SSL Best Practices: a Quick and Dirty Guide

SSL / TLS Best Practices
SSL / TLS Best Practices

TLS/SSL is super simple to install and deploy on your server, but it’s still nice to see a list of SSL best practices, which is why we’ve put together this page. If you do not set it up correctly, you’re not going to protect your data and may run into problems. This is another reason it’s always a good idea to increase your knowledge whenever possible.

TLS/SSL Best Practices 2015

Below, we have a basic overview of five main areas you want to concentrate on when deploying TLS/SSL for security.

Private Key and Certificate

First, we’re going to take a look at the SSL certificate and the private key you generate.

  • Use 2048-bit Private Keys – The bigger the private key the harder it is to crack, but the more computing resources it’s going to take. For now, at least a 2048-bit private key is recommended for optimum security.
  • Protect Private Keys – Make sure you create your own private keys on a secure and trusted computer. Only give access to private keys as needed. When an employee with private key access leaves your company, generate a new private key.
  • Choose a Reliable Certification Authority (CA) ~ If you choose a reliable Certificate Authority – like SSL.com – you can rest assured that your private key and SSL certificate are going to work to protect data being transferred to and from your server.

System Configuration

Next up is a list of some of the best practices for configuring your system to use the SSL certificate. The Forward Secrecy protocol may require some extra work, but we’ll have more on that below.

  • Valid Certificate Chains – In cases where you have two or more certificates, you should ensure that the entire certificate chain is set up properly. Even if everything is installed correctly, you may have one SSL certificate that expires before others, which could corrupt the entire chain.
  • Use Secure Protocols – Ensure that you are using TLS v1.1 and v1.2. As you know, SSL 3.0 support is quickly disappearing from the web ever since Google announced problems with a POODLE attack.
  • Secure Cipher Suites -Choose your cipher suites carefully. Some are more secure than others. You should choose only the ones that offer 128 bits protection – stronger when possible. While 3DES may be close enough at 112 bits, it’s slow and shouldn’t be used.
  • Forward Secrecy Protocol -This can allow you to enable secure connections not dependent on a private key. You will need to support and prefer ECDHE cipher suites for this to work correctly, but it’s worth the effort.
  • Client-Initiated Renegotiation – While the server may need to renegotiate a connection, a client will NOT need this access, so make sure it is disabled. If you don’t, it can make your server more susceptible to DDoS attacks.
  • Disable SSL v3 – Thanks to the POODLE vulnerability, you should disable SSL v3 and stop using it immediately. Chrome and other web browsers have already removed support for SSL v3 because of security concerns. Make sure and disable SSL 3.0 sessions entirely if you are using an older browser. Chrome and other web browsers have already removed support for SSL v3 in their newest versions because of security concerns, so updating your browser is also an excellent idea to help deal with these issues from the client side.
  • New Vulnerability Alerts – Most importantly, you should always be on the lookout for the next attack. This means reading and staying in touch with what’s on the horizon when it comes to information security as well as keeping on top of software updates – especially the critical ones. The best place to do this? Here at Info.SSL.com, of course. We’ll keep you up to date on everything you need to know about SSL and information security.

Remember Performance

As mentioned above, the encryption used by your private key will determine how quickly it can be verified. With this in mind, you want to ensure that your server runs fast while still offering the best protection possible. Here are some tips.

  • Too Much Security? – Is there such a thing as too much security? Yes and no. On the one hand, you want a speedy website. On the other hand, you want to protect your data. We’ll have another article in the near future about ways you can optimize your setup.
  • Session Resumption – If this is not working correctly, it can really slow everything down. Test to ensure that session resumption is activated and working the way it should work.
  • Persistent Connections – Not using Keep-Alive in Apache or other web server software you’re using? You need to be as soon as you can.

Application Design is Important

The server is important for security, of course, but another area to look at is the software you run on it. This includes custom applications you build.

  • Encrypt Website Completely – JavaScript files, images, and CSS files should all be called using TLS/SSL. If you secure your other content but don’t worry about the other files, you’re going to potentially run into problems. Every single file on your server should be encrypted when being transferred for maximum security.
  • Evaluate Third-Party Trust – While installing a bit of javascript from Google on your website might be safe, what about all the other files you’re including that are out of your control? Even if the software owner isn’t malicious, if they’re hacked, the attacker could gain access to every site with his code, including yours if you use it.
  • Lock down Cookies – Even if the rest of your site is encrypted, if you’re not encrypting your cookies, you need to start. Not doing so could be used against you. The method to do this will vary depending on a number of factors, but it’s really easy to do and worth the time required to get it done correctly. Need a cheat sheet? This page has a lot of valuable information.

Validation Via Tools

Think you have everything set up correctly? Wouldn’t it be better if you knew for certain you’d done it right and your system is secure? Be sure to use automated tools to test the TLS/SSL configuration on your servers. Our free SSL Manager v1.3 has useful info and diagnostic tools to help you assess and manage your certificates.

  • Find the Best Tools – Depending on your server and other factors, the exact software you use to test your TLS/SSL configuration is going to vary, but you should spend some time to find out what is going to work best for you personally and become familiar with the tools.
  • Set Up a Schedule – Are you going to be adding new software to the server? Or is a scheduled update coming up in the near future? If so, you’re going to want to run your diagnostic tools again to make sure nothing broke.

The Future of TLS/SSL

The two topics below are still being debated, but we think there’s a lot to be said for including them on this page of best practices.

ECDSA private keys

While most websites use 2048-bit RSA encryption, as the strength of the encryption increases, some are concerned that performance may take a huge hit. Elliptic Curve cryptography has smaller keys while offering high levels of security. This is one reason that ECDSA private keys may become more common in the future.

Public Key Pinning

Public key pinning simply refers to restricting which CA’s can issue SSL certificates for your server. Additionally, Google and others have used it in their browsers for a while now, but it’s likely to become more common in the future. One of the reasons is because it’s been so effective at helping Google warn Chrome users of compromised sites.

Extended Validation certificates

This is already available. You can purchase Extended Validation EV SSL certificates from SSL.com online quickly, safely, and easily. More trust is established because Certificate Authorities will perform offline checks of information. This type of SSL certificate can cost a little more, but in most cases, it’s going to be worth the money if you want to establish trust with your website visitors.

Want to Know More?

This is a quick and dirty starter guide for TLS/SSL best practices. If you would like to know more about any of the topics mentioned – or something else entirely – be sure to contact us or leave a comment below. We love to hear from our readers, especially when they clue us in on information security topics they want to hear more about. Thanks!