An essential part of the internet chain of trust is Secure Sockets Layer (SSL) (technically referred to now as “Transport Layer Security” or “TLS”). SSL/TLS is the standard security technology for establishing an encrypted link between a web server and the client browser or application. CAs serve as the intermediaries of that trust by issuing and selling digital SSL certificates which are used to encrypt and secure web sites, as well as transactions, APIs, and SKIs. These technologies and protocols are well understood, widely adopted, and hugely scalable. This level of success has attracted the attention cyber criminals and hackers. The security ecosystem will continue to innovate to thwart future forms of attacks with new developments like TLS 1.2 and beyond. The following is a summary of best practices to help organizations optimize their SSL security.
SHA-1 End Of Life - A few weeks ago Google announced that Chrome 40 (to be released after the holidays) will warn users about any site using a SHA-1 SSL certificate that expires after December 31, 2016. Other upcoming versions of Chrome will have a yellow warning symbol for sites using SHA-1 certificates expiring in 2016. This follows Microsoft’s announcement last year that it would curtail support for SHA-1 SSL Certificates after January 1, 2017. If you are currently using SHA-1, stay ahead of these changes by contacting your Certification Authority to re-issue and update your existing certificates.
- CA Security Council - Support SHA-256 Hashes in SSL
- Google SHA-1 Deprecation: Are You at Risk? (Symantec)
- Symantec SHA-1 information page
DV Certificates - Is your site using DV certificates? Domain validated SSL certificates (DV SSL) are server security certificates that provide the lowest level of validation available from commercial Certification Authorities. Recent research has shown that such certificates, while easy to get and inexpensive, are being used broadly by phishing and look-a-like web sites. As a best practice OTA suggests sites upgrade to Organizational Validation (OV), High Assurance or Extended Validation SSL Certificates (EVSSL), which require additional validation processes and controls.
Always On SSL & Perfect Forward Secrecy - March 5, 2014 (Symantec webinar)
Speakers - Symantec Trust Strategist Jeff Barto, OTA Executive Director Craig Spiezle & Akami Chief Architect Stephen Ludin
Always On SSL / HTTPS Everywhere (AOSSL)
We increasingly live, interact, and do business online, making online trust and information security more important than ever before. From gathering information, sending email and visiting popular social networking sites, to purchasing products and conducting online banking, it is more important than ever that people’s experience online is one of confidence and safety. Online trust involves a system for securing the communications with websites that end-users visit. At the root of secure web sites are securely installed SSL certificates, which for nearly two decades have helped build trust on the public Internet.
Given the important role of Certificate Authorities (CAs) in online trust, it is important for the public to understand their dedication to the highest industry standards. The threat landscape will continue to change in focus from year to year, but the driving principles of how to apply technology, and how to do business in a secure fashion are of driving importance to all the members of the OTA. Proper implementation of SSL, best practices of the CAs issuing the SSL Certificates, and a constant vigilance for how to improve with new threats and technological advances anchors the future of online trust.
HeartBleed Vulnerability Resources & Steps to Mitigate The Risk
In response to the HeartBleed SSL vulnerability, OTA has the following recommendations and third party resources. The HeartBleed bug was disclosed on April 7, 2014, after mistakenly being introduced two years-ago. At this time it is unknown to what if any extent the vulnerability has been exploited. It is important to note it was initially inaccurately reported as Malware, or a problem within the SSL / TLS protocols. Both are false. The HeartBleed bug exists because of a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality and is a server issue.
- Evaluate your server(s) for potential vulnerabilities (use tool from SSL Labs)
- If your site or device is determined to be at risk, upgrade to OpenSSL 1.0.1g. More >
- HeartBleed is a wake up call to the reach of a single vulnerability. Use this as a reminder to Install firmware updates for wireless routers, printers and firewalls. In addition when they become available Install updates for devices running Android 4.1.1 Jelly Bean and Linux desktop distributions.
- Change all admin passwords and issue a user advisory to change passwords AFTER you have patched your servers and devices including mobile devices and routers. You won’t be properly hardened until you change your passwords. It’s your login credentials that give you access to encrypted data transfer on those websites. It is recommended to change your passwords often and never reuse them from one site to another.
- Be careful using public Wi-Fi spots. While coffee shop, shopping, airport and hotel Wi-Fi connections are convenient, these unsecured connections leave you open to attacks and compromise your privacy. When you do use them, set up a virtual private network to secure your Internet traffic.
- Use sites which fully encrypt your browser session, (See Always On SSL)
- To confirm the identity of the sites you are visiting, look for the green address bar or trust icon (See Extended Validation SSL)
- Open Source software while attractive from a development perspective, brings inherent security risks due to the lack of resources to provide ongoing code review and security assessments. Open SSL, OpenX and others have been attractive targets by cybercriminals.
- Check for updates to be installed automatically on clients and servers, including mobile devices.
- Complete ongoing security assessments of customized software applications. They may have embedded third party code which may have vulnerabilities.
OTA Member & Recommended Resources:
SSL Server Implementation Test Tool (SSL Labs)
Revised October 9, 2014