SSL Security : Primer Series
This is a series of posts on doing SSL configuration the right way. Just enabling an SSL certificate is not the complete step; it is the basic step. I shall try to cover all the steps required to get an A+ on the SSL Labs test. I shall structure this series of posts with the right steps in a later post.
For now,
Basic stuff:
What is SSL Security? Do I need HTTPS or SSL?
Simple answer: any data exchanged between you (the device) and the web server (the server providing the service, from rendering a page to serving JSON data) is open for anybody to read if you do not secure it. If you are okay with that (say, a basic public site), then there is no issue, but if you handle any PII data, any password, or any other sensitive information, from a user's username to his flight itinerary, your job as a provider is to secure it. So, secure the communication leaving your computer.
Cons: overhead / CPU cycles etc. (but we shall discuss soon enough how to mitigate that: SSL termination) / installation and deployment headaches (really? do you think this is an issue? 20 minutes of server configuration for the security it provides to your users).
Implementation:
A) Fairly easy: buy an SSL certificate (starting from hardly $10/year).
B) Install it on your IIS/Apache/Nginx/Node.js (it is hardly a 15-minute job; just ask your server admin. If you need help, anybody can do it for you for $10. I shall put down a small post with snapshots later).
C) Use SSL termination at the first edge of the web tier, preferably as soon as traffic crosses the public boundary. Maybe the load balancer is the right place. (We have a ready-to-use image that does this, built on a hardened kernel, for our Azure or Amazon images.)
Note: SSL is just a security protocol. Security protocols specify how algorithms should be used, and hence your configuration has an effect on the same. What this means is that the SSL configuration determines the different variables (protocol version, cipher suite, key size) which decide the level of encryption for the data on the wire.
Additional Configuration Options:
A) Choosing the right cipher suites. I will point to a page which already provides a list of all the updated cipher suites.
B) SSL offloading / termination: please enable this. We are solution providers and not just bookkeepers. Use CPU cycles efficiently. Put up a VNet and keep all internal communication internal, with only one way in for data. Keep public endpoints limited (very limited), remove all the rest, and all internal communication between the load balancer and the servers can be on HTTP, as it does not go beyond your virtual network.
HSTS security:
Enabling HSTS tells clients that have already connected over HTTPS that they are expected to keep using HTTPS for a stated period into the future. What this implies is that downgrading HTTPS to HTTP becomes much more difficult. The normal recommendation is to set this at least 6-9 months ahead, although we recommend keeping it at least a year.
Setting up HSTS takes a very small amount of time but goes a long way in securing SSL (it is at least one of the major steps). Remember, the beauty of technology is in its simplicity.
Check out the app.js in Node.js:
var express = require('express');
var helmet = require('helmet');
var app = express();
var ONE_YEAR = 31536000000; // 365 days in milliseconds (the helmet release this targets took maxAge in ms; newer releases take seconds)
app.use(helmet.hsts({
  maxAge: ONE_YEAR,        // how long browsers must keep using HTTPS for this host
  includeSubdomains: true, // extend the policy to every subdomain as well
  force: true              // send the header even when the app does not see the request as HTTPS (e.g. behind an SSL-terminating load balancer)
}));
app.listen(3000);
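To verify what actually reaches the browser, here is an added example (not code from the original post or from helmet) that parses a Strict-Transport-Security header value and grades it against the 6-9 month floor and one-year recommendation above; the sample header values are constructed.

```javascript
// Added example (not from the original post): grade a Strict-Transport-Security
// header value against the recommendations made above.
var SIX_MONTHS = 182 * 24 * 60 * 60; // the post's lower bound, in seconds
var ONE_YEAR = 365 * 24 * 60 * 60;   // the post's recommendation, in seconds

// Parse e.g. 'max-age=31536000; includeSubDomains' into an object. Directive
// names are case-insensitive (RFC 6797) and max-age may be quoted.
function parseHsts(headerValue) {
  var policy = { maxAge: null, includeSubDomains: false };
  headerValue.split(';').forEach(function (raw) {
    var parts = raw.trim().split('=');
    var name = parts[0].trim().toLowerCase();
    var value = (parts[1] || '').trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      var n = Number(value);
      policy.maxAge = value !== '' && Number.isInteger(n) && n >= 0 ? n : null;
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  });
  return policy;
}

// Return a list of findings; an empty list means the header meets the bar.
function checkHsts(headerValue) {
  if (!headerValue) return ['no Strict-Transport-Security header: HTTP downgrade not prevented'];
  var p = parseHsts(headerValue), findings = [];
  if (p.maxAge === null) {
    findings.push('max-age missing or invalid: browsers ignore the whole header');
  } else if (p.maxAge === 0) {
    findings.push('max-age=0 makes browsers forget the policy (disables HSTS)');
  } else if (p.maxAge < SIX_MONTHS) {
    findings.push('max-age below six months: ' + p.maxAge + 's');
  } else if (p.maxAge < ONE_YEAR) {
    findings.push('max-age under one year: ' + p.maxAge + 's');
  }
  if (!p.includeSubDomains) {
    findings.push('includeSubDomains missing: subdomains still reachable over HTTP');
  }
  return findings;
}

// Constructed sample header values, as a proxy or app might emit them.
var SAMPLES = {
  good: 'max-age=31536000; includeSubDomains',
  short: 'max-age=86400',
  disabled: 'max-age=0; includeSubDomains',
  broken: 'includeSubDomains'
};
```

Run checkHsts on the value your load balancer or app returns (e.g. from curl -I over HTTPS) to confirm the header survived SSL termination.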
And hello, your SSL is a little BYTE more secure today!!!