SSL / TLS Security in the real world!

Best practices for SSL / TLS security for websites for maximum Security and optimal compatibility.

In my previous article (available here) I described the SSL / TLS configuration you should implement if you can control which browsers / OSes your end users are using. For internet-facing sites, however, that configuration will leave a large number of users unable to access your site.

Many of the recommendations will be similar to my earlier article but we will enable a few things which would increase compatibility dramatically.

So let's get started!

Features to be enabled

  1. SSL v2 and v3 should be disabled (protects against the BEAST and POODLE attacks)
  2. TLS v1.0, v1.1 and v1.2 should be enabled (TLS v1.0 is kept for maximum compatibility; however, it can increase the risk from BEAST)
  3. TLS compression should be disabled (protects against the CRIME attack)
  4. Secure Renegotiation should be enabled
  5. Forward Secrecy should be enabled

Ciphers:

  1. All ciphers below 128 bit should be disabled
  2. ECDHE based ciphers should be prioritized
  3. RC4 based ciphers should be disabled
  4. The ciphers listed below should be enabled and given highest priority.
  5. Disable all Export Ciphers

This is also my current configuration, so you can use it to test the configuration on older browsers/devices and check compatibility.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

Apache SSL config

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
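
The cipher rules listed earlier can be checked mechanically against this cipher string. The following is an added example, not the author's code: it uses Python's standard ssl module (assumed to be linked against OpenSSL, whose build decides which suites actually appear) to expand the string and audit the result. The names expand, audit and WEAK_SAMPLE are hypothetical, and the weak sample is constructed for comparison.

```python
import ssl

# Cipher string copied from the page's "Apache SSL config" section.
PAGE_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
)

def expand(cipher_string):
    """Return the suites the local OpenSSL enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(suites):
    """Check dicts with 'name' and 'strength_bits' against the page's rules."""
    problems, seen_dhe = [], False
    for c in suites:
        name = c["name"]
        if c["strength_bits"] < 128:
            problems.append(f"{name}: below 128 bit")
        if "RC4" in name:
            problems.append(f"{name}: RC4")
        if name.startswith("EXP"):
            problems.append(f"{name}: export cipher")
        if name.startswith("ECDHE-"):
            if seen_dhe:
                problems.append(f"{name}: ECDHE ranked below a DHE suite")
        elif name.startswith("DHE-"):
            seen_dhe = True
        else:
            problems.append(f"{name}: no forward secrecy")
    return problems

# Constructed sample of a weak preference list (OpenSSL-style names).
WEAK_SAMPLE = [
    {"name": "DHE-RSA-AES128-SHA", "strength_bits": 128},
    {"name": "ECDHE-RSA-RC4-SHA", "strength_bits": 128},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
    {"name": "AES128-SHA", "strength_bits": 128},
]

if __name__ == "__main__":
    print("page string:", audit(expand(PAGE_CIPHER_STRING)) or "OK")
    print("weak sample:", audit(WEAK_SAMPLE))
```

The audit only covers the cipher rules; protocol versions, compression and renegotiation are set by separate server directives and need their own check.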

Browser and OS Compatibility

  • Android 2.3 or later. Support on older OS versions may be present.
  • IE 7 / Vista or higher
  • Safari all versions on OS X or iOS
  • Google Chrome all versions
  • Mozilla Firefox all versions
  • Opera version 5 onwards
