2. Why use HTTPS at all? #AllAccessIT
• SEO!
• Browser warnings for plaintext sites.
• Provides a level of confidence in the site.
• Certs are free.
• They can be faster than plaintext.
3. Is HTTPS really faster than plaintext?
If the host server supports HTTP/2, yes. IIS on Server 2016 does,
as do Apache, Nginx and so on.
Developer tools in Chrome will show whether a site is using HTTP/2
or not.
4. I don’t need certs…
…because I’m not processing payments
…because everything on the site is public domain
…because I’ve only got 100 customers
…because it’s too expensive
…because I’m too small for hackers to attack me
Hackers have been using the DevOps methodology for years.
They’ve automated scanning and detection to a high degree.
11. Cert Process
There is no magic to cert implementation, but CAs can make things
more complicated than they need to be.
Let’s Encrypt is working wonders to simplify things.
All certs follow the same process:
• Create CSR
• Submit CSR to CA
• CA approves cert
• Retrieve cert
• Install cert
The first three can be rolled into one action.
12. SSL/TLS Versions
• SSL 2.0 – Vulnerable
• SSL 3.0 – Vulnerable to POODLE
• TLS 1.0 – Vulnerable to POODLE
• TLS 1.1 – No issues?
• TLS 1.2 – No issues?
• TLS 1.3 – No issues
TLS 1.1 and above are secure protocols, but you still need to
consider ciphers and other headers.
TLS 1.3 was ratified in August 2018.
14. Cipher Suites
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
The above cipher suite will work for all browsers from IE7 upwards
and is one of the more secure sets of ciphers available today.
You can add additional ciphers, as the web server will try the most
secure first and then fall back to the “less secure” ones.
Cipher suites are implemented in the web server/browser, not in the cert.
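As an added example (not from the slides), the Python script below expands the slide’s SSLCipherSuite string on the local OpenSSL build using Python’s ssl module, which accepts the same OpenSSL cipher-list syntax as Apache’s directive, and checks that every enabled pre-TLS 1.3 cipher uses an ephemeral (forward-secret) key exchange. The exact list printed depends on the OpenSSL version and security level installed.

```python
import ssl

# The SSLCipherSuite string from the slide (OpenSSL cipher-list syntax).
SLIDE_CIPHER_STRING = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"


def expand_cipher_string(spec):
    """Return (name, protocol, key_exchange) for each cipher the local
    OpenSSL enables for `spec`, in server preference order.

    TLS 1.3 suites are dropped: OpenSSL always lists them because they are
    configured separately and are not affected by this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [
        (c["name"], c["protocol"], c.get("kea", ""))
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def all_forward_secret(spec):
    """True when every enabled pre-1.3 cipher uses ECDHE or DHE key exchange,
    i.e. the EECDH/EDH aliases on the slide did their job."""
    ciphers = expand_cipher_string(spec)
    return bool(ciphers) and all(
        kx.startswith(("kx-ecdhe", "kx-dhe")) for _, _, kx in ciphers
    )


def has_rsa_key_exchange(spec):
    """True when any enabled cipher uses static RSA key exchange (no forward
    secrecy); catches cipher strings that fall back too far."""
    return any(kx == "kx-rsa" for _, _, kx in expand_cipher_string(spec))


if __name__ == "__main__":
    for name, proto, kx in expand_cipher_string(SLIDE_CIPHER_STRING):
        print(f"{name:<32} {proto:<8} {kx}")
    print("forward secrecy everywhere:", all_forward_secret(SLIDE_CIPHER_STRING))
    # "HIGH" is a broad alias; on most builds it also enables static-RSA ciphers.
    print("HIGH alias enables static RSA kx:", has_rsa_key_exchange("HIGH"))
```

Apache only enforces the server-side ordering the slide relies on when SSLHonorCipherOrder is switched on; otherwise the client’s preference order wins.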
15. Additional Headers - HSTS
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
HSTS makes the connecting browser remember the policy (much like a cookie).
That policy expects the site to be presented over HTTPS for ‘max-age’ (two years).
16. Additional Headers - CSP
• Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
• CSP – Content Security Policy
• Allows you to state what content you will allow on the page
• Can be fiddly but ultimately worth it
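As an added example (not from the slides), a small Python checker in the spirit of securityheaders.io for the two headers above: it parses the HSTS and CSP values from a constructed response-header dict that matches the two Apache directives, and reports the gaps a practitioner looks for (short max-age, missing includeSubDomains, script-src/object-src unset or allowing inline or any-origin sources).

```python
# Constructed response headers matching the two Apache directives on the slides.
EXAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains;",
    "Content-Security-Policy": "script-src 'self'; object-src 'self'",
}
ONE_YEAR = 31536000  # seconds; the slide's 63072000 is two years

def parse_hsts(value):
    """Parse an HSTS value; directive names are case-insensitive (RFC 6797)."""
    policy = {"max-age": 0, "includesubdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max-age"] = int(arg)
        elif name == "includesubdomains":
            policy["includesubdomains"] = True
    return policy

def parse_csp(value):
    """Parse a CSP value into {directive: [source expressions]}."""
    parts = [d.split() for d in value.split(";") if d.split()]
    return {p[0].lower(): p[1:] for p in parts}

def check_headers(headers):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        p = parse_hsts(hsts)
        if p["max-age"] < ONE_YEAR:
            findings.append(f"HSTS: max-age {p['max-age']} is under one year")
        if not p["includesubdomains"]:
            findings.append("HSTS: includeSubDomains not set")
    csp = hdrs.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
    else:
        p = parse_csp(csp)
        for directive in ("script-src", "object-src"):
            sources = p.get(directive, p.get("default-src"))  # CSP falls back to default-src
            if sources is None:
                findings.append(f"CSP: {directive} not set (and no default-src)")
            elif "'unsafe-inline'" in sources or "*" in sources:
                findings.append(f"CSP: {directive} allows inline or any-origin content")
    return findings
```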
17. A few more things to check
• All keys and certs should be kept outside of the website structure.
• Keep copies of cert files somewhere secure, like a password
database.
• Check that cert chains are valid.
• Once a cert is installed, you’re still not fully secure.
• IIS, Nginx and Apache all need further changes to make them A+ on
Qualys.
• Even with A+ you can go even further.
18. A few things to check
• Vendors need to make installing certs a simpler process; Let’s Encrypt
is leading the way.
• Last thing to do? MAKE A NOTE OF WHEN THE CERT EXPIRES!
19. CAA DNS Records
• Certification Authority Authorisation record.
• This is coming: have it in place before September 2017 or renewals
won’t be allowed for certs needing renewing after that date.
• CAA is a dedicated type of DNS record and looks like this (example.com is a placeholder):
example.com. IN CAA 0 issue "letsencrypt.org"
• Doesn’t apply to internal CAs.
20. Internal CAs
• Nothing bad about internal CAs – as long as they are only used for
internal services/servers.
• Internal CAs become bad when used by people who don’t
automatically get the trusted root cert.
• Great for testing out the cert process and securing things that are
often ignored.
• Watch your cert validity times!
21. EV Certificates
• Extended Validation
• Provides additional validation for the owning company; “proves”
the site is legitimate
• The company has to go through its own validation process with
the CA
23. Qualys free cert check
• Any time a change is made to a web config or a cert, run the site
through Qualys’ free HTTPS tester.
• A scan takes about 10 minutes to run.
• Reports are public by default.
26. Recap
Get people used to certs everywhere and to not ignore
warnings.
Let’s Encrypt has great automation.
Keep copies of secure web server configs.
There are tools out there to help:
• Qualys SSL analyser
• Scott Helme’s securityheaders.io
If possible, test sites annually and whenever a modification is
made, just in case something breaks the security.
27. Handy Links
Qualys Scanner -> https://www.ssllabs.com/ssltest/
Scott Helme SecurityHeaders -> https://securityheaders.com/
Handy OpenSSL commands -> https://www.sslshopper.com/article-most-common-openssl-commands.html
Apache Example Header -> https://github.com/gdwnet/apache-ssl-config/blob/master/wiki.conf
The background – I’ve put this together because I’m an IT person who enjoys messing with tech, but I want that tech to be secure.
Putting a secure cert on a site isn’t hard, but there are a few things to be aware of that help secure a site properly. Sadly, the days of putting a cert on a server and walking away are long gone.
Google recently announced that they will be giving higher page rankings to sites with SSL over plaintext.
Going forward there will be increasing confidence with SSL/TLS enabled sites, browser warnings will be more prominent and harder to click past.
Talk about logwatch on Linux and the port 22 attacks.
TLS 1.2 – Vulnerable to Sloth (https://access.redhat.com/articles/2112261) CVE-2015-7575 – Jan 18th 2016 – fixed in patch
This is the first thing that confuses people: TLS 1.0 is newer, better and faster than SSL 3.0.
Interesting story about TLS. IIS Crypto will disable TLS 1.0, which didn’t please our devs as they use that for deployments due to an older version of the .NET Framework only supporting up to TLS 1.0.
Gloucester City Council found themselves in trouble due to Heartbleed. Heartbleed can be defeated by upgrading OpenSSL. Secure certs don’t obviate the need for patching.
EECDH – used for “Forward Secrecy” (sometimes “Perfect Forward Secrecy”), the term for security protocols in which the confidentiality of past traffic is not compromised when the long-term keys used by either or both sides are later disclosed.
The last line is important: it means that both “military grade” and “bank grade” security are just marketing hype.
There are many other headers, and the list is growing. Each one provides additional protection.