Always-On SSL

Bruce Morton

Always-On SSL is an approach to securing your website to mitigate attacks against your users. When I think of Always-On SSL, I think of three concepts: SSL across your entire site, SSL deployed to the best practices, and SSL with leading technology.

SSL across Your Entire Site

The approach to Always-On SSL is to avoid hijacking of the sessions with your users. Hijacking was always a threat that it can be performed with a tool called SSLstrip; however, change was not really deployed until Firesheep was issued to show how easy it is to highjack a Facebook session. To date, Firesheep has been downloaded more than 2.8 million times.

The goal is to ensure your users start their sessions with SSL and never turn it off. This mitigates the hijacking attacks of the common tools.

SSL Deployed to Best Practices

In many cases, people are worried about SSL attacks based on errors of the protocol or errors by the Certification Authorities (CAs) that issue the certificates. Nevertheless, there are millions of websites managed by millions of administrators. The administrators use different versions of servers and software to manage their SSL certificate environment. The administrators are also trained at many different levels. Unfortunately, this means that SSL gets deployed on servers/software that may not be up-to-date by administrators who are not SSL experts.

The result is that, in many cases, SSL is not deployed to the best practices and many issues can result, such as:

  • Inconsistent DNS configuration
  • Self-signed certificates
  • Poorly configured SSL servers
  • Incomplete certificates
  • Mixing SSL and plain-text on site
  • Inconsistent SSL use
  • Not using secure cookies
  • Mixed page content

Consider reviewing the SSL Labs Deployment Best Practices to update your site.

SSL with Leading Technology

If you have SSL on your entire site and it is secure by mitigating the poor practices, then perhaps you can upgrade your security by using the latest techniques such as:

  • EV SSL Certificates – Give the user visual feedback that they are at the right place by providing trust indicators in the browser chrome and the name of the website owner.
  • HTTP Strict Transport Security (HSTS) – Allows the website owner to advise end-users that the website is only available in HTTPS mode. Browsers that support HSTS will provide an error when the site is accessed in HTTP-only mode.
  • OCSP Stapling – Will provide the certificate status through the SSL handshake which will provide the website with higher performance and less latency.
  • Perfect Forward Secrecy – Will mitigate pervasive surveillance. Perfect Forward Secrecy can be deployed by ensuring your server supports and prefers cipher suites with Diffie-Hellman ephemeral (DHE) or Elliptic Curve Diffie-Hellman ephemeral (ECDHE).
  • SHA-2 Hashing Algorithm – With the deprecation of SHA-1, website owners should consider asking their CA to sign their certificates using the SHA-2 hashing algorithm.
  • TLS 1.2 – Uses the latest ciphers and will mitigate cipher block chaining (CBC) and RC4 attacks.

When deploying your site, please consider Always-On SSL and look to use the best practices.

Updated February 10, 2014 – Added suggestion to use TLS 1.2.
Updated February 24, 2014 – Added suggestion to use OCSP Stapling.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Add to the Conversation