SSL/TLS best practices for websites

Keeping Secrets

10. HTTP

Although SSL and TLS were developed to secure any connection-oriented protocol, the most pressing need was to protect HTTP, and encrypted access to websites remains the most common use of TLS today. However, the web has evolved from a simple system for delivering documents into a complex application platform, and TLS on its own does not cover everything that platform does with a page and its cookies.

10.1 No Mixed Content

HTTP itself includes no encryption; it relies on TLS underneath, and many websites still do not use it, often because of the extra effort and expertise required. Browsers complicate the situation further by allowing a page delivered over HTTPS to load subresources such as scripts, stylesheets, images and frames over plain HTTP. Such mixed content lets an attacker on the network tamper with the page despite the padlock in the address bar; an injected script in particular runs with the full privileges of the encrypted origin.

For security reasons, it is best to serve the complete domain name, including its subdomains, over TLS and to redirect every plain-HTTP request to HTTPS. HTTP Strict Transport Security (HSTS), sent with the includeSubDomains directive, instructs the browser to rewrite every http:// reference to the domain and its subdomains to https:// before requesting it, which removes mixed content from your own hosts. Content Security Policy deals with third-party references: the upgrade-insecure-requests directive rewrites them to https://, and a policy that lists only https: sources blocks anything that cannot be upgraded. Both headers are only effective if the browser has actually seen them, so check them on every response, not just the home page.
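The following scanner is an added example, not code from the article: it walks an HTML page the way a browser would, reports every subresource an https:// page fetches over http://, and grades the Strict-Transport-Security and Content-Security-Policy headers against the points above. The sample page and both header sets are constructed for the demo; nothing is fetched from the network.

```python
"""Mixed-content scan of an HTML page plus a check of the HSTS/CSP headers.

Added example, not code from the article. SAMPLE_HTML and both header sets
are constructed for the demo; nothing is fetched from the network.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs whose targets the browser fetches as subresources of the
# page. <a href> is a navigation, not a subresource, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href",    # counted only when rel contains "stylesheet"
    "form": "action",  # a form posted to http:// sends its fields in the clear
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr_name = SUBRESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        target = attrs.get(attr_name)
        if not target:
            return
        # Resolve relative and protocol-relative ("//cdn...") references against
        # the page URL; on an https:// page both inherit the https scheme.
        absolute = urljoin(self.page_url, target)
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def find_mixed_content(html, page_url):
    """Return [(tag, url)] for every subresource an https:// page loads over http://."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages that are themselves encrypted
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure


def check_headers(headers):
    """Grade Strict-Transport-Security and Content-Security-Policy; returns findings."""
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = [d.strip().lower()
            for d in lower.get("strict-transport-security", "").split(";") if d.strip()]
    max_age = 0
    for directive in hsts:
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                pass
    csp = lower.get("content-security-policy", "").lower()
    return {
        "hsts_present": bool(hsts),
        "hsts_max_age_ok": max_age >= 31536000,  # at least one year
        "hsts_include_subdomains": "includesubdomains" in hsts,
        "csp_upgrade_insecure_requests": "upgrade-insecure-requests" in csp,
    }


# Constructed sample page served from https://www.example.com/ with three
# insecure subresources; the protocol-relative script and the <a> link are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="alternate" type="application/rss+xml" href="http://www.example.com/feed">
<script src="//cdn.example.com/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://img.example.com/logo.png" alt="">
<a href="http://www.example.com/about">About</a>
<form action="http://www.example.com/login" method="post"><input name="pw"></form>
</body></html>"""

# Constructed header sets: the weak one as often found, and the corrected one.
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300",
                "Content-Security-Policy": "default-src 'self'"}
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests"}

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML, "https://www.example.com/"):
        print(f"mixed content: <{tag}> loads {url}")
    print("weak headers:    ", check_headers(WEAK_HEADERS))
    print("hardened headers:", check_headers(HARDENED_HEADERS))
```

Run against the sample, the scanner flags the stylesheet, the logo and the login form but not the protocol-relative script, the local script or the plain link. The header check is deliberately simple: it tells you whether HSTS is present with a year-long max-age and includeSubDomains, and whether CSP asks the browser to upgrade insecure requests; it does not evaluate the rest of the policy.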

10.2 Cookie Security

HTTP cookies that the developer does not mark with the Secure attribute tear a hole in the security concept: the browser also sends them over plain HTTP, so an attacker on the network can read them even on a fully encrypted website. It is enough to lure the browser into a single http:// request to the domain, for example through an image reference in an unrelated page. This point deserves special attention in the quality assurance of web projects. Casual cookie scoping also allows an attacker to inject cookies into other web applications.

An attacker will typically use an application on a related subdomain; that is, attack www.example.com through blog.example.com or through a subdomain whose name the attacker controls or spoofs. A cookie set there with a Domain=example.com attribute is sent by the browser to every host under example.com, and the receiving application cannot tell it apart from its own. Although this technique does not by itself disclose confidential information, a skilled attacker might be able to elevate their privileges through the application, for instance by fixing the victim's session identifier.

As an antidote, encrypting or integrity-protecting cookie values is recommended. Encryption is the stronger choice, but an integrity check (a keyed MAC over the value with a server-side key) is a usable alternative when the cookie needs to remain readable for JavaScript; in either case the server rejects any cookie whose value it did not produce itself. Cookies that JavaScript does not need should additionally carry the HttpOnly attribute.
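The following simulation is an added example, not code from the article. It models the browser-side rules that let blog.example.com plant a cookie on www.example.com, applies the integrity check recommended above so the server can tell its own cookie from the planted one, and goes one step beyond the text by showing how the __Host- cookie-name prefix makes the browser reject such a cookie outright. Hosts, cookie values and the signing key are constructed for the demo; HttpOnly, SameSite and path matching are left out of the model.

```python
"""Cookie scoping and integrity checking (added example, not from the article).

Simulates how a cookie set by blog.example.com with Domain=example.com reaches
www.example.com, how an HMAC tag lets the server reject it, and how the __Host-
prefix stops the browser from accepting it at all. Hosts, key and values are
constructed for the demo; HttpOnly, SameSite and path matching are not modelled.
"""
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment keeps this server-side and rotates it.
SECRET = b"constructed-demo-key-not-for-production"


class Cookie:
    def __init__(self, name, value, set_by, domain=None, path="/", secure=False):
        self.name, self.value, self.set_by = name, value, set_by
        self.domain = domain  # None -> host-only cookie (no Domain attribute)
        self.path, self.secure = path, secure


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3: exact match, or host is a subdomain of the cookie domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def browser_accepts(cookie, scheme):
    """Set-Cookie acceptance: Secure only over https, plus the cookie-prefix rules."""
    if cookie.secure and scheme != "https":
        return False
    if cookie.name.startswith("__Host-"):
        # __Host- cookies must be Secure, carry no Domain attribute and have Path=/,
        # so a sibling subdomain cannot set one that is delivered to another host.
        return cookie.secure and cookie.domain is None and cookie.path == "/"
    if cookie.name.startswith("__Secure-"):
        return cookie.secure
    return True


def cookies_sent(jar, host, scheme):
    """Cookies a browser attaches to a request for scheme://host/ (path ignored)."""
    sent = []
    for c in jar:
        if c.secure and scheme != "https":
            continue  # Secure cookies never travel over plain HTTP
        if c.domain is None:
            in_scope = c.set_by.lower() == host.lower()
        else:
            in_scope = domain_matches(host, c.domain)
        if in_scope:
            sent.append(c)
    return sent


def sign_value(value, key=SECRET):
    """value.tag with tag = base64url(HMAC-SHA256(key, value)); value stays readable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_value(signed, key=SECRET):
    """Return the plain value if the tag checks out, otherwise None."""
    value, sep, tag = signed.rpartition(".")  # the tag alphabet contains no "."
    if not sep:
        return None
    expected = sign_value(value, key).rpartition(".")[2]
    return value if hmac.compare_digest(expected.encode(), tag.encode()) else None


def demo():
    """Plant a cookie from a sibling subdomain and see what www.example.com receives."""
    jar = []
    # Legitimate host-only session cookie set by www.example.com over HTTPS.
    legit = Cookie("session", sign_value("uid=42"), "www.example.com", secure=True)
    # Attacker on blog.example.com sets the same name with Domain=example.com.
    planted = Cookie("session", "uid=1", "blog.example.com", domain="example.com")
    for c in (legit, planted):
        if browser_accepts(c, "https"):
            jar.append(c)
    sent = cookies_sent(jar, "www.example.com", "https")
    names = [c.name for c in sent]            # two cookies called "session"
    valid = [verify_value(c.value) for c in sent]  # only the legitimate one verifies
    # With the __Host- prefix the browser refuses the planted cookie up front.
    rejected = not browser_accepts(
        Cookie("__Host-session", "uid=1", "blog.example.com",
               domain="example.com", secure=True), "https")
    return names, valid, rejected


if __name__ == "__main__":
    print(demo())
```

Without the integrity tag the server sees two cookies named session in one request and has no reliable way to pick the right one; with the tag, the planted value fails verification and can be dropped. The prefix rule removes the problem one layer earlier, and the two measures combine well: name the cookie __Host-session, set Secure and HttpOnly, and still verify the value on every request.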
