How Secure is your Site?
Written by Benjamin Friedman, August 31st, 2016
Having transport layer security is highly advised nowadays. Nothing beats having a wonderful for your site. Chances are if you don't have it already you've been thinking about setting it up. However it's important that you double check your existing or new SSL/TLS implementations to ensure they are up to snuff. It's easy to think you're secure when you're actually not, and we'll show you how you can verify your own.
First of all, what is SSL/TLS, and why the different acronyms? Well, for starters, let's address the different acronyms. TLS is the successor to SSL (Secure Sockets Layer), which has been phased out for the most part. In the interest of keeping descriptions fairly concise they are frequently referred to together as SSL/TLS. TLS and SSL are both protocols used to secure communications over the world wide web. When you visit a site secured via TLS or SSL you negotiate an SSL/TLS protocol and version, a cipher suite and potentially decide on a compression method.image credit cam.morris @ openclipart.org
After this the server passes it's certificate (or public key) to be verified by you (the client). It is by this certificate that you can try and authenticate that who you are talking to is who they say they are. Usually you would have a trusted third party such as a CA (Certificate Authority) who will have signed the certificate. This assurance made by the CA helps to ensure that you are connecting to the legitimate site, rather than an imposter.
Now that trust has been established a public key would be exchanged (depending on the underlying cipher suite) as well as brief MAC verification, basically a final check that all systems are GO! After this the handshake (this entire process described) is now complete and you and the server may communicate in a secure fashion.
Whew! That's a lot, but rest assured it's important you understand this a bit as it helps to convey the issues we'll be mentioning in a second.
As mentioned above, let's talk about where SSL/TLS can go wrong. First off, supporting SSL is generally a bad choice. Most SSL protocols have been proven to be flawed or can potentially be bypassed altogether, PCI-DSS compliance phased out SSL altogether for example. Even TLS 1.0 is no longer accepted for PCI compliance.
Besides the protocols, what about the supported cipher suites? Well issues in SSL/TLS implementations can arise from both the supported protocols and cipher suites. As tempting as it may be to list out known vulnerabilities in certain suites, we'd rather provide a tool to identify and help remove them altogether. In particular we highly recommend checking your site, right now, with Qualys SSL Labs. It's free, it's detailed, and there's no reason you shouldn't do it! If you think your implementation is solid, double check it, it can't hurt.
Upon finding issues with your SSL/TLS implementation you can perform some additional Doc Fu to find instructions on how to address the issue on your server. If your server is managed by a hosting company we encourage you to contact them directly and ask if they are mitigating issues in another fashion or are in the process of applying a fix.
For hosting at Axolsoft we maintain a solid SSL/TLS implementation. This is one of the many facets we focus on to remain fully PCI-DSS compliant. Additionally we undergo regular testing both internally and by 3rd parties in order to best assure our implementations remain safe and secure for us and our clients.
If you're having issues getting your hosting company to properly protect you, or you want to get started today consider dropping us a line at firstname.lastname@example.org. Initial consultations are free, we want to see that your website is secure, regardless of whom you decide to host with.
Questions? Corrections? Concerns? Contact us at email@example.com