Is Your Website’s SSL Vulnerable?
In this tutorial, I’ll walk through how to check your website’s HTTPS SSL certificate for common vulnerabilities and I’ll also provide some steps to easily mitigate common issues.
Check Your SSL Certificate Using The Qualys Online SSL Test
What are you waiting for? Go scan your website for weak ciphers, outdated SSL versions, certificate chain issues, and more! First, take the Qualys SSL Test (feel free to check Joscor.com as a reference website).
Review & Response
Here we will cover some mitigation steps to help secure your HTTPS website.
SHA1 Signature Algorithm (weak/deprecated algorithm)
The Problem
The SHA1 hash algorithm is being deprecated because it’s now considered too weak for modern security. What set the tech world on fire was that Google has announced they will start penalizing websites that use this insecure hash algorithm for their SSL certificates.
Read The Qualys SHA1 Deprecation Report Here.
The Solution
Luckily, most SSL vendors saw the signs long ago and now support SHA2 hashes for their SSL certificates. The only way to “fix” a SHA1 SSL certificate is to have it re-keyed by the SSL vendor. For instance, if you have an SSL certificate from GoDaddy, you will need to create a new SSL private key, create a new CSR, and give that to GoDaddy; they will then issue you a fresh certificate that uses SHA2 algorithms.
GoDaddy – SHA-2 Transition Guide
Weak Cipher Strength
The Problem
You’re allowing clients to connect to your HTTPS server using insecure, outdated SSL ciphers.
The Solution
If you’re using the Apache2 web server, open your active site’s configuration file (/etc/apache2/sites-enabled/.conf) and add/update the following configuration parameters. This will limit the types of available SSL ciphers to only modern and secure ciphers.
SSLHonorCipherOrder On
# This list should be ":" delimited with no spaces.
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+AES+SHA384:EECDH+aRSA+AES+SHA384:EECDH+ECDSA+AES+SHA256:EECDH+aRSA+AES+SHA256:EECDH+ECDSA+AES+SHA1:EECDH+aRSA+AES+SHA1:EECDH+ECDSA+3DES+SHA1:EECDH+aRSA+3DES+SHA1:EDH+DSS+AESGCM:EDH+aRSA+AESGCM:EDH+DSS+AES+SHA384:EDH+aRSA+AES+SHA384:EDH+DSS+AES+SHA256:EDH+aRSA+AES+SHA256:EDH+DSS+AES+SHA1:EDH+aRSA+AES+SHA1:EDH+DSS+3DES+SHA1:EDH+aRSA+3DES+SHA1:aRSA+AESGCM:RSA+AES+SHA256:RSA+AES+SHA1:RSA+3DES+SHA1:!aNULL:!MD5:!DSS
Protocol Support
The Problem
You’re allowing web clients to connect to your HTTPS server using outdated SSL protocol versions (SSL2, SSL3). Do your research before applying this change, as removing SSL3 support from your website will cause it to reject requests from legacy web browsers such as Internet Explorer 6.
Conversely, if your server does not support the latest TLS 1.2, you should upgrade your web server’s SSL version to the latest.
The Solution
If you’re using the Apache2 web server, open your active site’s configuration file (/etc/apache2/sites-enabled/.conf) and add/update the following configuration parameter. This will limit the types of available SSL protocol versions to only modern and secure versions (TLS 1.0+).
SSLProtocol all -SSLv3 -SSLv2
HTTP Strict Transport Security (HSTS)
The Problem
If your site is forced-HTTPS (as in, you don’t allow non-SSL traffic), then you will want HSTS to ensure all traffic is appropriately secured.
The Solution
Add the following line to your Apache2 website’s active config file (/etc/apache2/sites-enabled/.conf):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
For other web browsers, and additional information on HSTS, check out this OWASP HSTS article.
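The directives from the Weak Cipher Strength, Protocol Support and HSTS sections can be checked offline before Apache is reloaded. The Python script below is an added example, not part of the original tutorial; the function names, the weak-token denylist and the sample config are assumptions made for illustration, and the SSLProtocol handling is a simplified model of mod_ssl's +/- syntax.

```python
import re
import shlex

LEGACY = {"sslv2", "sslv3"}
ALL_PROTOCOLS = LEGACY | {"tlsv1", "tlsv1.1", "tlsv1.2"}
WEAK = {"aNULL", "eNULL", "MD5", "RC4", "EXPORT", "LOW"}  # assumed denylist; extend it
# Constructed sample of a misconfigured vhost (not taken from a real server).
SAMPLE = """SSLProtocol all -SSLv2
SSLCipherSuite EECDH+aRSA+AESGCM :RC4+MD5 :!aNULL"""

def enabled_protocols(args):
    """Simplified SSLProtocol model: 'all', '+X', '-X'; a bare name replaces the set."""
    enabled = set()
    for tok in (a.lower() for a in args):
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL_PROTOCOLS if name == "all" else {name}
        enabled = {"-": enabled - group, "+": enabled | group}.get(sign, set(group))
    return enabled

def audit(conf_text):
    """Return findings for the Apache settings covered in this tutorial."""
    seen = {}
    for line in map(str.strip, conf_text.splitlines()):
        if line and not line.startswith(("#", "<")):  # skip comments and <VirtualHost> tags
            name, *args = shlex.split(line)
            seen.setdefault(name.lower(), []).append(args)
    findings = []
    if "sslprotocol" not in seen:
        findings.append("SSLProtocol is not set explicitly")
    elif legacy := enabled_protocols(seen["sslprotocol"][-1]) & LEGACY:
        findings.append("SSLProtocol enables " + ", ".join(sorted(legacy)))
    if seen.get("sslhonorcipherorder", [["off"]])[-1][0].lower() != "on":
        findings.append("SSLHonorCipherOrder is not On")
    ciphers = seen.get("sslciphersuite", [[]])[-1]
    if not ciphers or any(a.startswith(":") or a.endswith(":") for a in ciphers):
        findings.append("SSLCipherSuite is missing or has spaces around ':'")
    for spec in filter(None, ":".join(ciphers).split(":")):
        if spec[0] not in "!-" and WEAK & set(spec.split("+")):
            findings.append("SSLCipherSuite enables weak spec " + spec)
    hsts = [a[-1] for a in seen.get("header", [])
            if "strict-transport-security" in map(str.lower, a)]
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if not age or int(age.group(1)) == 0:
        findings.append("no Strict-Transport-Security header with a non-zero max-age")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Pass the text of your site's configuration file to audit(); an empty list means all of the checks passed.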
Have a suggestion? An additional measure to secure the SSL/HTTPS on a web server that I missed? Please, leave a comment! I’m always eager to hear new ways to secure a web server.