Tips and Tricks
For optimal use of an SSL certificate, it takes more than the purchase of a certificate and its installation. It often happens that the installation is not done properly and that the server settings are not optimal. This results in a website remaining vulnerable, and thus the data being exchanged. Here are some tips that make the use of SSL a lot safer.
The private key
The private key is known only to the owner of the certificate. In wrong hands it can lead to abuse - to decrypt and monitor data-traffic. Make sure that the private key is kept in a safe place, secure the file with a password, create a backup and refresh the private key (and thus the certificate) regularly.
Check the installation of the certificate
With our SSLCheck you can check:
- If the certificate, and the CA root and intermediate certificate are installed correctly. These root certifcates ensure that the certificate is trusted by browsers and applications.
- The properties of the certificate. The current standard is a minimum of 2048-bit RSA, or when visitors are using modern browsers, ECC. The algorithm for signature must be SHA-2. Does a certificate not meet these requirements? A free reissue of your certificate will solve this.
Make sure the server supports the latest versions of the TLS protocol. The protocols from which SSL certificates derive their name, SSL version 1 and 2 are now unsafe. Turn SSLv2 and SSLv3 therefore in your server configuration so that only the newer TLS protocols will be used, and attacks like Poodle won't occur.
Perfect Forward Secrecy
In addition to the protocols you can select which algorithms are to be used to communicate with the browser. One of the things that is supported by a good algorithm is perfect forward secrecy (PFS). PFS ensures that the temporary session key that is created for communication between the browser and the server, cannot be decoded with the private key on a later moment in time. This means that all traffic that someone would capture now, can no longer be deciphered in the future if someone gains access to the private key used.
Secure the entire site with SSL
Ensure that the entire website is secured using SSL, not just the pages where customers leave data. This ensures that during switching from unsecured to secured pages within the website no data can be intercepted. In addition it suppresses the browser alerts on mixed-content. Google encourages the use of SSL on the whole website by rewarding it with a possible higher ranking. Be careful with changing the configuration to ensure that the modification will not be at the expense of discoverability and performance of the website.
For checking the status of a certificate, to see if it might has been revoked, browsers make use of the OCSP and CRL data from the CA. This status information can be transferred by your own webserver too. This so-called OCSP stapling works by having your own webserver contacting the CA's OCSP servers, and caching this information. The webserver then transfers this cached response to the client on visiting the website, and therefore makes it unnecessary for the client to get this information in a second connection from the CA, making the response overall quicker.
More control over your certificates
A quite often used technique to gain more control over which certificate a website or applicaton uses, was Public Key Pinning. Early 2018 Google has announced to stop supporting Public Key Pinning because there are now better alternatives - using Certificate Transparency in combination with CAA records, for example.
When using SSL certificates there is always a risk of revocation, for example due to compromise of the private key or because of unexpected, external situations. In many cases, a CA is required to withdraw certificates within 5 days or even 24 hours in order to continue to comply to the rules. To prevent frequently visited websites or critical applications from becoming unreachable, or if you need a lot of replacement time because of the systems you use, it is advisable to request backup certificates from another CA and root certificate for these applications. If something unexpected happens, you can immediately replace the affected certificates. For more information about the possibilities, please contact us.
Forcing secure connections
A step further than having the whole website available via HTTPS, is forcing the use of HTTPS only. Multiple methods are available to achieve this, like redirecting the visitor from the HTTP version to the HTTPS version. To prevent that a visitor will still be redirected to an unsecured page, you can enable the HTTP Strict Transport Security feature on the webserver. When a visitor has visited your secured website, it receives the HTTP Strict Transport Security header in the browser, and therefore remembers that the website can only be accessed through SSL.
Check the result
On https://www.ssllabs.com/ssltest/ you can check if the SSL connection configuration is secure enough. The goal here is to get at least an A rating.