How to Get an A+ Security SSL Rating Fast

June 13, 2014
Kevin Lam

ironboxssltestQualys has a great SSL testing tool that lets website owners test their sites to see how well they’ve configured SSL on their servers. Unfortunately, the bad guys are also using this tool too to see if you’re low-hanging fruit. Customers also use this to get an initial idea of how serious you about security. Here’s a short checklist of the key things we did with our servers to help us get an A+ rating so you can get one too, and fast.

Disable Weak Algorithms

SSL uses various encryption algorithms to provide security and privacy. Unfortunately, there are some algorithms you should not be using along side SSL either because they’ve been broken or are no longer sufficient by today’s standards.  They are:

  • PCT 1.0
  • SSL 2.0
  • Any ciphers that rely on MD5
  • Weak RC2 or RC4 cipher and modes

On the flip side, there are algorithms you should be enabling like:

  • TLS 1.1
  • TLS 1.2

If you’re using Windows server, contact us and I’ll send you a package of Windows registry scripts that we use in our own deployments that will make this configuration stupid-easy (literally, double-click and you’re done).

Use a 2048-bit Public Key

Before 2011, NIST OK’d the use of public keys of 1024-bit.  After 2011 they indicated that this would no longer be sufficient and organizations need to move to 2048-bit.  If you have an old SSL certificate, you may still be using a 1024-bit public key.  Easy fix and it won’t cost much either. Just re-issue yourself a new SSL certificate at 2048-bit, but it’s important that you do this.

Enable Forward Secrecy

SSL certificates have a private and public key which is used to protect keys that are generated when establishing an SSL tunnel.  An attacker could record encrypted  SSL traffic and if they were ever able to attain this private key, they could decrypt those past communications.  You can configure SSL so that it implements something called Forward Secrecy which would protect those past communications, even if the private key was compromised.

Setting this up will depend on what web server platform you use, but here’s a great write up I found.

Enable HTTP Strict Transport Security (HSTS)

The last thing you should consider configuring is HTTP Strict Transport Security (HSTS).  With this feature, Web servers tell compliant browsers to only interact using a secure SSL protected connection and specifies a period time with which to do so.  It’s really easy to implement and you get a lot of security benefits by doing so.  Not to mention the Qualys SSL test tool will love you even more when you do.  Here’s the Wikipedia article on HSTS, but you can skip right to the middle-bottom and find out how to implement it on your web server. We did ours in a few mouse clicks, but feel free to ping us if you want some help.

Alright, that’s it for this week.  Good luck on getting your A+ rating on Qualys!

 

Kevin Lam signature

–Kevin

Co-Founder, IronBox

References