Three Tips to Take SSL/TLS Security To The Next Level | Webinar

Hi everyone, and thank you for joining us for this webinar. Today, I will talk to you about ways you can improve the TLS security of your website.

In the spirit of Security Serious week, my goal is to provide you with some best practice tips which are easy to implement, and I hope you will find them useful. We will also give you the opportunity to ask questions at the end of the presentation. So here's what you will learn today: the difference between SSL and TLS; to show who you are; to look after your server; and to enable always-on SSL. So let's get started.

What is actually the difference between SSL and TLS? Well, initially, it's not much, because in general we refer to the same encrypted and authenticated connections, but SSL is the old version of the protocol which has been superseded by TLS, Transport Layer Security. Secure Sockets Layer has a number of vulnerabilities. It's the less secure version of the protocol, but we will cover that later in this webinar. There are two key use cases for TLS. First, to encrypt and secure; nine out of 10 users are more likely to trust a website if it displays security indicators. And second, to prove your identity.

A certificate does not only encrypt the connection, but it also authenticates the connection. It shows who's behind that connection, and that can be done at several levels, from simple and quick domain control validation, which will show that you have control over that domain, www.domain.com, but doesn't really show that you're authorized to have control over that domain or who is actually behind that domain. It could be an attacker who has registered a domain that actually looks very much like your domain, but it isn't your domain.

If there's no clear display of who you are, your visitors could easily become victims of a crime which is easy to prevent by showing who you are, which leads us to tip one: show who you are. You can prove your identity by using an extended validation certificate. EV security is extremely visible, making it easy for users to identify who's behind the website. The padlock, for example, is a traditional security indicator, but it's even better to verify the presence of https at the beginning of the URL.

Compared to traditional security, an extended validation certificate will show the green bar. The green bar contains the company name. When clicking on the green bar, you will get the company details. Now it's clear who you are. Another way to show who you are is to display the site seal.

A site seal is an easy way to show a visitor of your website that you're using a secured connection. Surely, it's not as strong as https, the padlock or the green bar, but it's an additional service that we as a CA provide to give an indicator to the visitor of your website and to say: okay, look, we care about your privacy, about your data, and we are securing it. By clicking on the site seal, they get more company details and they can verify who you are. Maybe they can print the data so they have a copy on paper and can go back to that if something may happen with their information. But in general, it also reminds users: oh yes, I need to watch out for security.

So when you have that login form or that order form or just the contact information form on your website, where users are requested to fill in some data, it's good to show a site seal that reminds them about security. It reminds them to look at the green bar or at the padlock, or to think twice: can I really trust this website? It also gives them the feeling: oh yeah, if I would be questioning the security of the site, now it gives me an indication: oh yeah, they care about my security. And you can place the site seal on any place on the website you like, which could be clearly near an order or a confirm button or a submit button for a specific form.

Then we're going to look at tip two, which is to look after your server, and specifically to look after the configuration of your server. GlobalSign created a simple tool which is powered by Qualys SSL Labs, and that tool you can find on globalsign.ssllabs.com. It's really simple to use. You just enter the fully qualified domain name, for example www.globalsign.com. When you submit the form, it will automatically test if your server is compliant with all best practices. It tries to find a balance between security and compatibility, because that is actually the biggest problem when we look at server configurations. We can't simply say this is the configuration you need to use, while with this tool, we try to give you a balanced setup that would work for most users.

But if you are providing services to a closed community, which could be your company employees or your customer base, then you may want to use more strict configurations than this tool is giving you. But even that is something that the tool will clearly indicate: there are always improvements possible, but maybe that will have a small impact on the compatibility. So when entering the domain in this form and submitting it, we will test your server, then we will show you with which browsers you will be compatible, whether a Windows XP system with an old version of Internet Explorer is still able to visit your website or not. The balance between security and compatibility is something that has a lot of factors, and one of these factors is the cipher which is used for the actual encryption.

And if we are going to look back at SSL and TLS, then you see that since version SSL 3.0, we moved on to TLS, so we could also say that TLS is actually SSL version 4. If we look at this table and see, okay, how secure is the SSL protocol, then we basically see that it is insecure. It cannot provide you sufficient security even when you take reasonable time to configure your server and to be very selective in what you would support; it still depends on many factors if you could provide a secured connection or not. If we move to TLS 1.1 or 1.2, we see that there's a lot more certainty of an actual secured connection. And these are all combinations of the SSL protocol version and the cipher. And the server and the browser can communicate what they support, so the browser can say: okay, we support SSL 3, TLS 1, TLS 1.1 and TLS 1.2. And a server can say: okay, yeah, I support also these protocols and I give the preference to some specific ciphers, but it's more likely that when a browser or a visitor visits your website, you will actually pick that secured connection. But if we're going to look at this table, and we would disable, for example, SSL 3, what is the impact on compatibility? Because if I have a closed community like my employee base, okay, I can say our computers are secure. We don't use Windows XP anymore. We're all on Windows 7, 8 or 10, and we don't really care about SSL 3.

On the other hand, if you don't have a closed user group and you provide services to the public internet, that is much harder to actually answer, because you don't really know what your potential customer is using for a computer, for a browser, and if they installed all of their security updates. And there are some arguments which say: okay, yes, I don't want to provide, it doesn't add any value to provide security to a user of an old outdated browser or an old outdated operating system, because basically, if we look at their security level, there are so many holes in there that maybe you shouldn't even care about TLS security. But that's maybe not necessary, because if we're going to look at the TLS support by the major browsers, then we see that at least TLS 1.0 is supported by all major browsers, even on Windows XP. Only if you would be using Internet Explorer 6 on Windows XP, TLS 1.0 is disabled by default.

But okay, how many users are actually using Internet Explorer version 6, which is so many years old that most websites wouldn't even work on that browser? So if we would disable all SSL versions, the security level is much higher. Also, because even if we would say, okay, yes, we would support these new TLS versions, there's always the potential risk that an attacker finds a way to downgrade a user to an older TLS version or SSL version and apply an attack against that version, and that is something that has happened before. In this graph, you see the statistics of supported SSL and TLS versions measured by Netcraft from many servers on the internet. And before POODLE, most servers were just enabling all protocols.

Most likely, okay, probably, they were disabling SSL 2, but SSL 3, yeah, okay, we could still use it, and then there is still some use case for it. But there was an attack on that specific protocol. Then quickly everyone, or the majority of service providers, actually switched off SSL version 3 because it wasn't actually needed anymore. And more and more users or server operators, administrators, are disabling SSL version 3, and you should do too. Looking back at the tool we provide, you can simply see whether SSL version 2 and 3 or TLS version 1.0, 1.1 or 1.2 could be enabled or disabled. And the tool reports that by trying to make a connection over each protocol, if your server supports it, and showing you what your server is currently doing. It will also show you if it is good. Like in this example, it's good that SSL 2 and 3 are currently not supported, but from a compatibility point of view, it's good that TLS 1.0 is currently supported, while from a security point of view, you may only want to use the last version, TLS 1.2. But as we can see in this slide, there are still quite a few browsers which are currently not supporting TLS 1.2, so for those users, you still want to be able to support TLS 1.0, unless you have that closed user group and say: okay, now all users are using Chrome version 30 or newer, Firefox 38 or newer, Internet Explorer 11, Opera 17 or Safari 7. So actually, if you're using up-to-date systems, you can safely switch to TLS 1.2; else you may want to use TLS 1.0 as legacy support. The same for ciphers; configuration for ciphers is complicated, because there are many which you should enable, or maybe not.

It's not only very dependent on the current state of browsers and operating systems, but also on the cryptographic power to break these ciphers. It's changing a lot, and therefore it's good to run these tests against your server on a regular basis. Do not only test your website configuration or your TLS configuration once a year or every time you renew your certificate, but try to make it an ongoing activity where, on a monthly basis, you just run the test and see if you're still compatible, or if you may need to make some changes, because security is changing from time to time, so regularly check your preferences. Simply run the test, and in a few seconds you know if you need to make changes to provide secured connections to your users.

Then there is a need to deal with server breaches. While we never hope that the server is breached, there are many reasons why that could happen. And if that happens, you need to have a proper action plan to mitigate any risks, and one of the actions in that plan should be to revoke your certificates, because when an attacker gains access to your server, they will be able to obtain a copy of your private key. With that private key, they could set up man-in-the-middle attacks to pretend to be you and to steal private information from your customers, and potentially to use that information on other websites or maybe on your own server. By revoking the certificates and generating new private keys, even if the user or the attacker would have obtained a copy of your private key, they would not be able to use it, because the certificate you provided is now showing or announcing that it is compromised and should not be trusted.

But revocation information is something that is published by the certification authority, and that also needs to be obtained. Now, how can that be obtained? For example, by OCSP, the Online Certificate Status Protocol. An OCSP request is a request that is made to the certification authority for each connection that is established to your website. It will tell the user whether that certificate is still valid or not. By enabling OCSP stapling, you have a couple of benefits.

First, the OCSP response is already included in the TLS handshake and therefore does not have to be obtained separately from the certification authority. That has benefits in performance, because it saves [0:20:03] on the client side, and it has a benefit on privacy, because it is not exposed who's connecting to your server. OCSP stapling is easy to enable in all web servers. As you can see on this slide for Apache and Nginx, it's just a one- or two-line configuration change. So that was tip two: take care of your server. Do not only install your certificate, but review your configuration and use the tools available to do it properly, and review that configuration from time to time. Tip three is to enable always-on SSL.

What does that mean? Always-on SSL means that SSL is always enabled. It's always turned on. Why would we turn on SSL by default? First, it's really important that if you provide a secured connection and you wouldn't provide that secured connection on the whole website, but only on your login screen, there is the risk that if you do not mark your cookies to be served on secured connections only, that cookie would be shared with your unsecured website. And a user could just simply copy the login session from that cookie, because it's transmitted over an unsecured connection. This type of attack is abused frequently, as it's so easy to perform.

Another benefit of enabling always-on SSL is that the user can always perform the identity verification, because the green bar is not only shown when the account information is requested, but on all pages, or maybe even far before it's trying to request information or to do that purchase from your website. It's also about content integrity. When using a secured connection, data is not only encrypted but also the integrity is guaranteed. It's not possible for an attacker to embed abusive code in the TLS session, because that would break the signature on the data. And it would improve your Google ranking, because Google said recently that they prefer a secured and private internet where governments or any third party cannot control or list or see what you are actually doing on the internet. And therefore, when a website guarantees the privacy of a visitor, you will rank slightly higher in the Google search engine.

And not least, doing SSL by default could have a huge performance benefit. When your server supports HTTP/2 or SPDY, secured websites can load up to, in this example, 500% faster than a non-secured connection, and we know that Google, Amazon and a lot of other large sites did research on what percentage of users would drop off after a few milliseconds of delay. If you can win even seconds, you can win a lot of users and increase efficiency and increase the number of views on your website from the users, because the website is just responding a lot quicker than with a non-secured version. That doesn't have anything to do with the encryption itself, but mainly with the way the protocol works. HTTP/2 and SPDY are only supported when using a secured connection, and these protocols allow multiple requests to be handled concurrently, where they have to be made separately when using an unsecured connection. So how do we enable always-on SSL? Always-on SSL is one of the easiest things to enable.

It's just adding a simple header to the response of your website. In Apache, you can do that with a single line in your configuration or in a .htaccess file, and in Nginx, you can simply change a line in the configuration or add a line to the configuration. If you're using a dynamic website running in .NET, PHP or whatever language you are using, you can also add these headers from the application side. And again, also here, the tools from GlobalSign give you the ability to simply verify if you set these headers. Then we have one more tip.

We wanted to add this to the webinar. It's got a lot of attention over the last few days, and you may sometimes come across confusing information. From January 2017, Windows will stop trusting all SHA-1 certificates. That will mean that if you would still be using a SHA-1 certificate, a user that is visiting your website will get an error message that that certificate is not trusted. Chrome is already giving warnings about these issues today.

They'll still connect to your website, but it wouldn't show you the green padlock. Our advice on this is simple: upgrade your SHA-1 certificate to SHA-256 as soon as possible. You can do this free of charge from your GlobalSign account. You can use our SSL checker to determine if your certificates need to be upgraded, or use a certificate inventory tool. This can complete internal or external networks.

Unfortunately, we've run out of time, so if you have any questions, send them to me on Twitter at @GlobalSign, or just go to our Facebook page or LinkedIn. Contact your account manager and ask these questions there, and we'll make sure that everything you need will be answered as soon as possible. Thanks for your time. Have a good day. Bye.
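The server-side changes behind tips two and three, as an added example that is not from the webinar slides or from GlobalSign: an nginx configuration that leaves SSLv2 and SSLv3 out of the negotiable protocols, enables OCSP stapling, redirects every plain-HTTP request to HTTPS and sets the Strict-Transport-Security header. The hostname www.example.com, the certificate and key paths under /etc/ssl/example/ and the resolver address 192.0.2.53 are placeholders to replace with your own.

```nginx
# Added example, not the webinar's or GlobalSign's own configuration.
# Placeholder values: www.example.com, /etc/ssl/example/*, resolver 192.0.2.53.

# Plain-HTTP listener. Its only job is to send every visitor to the HTTPS site,
# so the site is "always on SSL" and no page is ever served unencrypted.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;          # HTTP/2 is only offered over TLS, as the talk notes
    server_name www.example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # leaf plus intermediate (placeholder path)
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # private key (placeholder path)

    # Tip two: SSLv2 and SSLv3 are simply not listed, so the server never negotiates them
    # and a downgrade to them cannot succeed. TLSv1 stays only as legacy support for old
    # browsers; remove it once your user base no longer needs it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Tip two: OCSP stapling. nginx fetches the OCSP response from the CA itself and
    # sends it inside the TLS handshake, so the client neither waits for the CA nor
    # reveals to the CA which site it is visiting.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;   # CA chain used to verify the stapled response
    resolver 192.0.2.53 valid=300s;                       # needed to resolve the OCSP responder's hostname

    # Tip three: HSTS. A browser that has seen this header will not send plain-HTTP
    # requests to this host for max-age seconds, even if a user types http://.
    # "always" makes nginx add the header on error responses as well.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/html;
    }
}
```

The Apache equivalents of the three parts are `SSLProtocol all -SSLv2 -SSLv3`, `SSLUseStapling on` together with an `SSLStaplingCache` directive in the global context, and `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` from mod_headers. The cookie point from tip three is not covered by either web server configuration: the `Secure` (and `HttpOnly`) attributes on the session cookie have to be set by the application that issues the cookie.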
