Select Page

Top 7 TLS/SSL best practices – An easy guide to make encryption unbreakable

Top 7 TLS/SSL best practices – An easy guide to make encryption unbreakable

The words “encryption”, “SSL” and “HTTPS” is associated with strong security. Many of us feel that if our servers are SSL enabled, your data is secure.

Well, that’s not always the case. If not configured correctly, encrypted communication can be broken.

Here are a few TLS/SSL best practices to help you lock down your encrypted communication.

    1. 1. Use only valid CA certificates (No self-signed certs)

      Let’s say your site has a certificate called Cert-A. Your customers encrypt their data and send it to you using Cert-A.

      What if someone replaces Cert-A with a fake Cert-B (everything looking the same) while it’s on the network? Your customer will encrypt their data using Cert-B, which can then be read by the attacker. This is called a Man-In-The-Middle (MITM) attack.

      Your customer’s browser prevents MITM attacks by checking who created the certificate. If it was created by a company trusted by the browser (there are only about 174 of them), the browser shows a green light.

      ssl best practices - green light

      GoDaddy created the certificate of Since GoDaddy is trusted by all browsers, the address bar shows a green light.

      The issue with self-signed certificates

      If you create your own certificate, your customer’s browser can’t verify who created it, and will show an error.

      TLS SSL best practices - self signed error

      If your customer goes ahead with the transaction anyway, there’s no way for the customer to know if an attacker has replaced your self-signed cert with a fake cert (which will also show the same error).

      If an attack like that happens, and your customer loses sensitive information, guess who’s gonna get the bad name? You.

      So, it is always best to get a valid CA certificate for your site. And it need not be expensive. There are free options these days, like Let’s Encrypt.

    2. 2. Use minimum 2048-bit encryption

      The average PC now has many times more power than what we had 5 years back. So, theoretically, it is possible for an attacker to break certificates of strength 1024 bit or less.

      So, it is best to use minimum 2048 bit encryption for your certificates.

      TLS SSL best practices - 2048 bit encryption

      More than 2048 bit encryption (that is 4096 bit) can cause a performance penalty

    3. 3. Disable SSL v2, SSL v3

      Encrypted connections are popularly known as “SSL connections”. SSL or Secure Sockets Layer is an encryption protocol developed by Netscape way back in 1995.

      While it served the internet well for 20 odd years, it’s now found to be riddled with a few serious vulnerabilities like DROWN and POODLE.

      So, it is best to disable these protocols from your system.

      Read : How to fix POODLE vulnerability and disable SSL v2 and v3

      How to fix DROWN vulnerability and disable SSL v2 and v3



For as low as


Get full spectrum infrastructure management services – including setup, monitoring & maintenance.

Never again face a critical business downtime. We keep your servers secured, optimized and updated at all times. Our engineers monitor your servers 24/7 and fix issues before it can affect your customers.


1 Comment

  1. What should one do if you want a SSL certificate for an internal server? The SSL should have a FQDN and public IP right? So how can this be fixed; having a proper certificate for a (large) company internally?


Submit a Comment

Your email address will not be published. Required fields are marked *

Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.