An introduction guide to Secure Certificates and the things to watch for when installing a cert.

1. Demystifying Secure
Certificates
@garyw_
www.gdwnet.com

2. Why use HTTPS at all?
 It’s faster than plaintext.
 SEO!
 Browser warnings for plaintext sites.
 Provides a level of confidence in the site.
 Certs are free.

3. I don’t need certs…
 …because I’m not processing payments
 …because everything on the site is public domain
 …because I’ve only got 100 customers
 …because it’s too expensive
 …because I’m too small for hackers to attack me
 Hackers have been using the devops methodology for years. They’ve
automated scanning and detection to a high degree.

4. Is TLS really faster than plaintext?
 If the host server supports HTTP/2, yes. IIS on 2016 does, Apache, Nginx and
so on does.
 Developer tools in Chrome will show if a site is using HTTP/2 or not

5. Use Certs, don’t be this guy!

6. Implementing HTTPS
 There is no magic to cert implementation but CA’s can be hard to work with
 Let’s encrypt are working wonders to simplify things
 All certs follow the same process:
 Create CSR
 Submit CSR to CA
 CA approves cert
 Retrieve cert
 Install cert
 Update web server config

7. SSL and TLS Versions
 SSL 2.0 - Vulnerable
 SSL 3.0 – Vulnerable to Poodle
 TLS 1.0 – Vulnerable to Poodle? Maybe……
 TLS 1.1
 TLS 1.2
 TLS 1.3
 TLS 1.1 and above are secure protocols, but you still need to consider ciphers
and other headers
 TLS 1.3 is just out.

8. TLS 1.3

9. Ciphers
 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 The above cipher suite will work for all browsers from IE7 and above and is
the more secure set of ciphers available today.
 You can add additional ciphers as the web server will try the most secure first
and then fallback to “less secure” protocols.

10. Private keys, public keys and cert chains
 All keys and certs should be kept outside of the website structure
 Keep copies of cert files somewhere secure like a password database
 Check that cert chains are valid

11. Installing the cert is half the battle
 Once a cert is installed, you’re still not secure
 IIS, Nginx, Apache all need further changes to make them A+ on Qualsys
 Even with A+ you can go even further
 Vendors need to make installing certs a simpler process, lets encrypt are
leading the way
 Last thing to do? MAKE A NOTE OF WHEN THE CERT EXPIRIES!

12. DNS CAA Record
 Certification Authority Authorisation Record
 This is coming, have it in place before September 2017 or renews won’t be
allowed for certs needing renewing after that date.
 CAA is a dedicated type of DNS record and looks like this:
 CAA 0 Letsencrypt.org
 Doesn’t apply to internal CA’s

13. Internal CA’s
 Nothing bad about internal CA’s – as long as they are only used for internal
services/servers.
 Internal CA’s become bad when used by people don’t automatically get the
trusted root cert.
 Great for testing out cert process and securing things that are often ignored.
 Watch your cert validity times!

14. EV Certs
 Extended Validation
 Provides additional validation for the owning company, “proves” the site is
legitimate
 The company has to go through it’s own validation process with the CA

15. Qualsys
 Anytime a change is made to a web config or a cert, run the site through
qualsys free HTTPS tester.
 A scan takes about 10 minutes to run
 Reports are, by default public

16. Securityheaders.io site header
recommendations

17. Secutityheaders.io (2)

18. Recap!
 Get people used to certs everywhere and to not ignore warnings
 Let’s encrypt has great automation
 Keep copies of secure web server configs
 There are tools out there to help
 Qualsys SSL analyser
 Scott Helme’s securityheaders.io
 If possible, test sites certs annually and whenever a change is made, just in
case something has changed

19. Thank you!
Questions?