It is now 2017 and we no longer live in a plain text world by default. Chrome has started informing us that http is not secure and the push for TLS based browser connections is accelerating faster than ever. Modern compute (even in the mobile space) has become so fast that the previous issue of overhead due to TLS connections is far less of an issue today. Free services like letsencrypt.org are eliminating the financial barriers preventing a ” TLS by default” model. Recognizing that and with rate of new breaches surfacing every day you know that you need to secure your web property.
Ok, so, you’ve opened port 443 on your firewall, you’ve generated your certificates, you’ve installed them, and you’ve protected your private keys (If not, stop reading do that and come back. We’ll wait..) You refresh and the page comes up on https! Website secured right? Well, maybe. As with most things the answer is still, “It depends.” Before we get into that ramble, make sure that once you have enabled your secure platform, you properly disable your clear text http access both at the server and the firewall. All the security in the world doesn’t mater if you lock the door but leave the windows open.
Anyhow, as I was saying, “It depends….” In this case it depends on a number of factors but the most frequent concern is typically backwards compatibility. That is balanced on the other end of the spectrum with “total security” (which is a myth but we sure try hard.).
In this case backwards compatibility is important because we want people to be able to access our site without having issues. Impressions are so valuable we don’t dare risk missing out on a reader or a transaction just because we didn’t support their browser technology. Those who want “total security” will achieve this at the cost of compatibility and complexity. The transactions will be secure but only those using the most modern technology will be able to “understand” the crypto that is required for this level of security. Depending on what your risk tolerance is and the sensitivity of the information you are trying to protect will help define “how secure do I need to be?”. Common sense also goes a long way.
If you are a retail web property with many users spread across the globe you need to (potentially) accept more of the legacy browsers/protocols when compared to securing a point to point connection between two servers. In the case of two servers, you know what’s on both ends of this connection, opt for the most secure option that both sides support that performs within the tolerance of the system.
A great site explaining the various configuration options can be found at the mozilla.org wiki.
The configuration generator is unbelievably useful if you are using Apache, Nginx, Lighttpd, HAProxy, or AWS ELB.
For a new deployment I will go to the configuration generator and start with a “Modern” profile and deploy those options and wait for feedback from the users. If there are no problems, awesome, gold star.
Sometimes backwards compatibility becomes an issue in corporations who have manufacturing and engineering equipment that are expensive, specialized, and don’t support the newer protocols. Compatibility issues also can arise in parts of the world where modern technology is not immediately available or affordable. In these cases you can use the configuration generator to work backwards to determine your most secure common protocol.
Other times you will be faced with an old server that “can’t be upgraded, moved, retired, rebooted…” yeah, you know the one…
In this case you can use the configuration generator to put in your server and SSL version and generate the best options that you can based on that. In these cases it’s also recommended to isolate the connections to these systems using a firewall or equivalent technology. Defense in depth…
Be sure to check out my post SSL, TLS, and Ciphers: OH MY! for more information about secure server configuration.
As with any set of changes, once you’ve implemented you need to verify. You can read about about my preferred tools for the job in my post: Beware the False Negative – SSLv2 Detection Issues
Have some feedback about this ramble? Let us know in the comments or find me on Twitter @JaredGroves