In a rapidly changing information security landscape, securing your web communications is no mean feat.
All cryptographic standards provide a degree of security based on current and projected computational power. However, given enough powerful resources, all systems can be broken and rapid advances in computation power and techniques accelerate this process.
In short, cryptography will always be an arms race.
This article will take you through everything you need to know about information security, the different kinds of cryptography available, the different vulnerabilities and how to mitigate them, and best Practices for Securing Web Communications using SSL and TSL.
Ready to secure your web communications? Let’s dive in…
There are five main implementations of asymmetric cryptography in use across the internet. They are SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2.
These implementations are commonly understood to be part of SSL, but there is a difference between SSL and TLS.
All versions of Secure Sockets Layer (SSL) are now widely considered to be insecure and should only be used where legacy applications require its use.
Transport Layer Security (TLS) 1.2 and ‘enhanced implementations’ of 1.0 + 1.1 are now the de-facto method of securing web communications.
The decline of SSL has been accelerated by widely publicised vulnerabilities in SSLv3 in 2014, aka POODLE. Advice from Linux vendors is to turn off SSLv3 whenever possible. Furthermore security researchers are also seeing cracks in early implementations of TLS.
As Adam Langley warns in his article The POODLE bites again:
“This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken.”
Encryption is considered cryptographically broken if advancements in techniques or computational power make it feasible to decrypt. Alternative methods of breaking encryption involves influencing selection of key ciphers and creating patterns in cipher text and these techniques continually evolve.
SSL is now considered broken as a result of padding attacks and weak ciphers, consequently SSLv2 and SSLv3 will not be discussed any further. Users of End of Life (EoL) operating systems and browsers are already experiencing issues with HTTPS enabled services and this subset of users is rapidly vanishing.
TLS 1.0 and TLS 1.1 have known issues and those issues are best visualised in the following table. Although there are known issues with these standards; updates designed to mitigate effects have been included within the latest versions of web servers, OpenSSL and browsing software.
To enjoy the assurance of full HTTPS security TLS 1.2 is highly recommended.
Image: Cipher security against publicly known feasible attacks
Server Name Indication is an integral part of TLS, as the name implies the client specifies which common name it wants to connect to as part of the handshaking process. This allows the server to select the appropriate certificate for the connection.
With the advent of POODLE vulnerabilities, SSLv3 should no longer be in use which has paved the way for the widespread adoption of SNI. The exception is where old clients are required to connect to legacy systems, otherwise all connections should be TLS whenever possible.
Older browsers, primarily IE 6, 7 and 8 running on Windows XP, will receive certificate errors when connecting to SNI or TLS only servers. The data on W3schools suggests this will be a subset of the remaining 1.4% of IE 7 and 8 users.
Let’s Encrypt is another important change and great for development, small and internal websites. And the free certificates it provides also deserve a mention.
Many suggest this is helping to lead the charge of HTTPS adoption, alongside Google who now prioritise HTTPS websites.
Here are 10 quick ways for your business to secure its web communications using SSL and TSL:
More generally, you should be looking to update machine templates to use newer versions of web servers and OpenSSL.
You should also:
If you want to find out more about Secure Web Communications with SSL and TLS, here are some recommended articles:
Download our information security whitepaper, The Security Mindset, to realise the benefits of information security for managed cloud services.