Sat 19 May 2018

Checking and improving website's SSL strength

In the HOWTO Install and Configure a Shibboleth IdP I have found a link to the SSL Labs' tests, with a deep analysis of a website's SSL configuration.

Beyond analyze the main characteristics of the SSL certificate, these tests

list the protocols and the ciphers supported
simulate the handshake of a large number of browsers, reporting the protocol and cipher used
detect the behavior related to the main security issues.

So I could go a little deep on Forward Secrecy and DNS Certification Authority Authorization, that is mandatory for all CA since september 2017.

Forward Secrecy

To avoid that a compromised long-term encryption key causes the consequent compromise of all session keys generated starting from it, it is necessary:

drop obsolete SSL versions
give priority to the safest ciphers, eliminating those most at risk.

As stated in digicert documentation you need to add the highlighted lines in your apache configuration:

         SSLEngine on
+
+        SSLProtocol all -SSLv2 -SSLv3
+        SSLHonorCipherOrder on
+        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
+
         SSLCACertificateFile  ...

DNS Certification Authority Authorization

The history of RFC6844 began as Internet Draft in october 2017; the defacement of some CAs in 2011 was not enough to bring out this work, perhaps still immature (it will become RFC in 2013), until in 2017, [it was made mandatory for all CAs] (https: //blog.qualys. com / ssllabs / 2017/03/13 / caa-mandated-by-cabrowser-forum)

The addition of the new DNS Resource Records CAA (type 257) let you to protect your domain by specifying:

which CAs are authorized to issue certificates for the domain
which CAs are authorized to issue wildcard certificates for the domain
who must be notified of requests that violate the published conditions

CAs, when receiving a certificate request for a domain protected by DNS CAA, must check if they are authorized to issue the certificate, otherwise notify the domain owner using the method published in the CAA record.

The configuration of CAA records is very flexible: it is possible, in fact, to allow multiple CAs to issue certificates for the entire domain, or specify that some less expensive CAs can issue certificates for the domain, but that some hosts must have certificates issued by other more expensive and secure CAs.

A Rated

Thanks to these suggestions, the ranking of this site has gone from B to A.