SSL Data Security

    When did you last check how reliable your SSL configuration is? It is not enough to buy an SSL certificate and install it; you also need to configure it.

    Why it is important. An external security assessment (manual or automated) usually begins with a check of the SSL configuration, because the SSL configuration is a good indicator of the overall security level of the data protection system. That is why advanced users send questions such as "how can you protect my personal data if you still have SSL v3 enabled?". Under the GDPR, a reliable SSL configuration counts as one of the technical measures for protecting personal data.

    Testing SSL configuration

    Problems associated with SSL protocol versions:

    • SSL v2 is insecure, outdated and not recommended for use. See the DROWN attack on this protocol.
    • SSL v3 is insecure and outdated. See the POODLE attack.
    • TLS v1.0 is also obsolete, but in practice it is still sometimes required. Its main weakness (BEAST) has been mitigated in modern browsers.
    • TLS v1.1 and TLS v1.2 have no known security issues, but only v1.2 provides modern cryptographic algorithms.


    It is strongly recommended to disable SSL 2.0, SSL 3.0 and TLS 1.0: most security standards (for example PCI DSS 3.1) dropped support for them long ago.

    The recommended protocols are TLS v1.1 and TLS v1.2, combined with up-to-date cipher suites and hash algorithms.

    SSL configuration analysis

    The SSLLabs Test Tool is a great way to test the reliability of an SSL configuration.

    A+ and A are the best grades for an SSL configuration; F is the worst.

    Example SSLLabs test result for one of our product sites (screenshot not reproduced).

    The following is another example of how to quickly check the SSL configuration level using the nmap tool (screenshot not reproduced).
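The nmap check in the screenshot produces `ssl-enum-ciphers` output listing every protocol version and cipher suite the server accepts. As an added example (not code from the article), the Python script below parses that output and applies the protocol policy stated in the list above: SSL v2, SSL v3 and TLS 1.0 must be off, and stream, export, NULL, MD5 and anonymous suites are flagged. The nmap output embedded in it is constructed for the example, not a real scan, and the weak-cipher marker list is my own reading of the article's advice.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443 <host>` output.
# It is not a real scan result; the layout follows the script's normal output.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Policy from the article: SSLv2, SSLv3 and TLS 1.0 must be off; TLS 1.1/1.2 are acceptable.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
# Substrings that mark a suite as weak (assumed list): RC4 stream cipher, 64-bit block
# 3DES, no encryption, export grade, MD5 MAC, anonymous key exchange.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5", "anon")

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^(TLS_[A-Za-z0-9_]+)\b")


def parse_ssl_enum_ciphers(text: str) -> Dict[str, List[str]]:
    """Return {protocol version: [cipher suite names]} for every version nmap lists."""
    offered: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                        # PORT/STATE lines, not script output
        line = raw.lstrip("|_ ").rstrip()   # drop the script's "|   " margin
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered.setdefault(current, [])
            continue
        cipher = CIPHER_RE.match(line)
        if cipher and current is not None:
            offered[current].append(cipher.group(1))
    return offered


def audit(offered: Dict[str, List[str]]) -> List[str]:
    """Apply the policy and return one human-readable finding per problem."""
    findings: List[str] = []
    for proto in sorted(offered):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"{proto} is enabled: disable it")
        for suite in offered[proto]:
            hits = [m for m in WEAK_CIPHER_MARKERS if m in suite]
            if hits:
                findings.append(f"{proto}: weak cipher suite {suite} ({', '.join(hits)})")
    return findings


def meets_policy(text: str) -> bool:
    """True when the scanned host offers no legacy protocol and no weak suite."""
    return not audit(parse_ssl_enum_ciphers(text))


if __name__ == "__main__":
    for finding in audit(parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)):
        print("FAIL:", finding)
```

Run against a saved scan (`nmap --script ssl-enum-ciphers -p 443 host > scan.txt`, then feed the file contents to `audit`) as a quick pre-check before submitting the site to SSLLabs; a host that passes `meets_policy` has at least removed the protocol-level problems described above.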

    Strong ciphers

    A low SSL configuration grade is in most cases caused by the use of outdated and weak encryption algorithms.

    This resource provides guidance on configuring strong SSL cipher suites on Apache, nginx, HAProxy and others.

    Configuration on Nginx

    The following nginx web server configuration raised the SSLLabs grade from B to A+ and strengthened the protection of the system (screenshot of the configuration not reproduced).
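The nginx configuration in the screenshot is not reproduced, so as an added example (not the author's configuration) here are two constructed nginx server-block fragments, one with the weak settings that typically earn a B grade and one hardened along the lines the article describes, together with a small Python audit that reports the differences. The directive names and values are real nginx syntax; the certificate paths, the cipher list and the finding wording are my assumptions.

```python
import re
from typing import Dict, List

# Constructed nginx fragment with the kind of settings that produce a low grade.
WEAK_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'RC4-SHA:DES-CBC3-SHA:AES128-SHA:HIGH';
    ssl_prefer_server_ciphers off;
}
"""

# Constructed hardened fragment: legacy protocols off, AEAD suites only, HSTS on.
HARDENED_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!RC4:!3DES';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

# nginx spells TLS 1.0 as "TLSv1"; these are the versions the article says to disable.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# OpenSSL cipher-string words that should only ever appear as "!" exclusions (assumed list).
WEAK_CIPHER_TOKENS = ("RC4", "DES", "3DES", "MD5", "NULL", "aNULL", "EXP", "LOW")

DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers|add_header)\s+(.*?);\s*$",
    re.M,
)


def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Collect the TLS-relevant directives; add_header may repeat, so keep a list per name."""
    found: Dict[str, List[str]] = {}
    for name, value in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(value.strip())
    return found


def audit_nginx(conf: str) -> List[str]:
    """Return one finding per weak setting; an empty list means the fragment passes."""
    d = parse_directives(conf)
    findings: List[str] = []

    # Older nginx releases default to "TLSv1 TLSv1.1 TLSv1.2" when the directive is absent.
    protocols = d.get("ssl_protocols", ["TLSv1 TLSv1.1 TLSv1.2"])[-1].split()
    for p in protocols:
        if p in LEGACY_PROTOCOLS:
            findings.append(f"ssl_protocols enables legacy {p}")

    # nginx default cipher string is HIGH:!aNULL:!MD5.
    cipher_string = d.get("ssl_ciphers", ["HIGH:!aNULL:!MD5"])[-1].strip("'\"")
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            continue                        # explicit exclusion, which is what we want
        name = token.lstrip("+-")
        if any(weak == name or weak in name.split("-") for weak in WEAK_CIPHER_TOKENS):
            findings.append(f"ssl_ciphers allows weak token {token}")

    # Without this the client chooses the suite, so a downgrade-happy client gets its way.
    if d.get("ssl_prefer_server_ciphers", ["off"])[-1] != "on":
        findings.append("ssl_prefer_server_ciphers is off: client picks the suite")

    if not any("Strict-Transport-Security" in h for h in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header (HSTS)")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NGINX_CONF), ("hardened", HARDENED_NGINX_CONF)):
        print(f"{label}: {audit_nginx(conf) or 'OK'}")
```

The audit only reads the directives it knows about, so it is a pre-deployment sanity check, not a replacement for the SSLLabs scan; the grade still depends on the certificate chain and the OpenSSL build nginx is linked against.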

    Configuration on Windows

    Windows Server 2016 and later ship with an SSL configuration that complies with current security requirements (for example, SSL v2 and SSL v3 are disabled).

    In earlier Windows Server versions (2008, 2012), SSL v3 is still enabled, so you need to disable the legacy protocols manually. See the Microsoft recommendations: how to disable PCT 1.0, SSL 2.0, SSL 3.0 or TLS 1.0.

    We use the IIS Crypto tool, which provides a graphical interface for disabling weak ciphers and legacy protocols. This avoids risky manual edits of the Windows registry.

    Using the SSLLabs Test Tool, its tips and features, you can quickly secure SSL/TLS on Windows.

    Real-life SSL configuration example for Windows Server 2012 R2 (screenshot not reproduced).

    Posted by Denis Koloshko, CISSP
