2. Why use HTTPS at all?
It’s faster than plaintext.
SEO!
Browser warnings for plaintext sites.
Provides a level of confidence in the site.
Certs are free.
3. I don’t need certs…
…because I’m not processing payments
…because everything on the site is public domain
…because I’ve only got 100 customers
…because it’s too expensive
…because I’m too small for hackers to attack me
Hackers have been using the DevOps methodology for years; they've automated
scanning and detection to a high degree.
4. Is TLS really faster than plaintext?
If the host server supports HTTP/2, yes. IIS on Windows Server 2016 does, as
do Apache, Nginx and so on.
Developer tools in Chrome will show whether a site is using HTTP/2 or not.
6. Implementing HTTPS
There is no magic to cert implementation, but CAs can be hard to work with.
Let's Encrypt is working wonders to simplify things.
All certs follow the same process:
Create CSR
Submit CSR to CA
CA approves cert
Retrieve cert
Install cert
Update web server config
7. SSL and TLS Versions
SSL 2.0 – Vulnerable
SSL 3.0 – Vulnerable to POODLE
TLS 1.0 – Vulnerable to POODLE? Maybe…
TLS 1.1
TLS 1.2
TLS 1.3
TLS 1.1 and above are secure protocols, but you still need to consider ciphers
and other headers.
TLS 1.3 is just out.
9. Ciphers
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
The above cipher suite will work for all browsers from IE7 upwards and is
the most secure set of ciphers available today.
You can add additional ciphers: the web server will try the most secure first
and then fall back to the "less secure" suites.
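To see what the slide-9 cipher string actually enables, and to check the two properties that matter before it goes into a web server config, here is an added example (not from the talk) that expands the string with "openssl ciphers -v" and audits the result. It checks that every suite uses an ephemeral (EC)DH key exchange with an authenticated peer, which is what gives the forward secrecy described in the EECDH note at the end of the deck, and it separately reports which suites are still CBC rather than AEAD (the ones kept for older browsers). The PAGE_SUITES value is the slide's own string; everything else is this example's.

```shell
#!/bin/sh
# Added example (not from the talk): expand the slide-9 cipher string with
# "openssl ciphers -v" and audit what it enables. Two checks a practitioner
# wants before copying a cipher line into a server config: every suite must
# use an ephemeral (EC)DH key exchange with an authenticated peer (forward
# secrecy), and it is worth knowing which suites are CBC rather than AEAD.
set -eu

PAGE_SUITES='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'   # from slide 9

# openssl ciphers -v prints: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
# TLS 1.3 suites are listed too (Kx=any); they are always ephemeral and AEAD,
# so they are skipped rather than flagged.
expand() { openssl ciphers -v "$1"; }

# Suites without forward secrecy (static RSA/PSK key exchange) or with an
# anonymous peer (Au=None). Prints their names, one per line.
non_fs_suites() {
  expand "$1" | awk '$2 != "TLSv1.3" && ($3 !~ /^Kx=(ECDH|DH)/ || $4 == "Au=None") { print $1 }'
}

# Suites that are not AEAD (the CBC-mode ones the slide keeps for old browsers).
non_aead_suites() {
  expand "$1" | awk '$6 != "Mac=AEAD" { print $1 }'
}

count_lines()    { wc -l | tr -d ' '; }
count_non_fs()   { non_fs_suites "$1"   | count_lines; }
count_non_aead() { non_aead_suites "$1" | count_lines; }

# Verdict: exit 0 when every enabled suite has forward secrecy.
fs_only() { [ "$(count_non_fs "$1")" -eq 0 ]; }

# Walk-through: sh this-file.sh demo
if [ "${1:-}" = "demo" ]; then
  echo "Suites enabled by the slide-9 string:"
  expand "$PAGE_SUITES" | awk '{ print "  " $1, $2, $3, $6 }'
  echo "Without forward secrecy: $(count_non_fs "$PAGE_SUITES")"
  echo "Not AEAD (CBC fallback): $(count_non_aead "$PAGE_SUITES")"
  echo "For comparison, openssl's ALL enables $(count_non_fs ALL) suites without forward secrecy"
fi
```

The useful result is that the slide's string passes the forward-secrecy check completely, while its AES256+EECDH and AES256+EDH tail does pull in CBC suites; if none of your clients need them, trimming the string to the two AESGCM groups leaves only AEAD suites.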
10. Private keys, public keys and cert chains
All keys and certs should be kept outside of the website structure
Keep copies of cert files somewhere secure like a password database
Check that cert chains are valid
11. Installing the cert is half the battle
Once a cert is installed, you're still not secure.
IIS, Nginx and Apache all need further changes to make them A+ on Qualys.
Even with A+ you can go even further.
Vendors need to make installing certs a simpler process; Let's Encrypt is
leading the way.
Last thing to do? MAKE A NOTE OF WHEN THE CERT EXPIRES!
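The slide-6 process (create CSR, submit, approve, retrieve, install), the slide-10 chain check and the slide-11 expiry reminder, run end to end with openssl as an added example. This is not the talk's code: it stands in a throwaway local CA for the real CA so the whole thing runs offline, and every host name, file name and directory is made up.

```shell
#!/bin/sh
# Added example (not from the talk): the slide-6 cert process run end to end
# with openssl, using a throwaway local CA in place of the real CA for the
# "submit / approve / retrieve" steps, followed by the slide-10 chain check
# and the slide-11 "note when it expires" check. All names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # somewhere outside the web root (slide 10)

# A self-signed root with CA:TRUE and keyCertSign, written from an explicit
# config so the result does not depend on the system openssl.cnf.
make_local_ca() {
  ca="$1"
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\nprompt = no\n' > "$WORK/$ca.cnf"
  printf '[dn]\nCN = %s\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\n' "$ca" >> "$WORK/$ca.cnf"
  printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' >> "$WORK/$ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/$ca.cnf" -keyout "$WORK/$ca.key" -out "$WORK/$ca.crt" 2>/dev/null
  chmod 600 "$WORK/$ca.key"
}

# Step 1 of slide 6: private key plus CSR for one host, with the host name in
# both the CN and a subjectAltName (modern clients only look at the SAN).
make_csr() {
  host="$1"
  printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n' > "$WORK/$host.cnf"
  printf '[dn]\nCN = %s\n[v3_req]\nsubjectAltName = DNS:%s\n' "$host" "$host" >> "$WORK/$host.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$host.cnf" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  chmod 600 "$WORK/$host.key"
}

# What the CA is asked to sign: print the subject so it can be eyeballed.
csr_subject() { openssl req -noout -subject -in "$WORK/$1.csr"; }

# Steps 2-4 collapsed: CA $2 signs host $1's CSR for $3 days. Leaf extensions
# come from an extfile because "x509 -req" does not copy them from the CSR.
sign_csr() {
  host="$1"; ca="$2"; days="$3"
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days "$days" -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

# Slide 10: does host $1's cert chain up to root $2?  Exit 0 means yes.
check_chain() { openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

# Slide 11: print the notAfter date, and return 0 (true) when the cert will
# expire within $2 days, which is what a renewal reminder job should alert on.
not_after() { openssl x509 -noout -enddate -in "$WORK/$1.crt"; }
expires_within_days() {
  if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$WORK/$1.crt" >/dev/null 2>&1; then
    return 1   # openssl reports "will not expire" inside the window
  fi
  return 0
}

# Walk-through: sh this-file.sh demo
if [ "${1:-}" = "demo" ]; then
  make_local_ca internal-root
  make_csr www.example.test
  csr_subject www.example.test
  sign_csr www.example.test internal-root 365
  check_chain www.example.test internal-root && echo "chain OK"
  not_after www.example.test
  if expires_within_days www.example.test 30; then echo "RENEW NOW"; else echo "not due yet"; fi
fi
```

With a real CA, steps 2 to 4 are the CA's portal or ACME client rather than sign_csr, but the CSR you hand over and the checks you run on what comes back are the same; expires_within_days is the piece to put on a schedule so the "note the expiry" step does not rely on memory.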
12. DNS CAA Record
Certification Authority Authorisation Record
This is coming: have it in place before September 2017 or renewals won't be
allowed for certs needing renewing after that date.
CAA is a dedicated type of DNS record and looks like this:
CAA 0 issue "letsencrypt.org"
Doesn't apply to internal CAs.
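To make the record concrete, here is an added example (not from the talk) that answers the question a CAA record exists for, "may this CA issue for this name?", against a constructed zone fragment. It applies the rules a CA follows under RFC 8659: walk up from the requested name to the first label that has any CAA records, use issuewild records for wildcard requests when they exist, treat issue ";" as "nobody may issue", and treat the complete absence of CAA records as "any CA may issue". The zone contents and CA names other than letsencrypt.org are made up.

```shell
#!/bin/sh
# Added example (not from the talk): a small CAA checker over a constructed
# zone fragment, following the RFC 8659 evaluation rules. Zone contents and
# the CA names other than letsencrypt.org are made up.
set -eu

ZONE="${ZONE:-$(mktemp)}"

write_sample_zone() {
  cat > "$ZONE" <<'EOF'
; constructed sample, fully qualified owner names
example.test.        3600 IN CAA 0 issue "letsencrypt.org"
example.test.        3600 IN CAA 0 issuewild ";"
example.test.        3600 IN CAA 0 iodef "mailto:security@example.test"
sub.example.test.    3600 IN CAA 0 issue "ca-two.example; validationmethods=dns-01"
locked.test.         3600 IN CAA 0 issue ";"
EOF
}

# Exit 0 = CA $3 may issue for name $2 (wildcard request if $4 = 1), 1 = may not.
caa_allows() {
  zone="$1"; name="$2"; ca="$3"; wild="${4:-0}"
  while [ -n "$name" ]; do
    rc=0
    awk -v name="$name" -v ca="$ca" -v wild="$wild" '
      $1 == name {
        for (i = 1; i <= NF; i++) if ($i == "CAA") break
        if (i > NF) next
        found = 1
        tag = $(i + 2)
        val = ""
        for (j = i + 3; j <= NF; j++) val = val " " $j
        gsub(/"/, "", val)          # strip the quotes around the property value
        sub(/;.*$/, "", val)        # drop "; key=value" parameters; ";" alone becomes ""
        gsub(/^ +| +$/, "", val)
        if (tag == "issue")     issue[++ni] = val
        if (tag == "issuewild") iw[++nw] = val
      }
      END {
        if (!found) exit 2                           # no CAA at this label: caller climbs
        if (wild == 1 && nw > 0) { n = nw; for (k = 1; k <= nw; k++) set[k] = iw[k] }
        else                     { n = ni; for (k = 1; k <= ni; k++) set[k] = issue[k] }
        if (n == 0) exit 0                           # CAA present but no issue/issuewild: unrestricted
        for (k = 1; k <= n; k++) if (set[k] == ca) exit 0
        exit 1
      }' "$zone" || rc=$?
    [ "$rc" -eq 2 ] || return "$rc"
    name="${name#*.}"               # nothing at this label: try the parent
  done
  return 0                          # no CAA anywhere up the tree: any CA may issue
}

show() {
  if caa_allows "$ZONE" "$1" "$2" "${3:-0}"; then echo "$1 (wild=${3:-0}): $2 may issue"
  else echo "$1 (wild=${3:-0}): $2 may NOT issue"; fi
}

# Walk-through: sh this-file.sh demo
if [ "${1:-}" = "demo" ]; then
  write_sample_zone
  show example.test. letsencrypt.org
  show example.test. letsencrypt.org 1
  show www.example.test. ca-two.example
  show locked.test. letsencrypt.org
  show nocaa.test. anyone.example
fi
```

The climbing rule is the part people miss: a record on example.test. covers www.example.test. unless the subdomain publishes its own CAA set, and an issuewild ";" on the parent blocks wildcard issuance for everything below it that does not override it.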
13. Internal CAs
Nothing bad about internal CAs – as long as they are only used for internal
services/servers.
Internal CAs become bad when used by people who don't automatically get the
trusted root cert.
Great for testing out the cert process and securing things that are often ignored.
Watch your cert validity times!
14. EV Certs
Extended Validation
Provides additional validation for the owning company and "proves" the site is
legitimate.
The company has to go through its own validation process with the CA.
15. Qualys
Any time a change is made to a web config or a cert, run the site through
Qualys' free HTTPS tester.
A scan takes about 10 minutes to run.
Reports are, by default, public.
18. Recap!
Get people used to certs everywhere and to not ignore warnings
Let’s encrypt has great automation
Keep copies of secure web server configs
There are tools out there to help
Qualys SSL analyser
Scott Helme's securityheaders.io
If possible, test sites' certs annually and whenever a change is made, just in
case something has changed.
The background – I’ve put this together because I’m an IT person who enjoys messing with tech but I want that tech to be secure.
Putting a secure cert on a site isn't hard, but there are a few things to be aware of that help secure a site properly. Sadly, the days of putting a cert on a server and walking away are long gone.
Google recently announced that it will be giving higher page rankings to sites with SSL over plaintext.
Going forward there will be increasing confidence in SSL/TLS-enabled sites; browser warnings will be more prominent and harder to click past.
Talk about logwatch on linux and the port 22 attacks.
CSR = Certificate Signing Request
This is the first thing that confuses people: TLS 1.0 is newer, better and faster than SSL 3.0.
Interesting story about TLS. IIS Crypto will disable TLS 1.0, which didn't please our devs as they use that for deployments.
Gloucester City Council found themselves in trouble due to Heartbleed. Heartbleed can be defeated by upgrading OpenSSL. Secure certs don't obviate the need for patching.
EECDH – ephemeral elliptic-curve Diffie-Hellman, used for "Forward Secrecy" (sometimes "Perfect Forward Secrecy"). The term describes security protocols in which the confidentiality of past traffic is not compromised when long-term keys used by either or both sides are later disclosed.
The next thing in validating secure sites and allowing renewals only from selected CAs. It's not widely used by CAs yet but probably will be after September.
If you can, get your CAA DNS record in now.
Absolutely nothing wrong with internal CAs.
Great way to play with both ends of the cert process.
Cert validity is a maximum of three years. Note that internal CA root certs should be 50 or 100 years just to avoid having to renew the root CA cert. Issued certs should be a year.
Want to play with EV and not pay out a fortune? Set it up in Windows CA.