Secure Sockets Layer (SSL) configuration is a critical component of defending publicly accessible web applications against man-in-the-middle and other attacks. This is the second of a three-part series on SSL configuration best practices. Part two explores SSL server certificate best practices.
What Is a Server Certificate?
An SSL certificate is a file that provides a cryptographic key bound to a company’s information. You install this file on your Web server to set up secure connections between your Web server and a browser, such as Google Chrome or Firefox. This certificate is usually employed to secure data transfer, logins, and credit card transactions—anything you want to keep private.
Server Certificate Best Practices
The Open Web Application Security Project (OWASP) provides SSL server certificate best practices that are useful for review by newbies and experienced IT security staff alike:
- Use strong keys and protect them—current best practice dictates a key size of at least 2048 bits.
- Use a certificate that supports required domain names—if users are regularly presented with TLS error messages, they’re likely to begin to ignore such warnings, creating the perfect setup for attacks.
- Use fully qualified names in certificates—Unqualified and local names or private IP addresses violate the certificate specification.
- Do not use wildcard certificates—they open the door to attacks by asking the user to trust all machines in the domain.
- Do not use private addresses in certificates—These addresses include those assigned by the Internet Assigned Numbers Authority (IANA) such as 192.168/16, 172.16/12, and 10/8.
- Use an appropriate certification authority (CA) for the application's user base—This goes back to the idea that users regularly presented with errors, such as certificates from an unknown certificate authority, are more likely to ignore warnings and fall victim to attacks.
Penetration Testing to Highlight SSL Certificate Implementation Shortcomings
The most effective method used to proactively identify unsecured, expired, or SSL certificates unsigned by a trusted CA is to perform routine automated vulnerability scans of your Web servers. Ensure that your third-party scanning (and/or penetration testing) provider includes these checks by default as they always should. At Security Pursuit, “we provide detailed evidence of our findings, step-by-step procedures showing how attack vectors were successfully executed, as well as actionable steps to improve the enterprise security posture,” including SSL certificate implementation.
The Web isn’t getting any safer, but proper SSL implementations can help protect your web applications. Tune in next month for server protocol and cipher configuration best practices to help you create a well-rounded SSL implementation. Did you miss part one? Read SSL Configuration Best Practices Part 1: SSL Secure Server Design.