Get an A in SSL class! (How to score A+ in your ssllabs test)
Using SSL on your website is pretty much mandatory nowadays. Without SSL guarding your connection, almost all data sent or received from a website can be read by 3rd parties.
With that in mind, the Netguru dev ops team has put together some tips for improving your SSL setup.
Make sure your certificate is using the SHA-2 algorithm
Around 90% of websites are using the SHA-1 algorithm to validate certificates. Sadly, it’s quite weak and prone to different attacks. You can use this small website to check if your certificate is using the stronger SHA-2 version.
If it’s not, you should regenerate your certificate (issue a new certificate signing request to your SSL provider). For those who don’t know, the easiest way to go about this is to use: www.digicert.com/easy-csr/openssl. Generate the correct command and add the -sha256 flag to it.
For a more detailed explanation on why we should move away from SHA-1, see this article.
Servertastic also provides a good tutorial on how to renew your certificate.
Update your intermediate certificates to use the SHA-2 algorithm too
The intermediate certificates for your website should also be using the SHA-2 algorithm, along with your main certificate. Every certification provider should make it easy to download new intermediate certificates. These links will get you new certs for the most popular providers:
Drop support for SSLv3
Your certificate should be served using the latest protocols. Use TLS 1.0+ (1.2 is the best). Otherwise, you are exposing your users to the POODLE attack. This article describes the issue in detail.
If you are using nginx to serve your website, adding the following options to your server definition found here:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
will get you going. Note that if you are using the OpenSSL library, it has to be updated to a version over 1.0 to support TLS 1.2.
Configure forward secrecy
Forward secrecy means your users will be able to generate per-session keys for their encrypted communication. This article from Qualys explains this in plain language.
Again in this case, a simple configuration change with nginx will get you going:
More configuration options
Lastly, there are a few more configuration options that might improve your SSL support. These include things like headers for nginx proxies and session caches to improve performance:
With the above steps completed, you should be able to score an A+ with the SSL Labs tests - just like we did! :)
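The steps above can be checked against an nginx config before it is deployed. The following is an added example, not code from the original post or Netguru's configuration: the two sample configs are constructed, the forward-secrecy test is a heuristic, and `ssl_ciphers`, `ssl_prefer_server_ciphers` and `ssl_session_cache` are standard nginx directives assumed here because the post's own snippets for those steps are not shown.

```python
import re

FS_TOKENS = ("ECDHE", "EECDH", "DHE", "EDH")  # OpenSSL names for ephemeral (EC)DH

def parse_ssl_directives(conf):
    """Map each ssl_* directive to its argument list (last occurrence wins)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    pairs = re.findall(r"\b(ssl_\w+)\s+([^;]+);", conf)
    return {name: args.replace('"', "").replace("'", "").split() for name, args in pairs}

def audit(conf):
    """Return a list of findings for the settings this post covers."""
    d, findings = parse_ssl_directives(conf), []
    protocols = d.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set: default depends on the nginx version")
    else:
        findings += [f"{p} enabled" for p in ("SSLv2", "SSLv3") if p in protocols]
        if "TLSv1.2" not in protocols:
            findings.append("TLSv1.2 not enabled")
    # Heuristic (assumption): the first non-excluded cipher entry should use
    # ephemeral key exchange, since that is the suite the server prefers.
    entries = "".join(d.get("ssl_ciphers", [])).split(":")
    active = [e for e in entries if e and e[0] not in "!-"]
    if not active or not any(t in active[0] for t in FS_TOKENS):
        findings.append("forward-secrecy (ECDHE/DHE) suites are not first in ssl_ciphers")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on: the client picks the suite")
    if "ssl_session_cache" not in d:
        findings.append("ssl_session_cache not set (performance)")
    return findings

# Constructed sample configs (not from the original post).
WEAK = """
server {
    ssl_protocols SSLv3 TLSv1;  # SSLv3 still offered
    ssl_ciphers RC4-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256;
}
"""
HARDENED = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
    ssl_session_cache shared:SSL:10m;
}
"""
if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf) or "no findings")
```

A config that passes this check still needs the SSL Labs scan, since the certificate chain and the linked OpenSSL version are not visible in the config file.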
PS. Compiled nginx configuration for your site can be found here:
EDIT: Here's one more good info page (recommended by our friends at arkency) that includes configurations for Apache and lighttpd too: https://cipherli.st.
Make sure to check the Simplest Security Best Practices (for servers hosting Ruby on Rails apps) as well!