Top 7 TLS/SSL best practices – An easy guide to make encryption unbreakable
The words “encryption”, “SSL” and “HTTPS” is associated with strong security. Many of us feel that if our servers are SSL enabled, your data is secure.
Well, that’s not always the case. If not configured correctly, encrypted communication can be broken.
Here are a few TLS/SSL best practices to help you lock down your encrypted communication.
1. Use only valid CA certificates (No self-signed certs)
Let’s say your site has a certificate called Cert-A. Your customers encrypt their data and send it to you using Cert-A.
What if someone replaces Cert-A with a fake Cert-B (everything looking the same) while it’s on the network? Your customer will encrypt their data using Cert-B, which can then be read by the attacker. This is called a Man-In-The-Middle (MITM) attack.
Your customer’s browser prevents MITM attacks by checking who created the certificate. If it was created by a company trusted by the browser (there are only about 174 of them), the browser shows a green light.
The issue with self-signed certificates
If you create your own certificate, your customer’s browser can’t verify who created it, and will show an error.
If your customer goes ahead with the transaction anyway, there’s no way for the customer to know if an attacker has replaced your self-signed cert with a fake cert (which will also show the same error).
If an attack like that happens, and your customer loses sensitive information, guess who’s gonna get the bad name? You.
So, it is always best to get a valid CA certificate for your site. And it need not be expensive. There are free options these days, like Let’s Encrypt.
2. Use minimum 2048-bit encryption
The average PC now has many times more power than what we had 5 years back. So, theoretically, it is possible for an attacker to break certificates of strength 1024 bit or less.
So, it is best to use minimum 2048 bit encryption for your certificates.
3. Disable SSL v2, SSL v3
Encrypted connections are popularly known as “SSL connections”. SSL or Secure Sockets Layer is an encryption protocol developed by Netscape way back in 1995.
While it served the internet well for 20 odd years, it’s now found to be riddled with a few serious vulnerabilities like DROWN and POODLE.
So, it is best to disable these protocols from your system.