Updated SSL/TLS Deployment Best Practices
First, I would like to than Ivan Ristic for his development of the SSL/TLS deployment Best Practices document. This is a simple overview of what a Web server administrator should consider in an SSL deployment. I am also looking forward to Ristic’s book, “Bulletproof SSL/TLS and PKI,” which hopefully will be released sometime soon.
- RC4 is Broken – Due to the attack on RC4, it is recommended that cipher suites using RC4 be phased out.
- TIME and BREACH – Provides warnings of the TIME and BREACH attacks and points to how to defend against BREACH.
- Surveillance Programs – Due to the worldwide Internet surveillance programs, it is recommended that Perfect Forward Secrecy be used.
Secondly, the Certificate Authority Security Council (CASC) provides recommendations to help mitigate against attacks such as the surveillance programs. Entrust works with the CASC to provide education, research and advocacy to support the subscribers of our publicly trusted SSL certificates. Here are some suggestions with more details provided by the blog at the CASC:
- Encrypt your Communications – All of your communications. The more encryption, the harder it is to be defeated. Think Always ON SSL and use certificates issued by a publicly trusted CAs.
- Patch and Upgrade your Systems – Vendors are always upgrading their systems to mitigate known issues. Don’t get defeated by an issue that you could have patched.
- Deploy Stronger Crypto – Move your certificate keys to 2048-bit RSA. Change your signing algorithm to SHA2. Make sure your Web server supports TLS 1.1 and 1.2. Consider deploying Perfect Forward Secrecy by supporting cipher suite with Diffie-Hellman ephemeral (DHE).
- Scan and Fix Other Vulnerabilities – Check and correct the OWASP Top 10 vulnerabilities such as injection flaws, cross-site scripting and poor authentication management.
- Consider End-to-End Encryption – What happens when your data is released from your secure server? How is it protected? Make sure your data is protected end-to-end through a secure infrastructure and databases.