small keys and support RC4. The issues with the poorly graded sites are not system defects; they are the result of improper configuration and deployment.
The Entrust SSL Best Practices approach will detail all of the areas to consider when deploying SSL. We will provide tips and hints, expert deployment knowledge, thought leadership, encourage Always-On SSL and recommend acquiring certificates from a reliable CA.
For SSL best practices you need to consider:
- Private Key and Certificate – private key protection, key size and signing algorithm.
- Server Protection and Performance – valid certificate chains, secure protocols, secure cipher suites, renegotiation and compression.
- Application Protection – mixed content, secure cookies, caching, malware, and third party trust.
- Enhanced Server Security – perfect forward secrecy, OCSP stapling and HTTP strict transport security (HSTS).
- Domain Protection – certification authority authorization (CAA), certificate transparency, public key pinning, and certificate reputation.
- Advanced Certificates – extended validation (EV), multi-SAN, and private trust.
- Always-On SSL – protects against attacks such as SSLstrip and Firesheep, provides security and privacy.
When deploying SSL it is great to have a CA who works with you as a partner. Consider a reliable CA which provides certificate management, certificate discovery and responsive CRL and OCSP responses. A reliable CA will also provide a wide variety of certificate types and flexible licensing models. There should also be great support including server installation, server certificate scanning and website scanning.
As we move forward, Entrust Datacard will provide guidance and solutions to use SSL best practices and deploy SSL with confidence.