I know a lot of people struggle with configuring SSL on their web server. A quick trip to Qualys SSL Labs to see the “Recent Worst” validates that. However, there’s a tool that can easily bring your web server up to the best current operating practice.
Check out the Mozilla SSL Configuration Generator. However, before you hastily cut and paste the generated code, take a few minutes to understand the implications of choosing “Modern”, “Intermediate” or “Old”. Modern, which is what this website uses, supports the fewest browsers but gives the best security. Old supports the most browsers and has the laxest security; it keeps weak protocol versions and cipher suites alive for clients that should have been retired long ago, so using Old is a terribly bad idea and should really never be done. For many, Intermediate is a nice balance of browser support and security. Each profile lists the oldest clients it supports; compare that list with the browsers actually showing up in your own access logs before you decide.
The recommendations from the generator change often, as attacks on older protocols and cipher suites are published, so you should check back regularly to make sure you are still running the best current configuration.
There are also many hints, tips and tricks available at Qualys.
Until recently there was little motivation to encrypt websites that do not necessarily need it. That has changed: Let’s Encrypt has just disrupted the industry by offering free SSL certificates to anyone. Let’s Encrypt is overseen by the Internet Security Research Group, a California public benefit corporation, whose benevolent agenda includes securing the Internet at large. Bravo! We will post about using Let’s Encrypt in the near future.
If you now have a certificate from Let’s Encrypt and a very secure configuration, it’s time to force your users onto HTTPS/443 while keeping your now legacy HTTP/80 listener alive: users clicking on old Google search results should be redirected to HTTPS, not met with a connection timeout. Check out our earlier post on how best to do this.
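As an added example (not the configuration from this post or from our earlier post), here is how the HTTP-to-HTTPS redirect and the generator's protocol settings fit together in an nginx configuration. It assumes nginx, a site called example.com with a Let’s Encrypt certificate under /etc/letsencrypt/live/example.com/, and a web root of /var/www/example.com; the protocol and cipher lines are placeholders in the spirit of the Modern profile and should be replaced with whatever the generator emits for the profile you chose.

```nginx
# Added example, not the original post's own configuration.
# Assumptions: nginx, site example.com, Let's Encrypt certificate under
# /etc/letsencrypt/live/example.com/, web root /var/www/example.com.

# Port 80 keeps answering so old links and search results still resolve,
# but every request is sent to HTTPS with a permanent redirect.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Exception: ACME HTTP-01 challenge files for certificate renewal,
    # if you renew over plain HTTP. These must not be redirected.
    location /.well-known/acme-challenge/ {
        root /var/www/example.com;
    }

    # 301 rather than 302: browsers and crawlers cache it and update to the
    # HTTPS URL. $host comes from the request; if this block is also the
    # default server, use a literal hostname instead so an arbitrary Host
    # header cannot be reflected into the redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the TLS site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem carries the leaf plus the intermediate. Serving only the
    # leaf produces "unknown issuer" errors in clients lacking the intermediate.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocol and cipher settings: replace with the Mozilla generator's output
    # for your chosen profile. Whatever the profile, never re-enable SSLv3.
    # (TLSv1.3 requires nginx 1.13+ built against OpenSSL 1.1.1+; drop it on
    # older builds or nginx will refuse to start.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # HSTS: once a browser has seen this header it goes straight to HTTPS and
    # refuses to downgrade. Start with a short max-age (say 300) until every
    # page and subresource really works over HTTPS, then raise it.
    add_header Strict-Transport-Security "max-age=15768000" always;

    root /var/www/example.com;
}
```

Test the redirect before you raise the HSTS max-age: a request to http://example.com/some/page should come back as a 301 with a Location header pointing at https://example.com/some/page, and the HTTPS response should carry the Strict-Transport-Security header. Once a long max-age has been sent, browsers will refuse plain HTTP for that host until it expires, so a half-working HTTPS site becomes a fully broken one.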
Additionally, make sure your SSL certificate is signed with SHA-2, or all of the above could be for naught: browsers have been phasing out trust in SHA-1 signatures, so a SHA-1 certificate draws warnings and will eventually fail to validate. All Let’s Encrypt certificates are SHA-2/SHA-256. Read this Ars Technica article and this SSLs.com blog post for more information on transitioning to SHA-2. Publicly trusted certificate authorities have been barred from issuing SHA-1 certificates since January 1st, 2016, but it never hurts to double check. Check the intermediate certificate in your chain as well as your own; only the self-signature on the root is irrelevant, since browsers trust roots by identity rather than by signature. Most certificate authorities are now also reissuing your old, but still valid, certificates as SHA-2 at no charge.
There’s a very quick check of whether your certificate is signed with SHA-1 or SHA-2 available at shaaaaaaaaaaaaa.com. Happy to report that this website received the ever-so-desirable “Nice” rating.
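For the SHA-2 check in the two paragraphs above, here is the same check done locally with openssl, as an added example rather than anything from the post or from shaaaaaaaaaaaaa.com. It assumes `openssl` and `awk` are on the PATH; the function names, the example hostname and the chain file path are mine. It reads the signature algorithm out of a PEM certificate, walks every certificate in a chain file (so the intermediate is covered too), classifies the result as SHA-1, SHA-2 or other, and can pull the live certificate from a server on port 443.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes openssl and awk on PATH.
set -eu

# Print the signature algorithm of the first certificate in a PEM file,
# e.g. "sha256WithRSAEncryption" or "ecdsa-with-SHA384".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Print one signature algorithm per certificate in a chain file (leaf plus
# intermediates, as in Let's Encrypt's fullchain.pem). Every cert in the
# chain must be SHA-2; only a root's self-signature does not matter.
chain_sig_algs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout -text \
        | awk '/^Certificate:/ { want = 1 }
               want && /Signature Algorithm:/ { print $3; want = 0 }'
}

# Fetch the leaf certificate a server presents on 443 (SNI set to the host
# name) and print its signature algorithm. Needs network access.
remote_cert_sig_alg() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Map an OpenSSL algorithm name to the hash family it uses.
# RSA names look like sha256WithRSAEncryption, ECDSA names like
# ecdsa-with-SHA256; anything else (RSA-PSS with parameters, Ed25519,
# MD5) is reported as "other" and deserves a manual look.
sig_family() {
    case "$1" in
        sha1*|*SHA1)                                                  echo "SHA-1" ;;
        sha224*|sha256*|sha384*|sha512*|*SHA224|*SHA256|*SHA384|*SHA512) echo "SHA-2" ;;
        *)                                                            echo "other" ;;
    esac
}

# Usage:  sh check_sha2.sh /etc/letsencrypt/live/example.com/fullchain.pem
#         sh check_sha2.sh --host example.com
if [ "${1-}" = "--host" ] && [ -n "${2-}" ]; then
    alg=$(remote_cert_sig_alg "$2")
    echo "$2: $alg ($(sig_family "$alg"))"
elif [ -n "${1-}" ]; then
    chain_sig_algs "$1" | while read -r alg; do
        echo "$1: $alg ($(sig_family "$alg"))"
    done
fi
```

Run it against fullchain.pem rather than cert.pem: a SHA-2 leaf hanging off a SHA-1 intermediate still fails the check in browsers, and the per-certificate output makes that case visible.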