How to Make Your SSL Secure

Secure Sockets Layer (SSL) technology has changed in recent years, and new vulnerabilities have been discovered along the way. This tip explores the current SSL security landscape, outlines the emerging issues, and describes the steps companies can take to address them and deploy SSL securely:

The SSL certificate

The SSL certificate is a key component of SSL security and signals to users that the website can be trusted. It must therefore be obtained from a reliable certificate authority (CA); the larger the CA's market share the better, as that means there is less chance the certificate will be revoked. Organizations should not rely on self-signed certificates. The certificate should ideally be signed using the SHA-2 hashing algorithm, as there are currently no known vulnerabilities in this algorithm.

Extended validation (EV) certificates provide another means of increasing trust in the security of the website. Most browsers show websites that have EV certificates in a safe green color, providing a strong visual clue to end users that the website can be considered safe to use.

Disable support for weak ciphers

Almost all web servers support strong (128-bit) or very strong (256-bit) encryption ciphers, but many also support weak ciphers, which attackers can exploit to compromise your enterprise network security. There is no reason to support weak ciphers, and they can be disabled in a couple of minutes by configuring your server (Apache's mod_ssl, in this example) with a line like:

SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
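An OpenSSL cipher string such as the one above is only as good as what it expands to on the server's OpenSSL build, so it is worth checking the expansion rather than trusting the keywords. The following Python script is an added example, not part of the original article or of any server product: it expands a cipher string through the local OpenSSL via the standard `ssl` module and flags suites whose names carry well-known weak markers. The marker list and the second, stricter string it compares against are this example's own choices.

```python
import ssl

# Substrings that mark a cipher suite as weak or obsolete: no encryption,
# export grade, unauthenticated (anonymous DH/ECDH), RC4, RC2, (3)DES, MD5.
# This list is an assumption of the example, not an OpenSSL definition.
WEAK_MARKERS = ("NULL", "EXP", "ADH", "AECDH", "RC4", "RC2", "DES", "MD5")


def weak_ciphers(names):
    """Return, sorted, the suite names from `names` that match a weak marker."""
    return sorted(n for n in names if any(m in n.upper() for m in WEAK_MARKERS))


def expand(cipher_string):
    """Expand an OpenSSL cipher string the way the server's TLS library will.

    Returns suite names in preference order. An empty list means the string
    selected nothing on this OpenSSL build, which is itself a finding.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Return (all_suites, weak_suites) for a cipher string."""
    suites = expand(cipher_string)
    return suites, weak_ciphers(suites)


if __name__ == "__main__":
    # The string from the article, then a stricter modern alternative
    # constructed here for comparison.
    for s in ("RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW",
              "ECDHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"):
        suites, weak = audit(s)
        print(f"{s}\n  {len(suites)} suites, weak: {weak or 'none'}")
        for name in suites:
            print("   ", name)
```

Two details of the OpenSSL syntax matter when reading the output: `+HIGH:+MEDIUM` only reorders suites that are already selected, it does not add any, and `-LOW` removes LOW suites in a way that a later keyword can re-add, whereas `!LOW` removes them for good. The script shows exactly which suites survive, so you can see whether RC4 or 3DES (historically grouped under MEDIUM or HIGH) are still enabled by a given string.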

Make sure your server doesn’t support insecure renegotiation

The SSL/TLS Authentication Gap vulnerability allows a man-in-the-middle attacker to use protocol renegotiation to inject arbitrary content into an encrypted data stream. Most major vendors have issued patches for it, so if you have not already done so, make it a priority to implement secure renegotiation or, at the very least, disable insecure renegotiation (making any necessary changes to your site).

Ensure that all stages of authentication are performed over SSL

Protecting your users' credentials is key, and that means serving the login form itself over an SSL connection as well as protecting the credentials with SSL when they are submitted to you. If the form is served over plaintext HTTP, an attacker can intercept it and replace it with a malicious, insecure copy that forwards users' credentials to a server they control.

Don’t mix SSL protected content and plaintext on your web pages

Mixed content can lead to your site being compromised, because a single unprotected resource, such as a JavaScript file loaded over plain HTTP, can be used to inject malicious code or can open the page to a man-in-the-middle attack.
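Both of the preceding points, the login form posting over plaintext and sub-resources loaded over plain HTTP, can be caught by scanning the HTML a page actually serves. The scanner below is an added example, not code from the original article: it walks a page with Python's standard `html.parser`, resolves every script, image, frame, stylesheet and form target against the HTTPS page URL, and reports those that end up on an `http:` URL. The tag/attribute table and the sample page are this example's own constructions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch from, or submit to, a URL.
# Assumed list for this example; a production scanner would cover more.
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "embed": "src",
    "source": "src",
    "object": "data",
    "form": "action",
    "link": "href",  # only when rel contains "stylesheet"; see handle_starttag
}

# Constructed sample page served from https://www.example.com/ (not a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.net/jquery.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="//images.example.net/logo.png">
<iframe src="http://ads.example.org/frame"></iframe>
<form action="http://www.example.com/login" method="post"></form>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collect sub-resource references that resolve to an http: URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = {k: (v or "") for k, v in attrs}
        # A <link> only loads something for rel values such as stylesheet;
        # rel="canonical" and similar are metadata, not fetches.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        value = attrs.get(attr_name, "").strip()
        if not value:
            return
        # Resolve relative and scheme-relative (//host/...) references against
        # the HTTPS page URL so that only genuine http: references are flagged.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme.lower() == "http":
            self.findings.append((tag, attr_name, absolute))


def find_mixed_content(page_url, html):
    """Return a list of (tag, attribute, url) for every plaintext reference."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.example.com/", SAMPLE_PAGE):
        print(f"<{tag} {attr}> loads over plaintext: {url}")
```

Scheme-relative references (`//images.example.net/logo.png`) and root-relative paths inherit the page's https scheme and are correctly left alone; the http form action is reported because a login form that posts to a plaintext URL sends credentials in the clear even when the page itself was served over SSL.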

Use HTTP Strict Transport Security (HSTS) to protect your domains (including sub-domains)

When your website is protected with HSTS, after the first visit the browser automatically converts all http links to the site into https, and visitors cannot access the site again unless it presents a valid, non-self-signed certificate. This means attackers cannot divert your users to a phishing site they control over an insecure link (using SSL stripping) or steal unsecured session cookies (using tools such as Firesheep).

Protect cookies using the HttpOnly and Secure flags

Cookies used for authentication for the duration of an SSL session can be used to compromise the session's security if they are stolen. The HttpOnly flag makes the cookies you issue invisible to client-side scripts, so they cannot be stolen via cross-site scripting exploits, while the Secure flag means the cookie is only transmitted over an encrypted SSL connection and therefore cannot be intercepted on a plaintext one.

Configuring your web server to issue cookies with both the HttpOnly and Secure attributes protects against both these types of attacks.
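The HSTS header and the cookie attributes from the two preceding sections are both visible in the raw HTTP response, so one small audit can verify them together. The script below is an added example, not code from the original article or any web server: it parses the header block of a response, checks that `Strict-Transport-Security` is present with a long enough `max-age` and `includeSubDomains`, and reports every `Set-Cookie` that lacks `Secure` or `HttpOnly`. The two sample responses are constructed for the example, and the one-year `max-age` threshold is this example's choice.

```python
# Constructed sample responses (not captured from any real site): one issued
# by a server missing the protections, one by a hardened configuration.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

ONE_YEAR = 31536000  # max-age threshold chosen for this example


def parse_headers(raw_response):
    """Return (name, value) pairs from the header block of a raw HTTP response,
    keeping duplicates (one Set-Cookie line per cookie) and lowercasing names."""
    headers = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_hsts(headers, min_age=ONE_YEAR):
    """Return a list of problems with the Strict-Transport-Security header."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header missing"]
    directives = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    problems = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < min_age:
        problems.append(f"max-age {max_age} is below {min_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    return problems


def check_cookies(headers):
    """Return a list of cookies set without the Secure or HttpOnly attribute."""
    problems = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr_key, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if attr_key not in attrs:
                problems.append(f"cookie {cookie_name} lacks {label}")
    return problems


def audit_response(raw_response):
    """Audit one raw HTTP response for HSTS and cookie-flag problems."""
    headers = parse_headers(raw_response)
    return {"hsts": check_hsts(headers), "cookies": check_cookies(headers)}


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```

Run against a response captured from your own server (for example the output of a raw HTTPS request to the login page), the audit should return empty lists for both keys; a session cookie reported as lacking `Secure` is exactly the cookie that SSL stripping or a tool like Firesheep would pick up off a plaintext connection.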

Use Extended Validation (EV) certificates

Although this is not vital for the security of your site, EV certificates give a clear visual confirmation in most browser address bars that visitors have made a secure SSL connection to a site that is genuinely yours, and have not been diverted to a phishing site. EV certificates are only issued after a certificate authority has taken rigorous steps to confirm your identity and that you own or control the domain name for which the certificate is being issued.

