SSL/TLS best practices for websites

Keeping Secrets

7. OCSPStapling

The stapling extension of the online certificate status protocol (OCSP) allows operators of a website to offer call-back information for certificates on their own server. Without stapling, a client must contact the CA to ensure that a certificate has not been revoked. Stapling makes the site faster; users do not need to tell the CA which pages they are visiting, and the site is independent of the performance of the CA's OCSP responder.

8. DamageMitigation

As with any software, the risk of serious security gaps is also possible in the TLS/SSL stack. In most cases, you can stuff the holes with patches. In the interests of security, you should familiarize yourself with the main attacks against transport encryption: Beast, Crime, Time, Breach, RC4-Bias, Lucky 13, and the Triple Handshake attack.

9. Heartbleed

A vulnerability in the widespread free crypto library OpenSSL, named Heartbleed, has been known since April 2014. Heartbleed has nothing to do with cryptography itself but was caused by a programming error. The consequences for a vulnerable server are devastating, because attackers can grab the private key through the hole. Ready-made attack tools are available on the Internet for downloading; every server operator should thus be familiar with Heartbleed.

Admins must adhere to the following steps when they discover that their servers are vulnerable to Heartbleed:

  • Update the affected systems to close the gap.
  • Generate new private keys, procure new certificates, and revoke the existing certificates.
  • Replace the ticket key if session tickets are used.
  • Assess whether other confidential data was stolen due to the vulnerability. For example, passwords might have been in memory areas that were read. If so, notify the users and ask them to change their passwords.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • What's left of TLS
    Numerous attacks have rocked the security of SSL/TLS encryption in recent years. Newer standards would remedy this, but they are not widely used.
  • Transport Encryption with DANE and DNSSEC
    Those who think that enabling STARTTLS in the mail client will make their mail traffic more secure are wrong. Only those who bank on DANE can be sure that a mail server or a firewall will not switch off encryption in transit.
  • Many approaches help secure a web server
    We submit an Apache web server to the Qualys SSL Server Test and look at how to protect against data theft with a combination of TLS by way of Let's Encrypt, SELinux or AppArmor, a firewall, and restraining your web server's verbosity.
  • TLS 1.3 and the return of common sense
    After a decade in service, TLS 1.2 is showing many signs of aging. Its immediate successor, TLS 1.3, has earned the approval of the IETF. Some major changes are on the way.
  • Setting up SSL connections on Apache 2
    To spoil the day for lurking data thieves, Apache administrators only need three additional directives – and a handful of commands.
comments powered by Disqus