SSL Configuration Best Practices Part 3: Cipher Security Configuration

Secure Sockets Layer (SSL) configuration is a critical component of defending publicly accessible web applications against man-in-the-middle and other attacks. This third of a three-part series on SSL configuration best practices explores server protocol and cipher configuration.

How Do Server Protocol and Configuration Relate to Cipher Security?

Hardening your server’s protocol and cipher configuration helps ensure that attackers don’t have an easy avenue for breaching your security wall. These configuration best practices are ever changing to meet the constantly evolving threat landscape, so it is a good idea to think of protocol and cipher configuration—and security in general—as a continuous exercise in vigilance.

What Are Server Protocol and Cipher Configuration Best Practices?

The Open Web Application Security Project (OWASP) provides SSL server protocol and cipher configuration best practices through the following rule recommendations:

  1. Only Support Strong Protocols. Weaknesses have been identified with earlier SSL protocols; hence, SSL versions 1, 2, and 3 should no longer be used. The best practice for transport layer protection is to provide support for only the TLS protocols.
  2. Prefer Ephemeral Key Exchanges. Ephemeral key exchanges mean a compromise of the server’s long-term signing key does not compromise the confidentiality of past sessions.
  3. Only Support Strong Cryptographic Ciphers. Modify the server to ensure that only strong cryptographic ciphers are selected, disable the use of weak ciphers, and configure the ciphers in an adequate order.
  4. Support TLS-PSK and TLS-SRP for Mutual Authentication. Use Password Authenticated Key Exchanges (PAKEs) to remove the need for trusting third-parties such as Certification Authorities (CAs).
  5. Only Support Secure Re-negotiations. A design weakness in TLS allows an attacker to inject plaintext into a TLS session. You can mitigate this issue by disabling support for TLS re-negotiations or by supporting only re-negotiations compliant with RFC 5746.
  6. Disable Compression. A known exploit against the data compression scheme allows an adversary to recover user authentication cookies that the attacker can then use for session hijacking attacks.

How Does Penetration Testing Help Ensure Server Protocol and Cipher Configuration Best Practices?

Penetration testing is one way to ensure your server protocol and cipher configuration is secure. A knowledgeable and experienced third-party penetration testing expert can help identify strengths and weaknesses in your SSL/TLS configuration before an attacker does.

Strong Configuration Withstands Penetration Testing

A strong and secure server protocol and cipher configuration will provide maximum protection against skilled and determined attackers and is appropriate for applications that handle sensitive data or perform critical operations. Garner the help of a trusted penetration tester to make sure your systems are as secure as possible. Contact Security Pursuit today for your free consultation and analysis of your organization’s SSL/TLS configurations.