A lot of us will be heading off on summer holidays soon - getting ready to sip a Pina Colada on a beach and catch up on some reading - but the holiday season system lockdowns will be here before you know it.
In order to help you prepare early this year, I have put together a security checklist that you can go over before you leave on your summer holiday. I have also put together a list of some of the latest changes being made by browsers, some of the trends published in the latest Netcraft report and some of the latest vulnerabilities to your security.
Summer Tune-Up SSL/TLS Checklist
- Check for certificates getting ready to expire.
- Check all ciphers, server configurations and certificate hashing algorithms are up-to-date and secure. Use our SSL Server checking tool.
- Make sure all staff you are leaving behind have a clear incident response and training.
- Make sure you are aware of any vulnerabilities in your network and have a roadmap for IT to remove these as soon as possible.
The Cost of Expired Certificates
The first, and probably most common thing people forget before going away for long periods, is checking that their TLS Certificates are not up for renewal. If you're not using APIs or other automated certificate provisioning system, TLS Certificates will not renew automatically. They have a set expiry date and if you are not available to renew the certificate then website visitors will not be able to access the secured pages on your site.
Because this is common occurrence I just wanted to remind readers of the ramifications of an expired certificate, which results in users being unable to connect securely to your site.
When users cannot connect securely to your site, there will be:
- A reduction in trust as the site becomes insecure.
- A decline in sales and revenue with increased shopping basket abandonments.
- An adverse risk to business corporate brand and reputation.
SHA-1 Upgrades
If you haven't already, now is the time to upgrade your certificate to the SHA-256 hashing algorithm. CAs are no longer permitted to issue SHA-1 TLS certificates, so when you renew you will be forced to SHA-2. It's better to plan ahead in case there are some legacy applications connecting to that server that don't support SHA-2 certificates, so you have some time to resolve that prior to the SHA-1 certificate expiring. For more details check out our support article - SHA-256 compatibility.
Browsers have been continuing to degrade the user experience (UX) when a site uses a SHA-1 certificate. This includes showing a red X through the lock to showing no lock at all, and if the SHA-1 certificate expires in 2017+, you will be prompted to click through warning pages prior to accessing the site. These UX changes are continually being updated and added to more browser versions (e.g. Microsoft is planning to institute SHA-1 UX degradation for Edge and IE11 in July), so we recommend you upgrade to SHA-2 now to avoid losing traffic to your site.
OCSP Stapling
You can improve your visitor experience by implementing OCSP stapling. Most web servers support this. It enables the server to provide the OCSP response to the browser within the TLS session instead of the browser requesting it from the CA's OCSP server. Eliminating the extra step of querying the server helps speed up TLS negotiation, which can help with site performance.
Keeping Your Server Configurations Up-To-Date
Now that you are prepared for your summer getaway, it's worth also keeping up-to-date with the latest announcements. These trends aren't going to interrupt your holiday, but you might benefit from keeping an eye out and making sure your IT team are aware of these in case adjustments to server configurations need to be made.
You can check server configurations using our SSL Server Test Tool.
OpenSSL vulnerabilities
OpenSSL continues to be vulnerable to new attacks including the recent padding oracle attack and a memory corruption vulnerability in the ASN.1 encoder. While Netcraft's June 2016 Highlights suggest that the latter vulnerability is "only exploitable in a limited number of circumstances", the padding oracle attack is widely exploitable. If you don't have a streamlined process for patching OpenSSL, now is the time so that you can keep it up to date and quickly react to future vulnerabilities.
Google drops support for SPDY and NPN
Google is always updating its platform in order to promote a safe internet. A couple of recent updates are worth taking note of:
- SPDY is a networking protocol which manipulates HTTP traffic in order to reduce web load latency and improve web security. With the adoption of HTTP/2, Google has dropped support for SPDY.
- NPN was the TLS extension that negotiated SPDY in HTTP/2. NPN was replaced with ALPN in July 2014 but is being fully depreciated along with SPDY.
If you don't make these updates then your users may experience slower page load times.
Google disables support for SSLv3 and RC4
This one doesn't need me to say much more. Both of these ciphers are out of date and should be removed from your server configuration. Look out for anything that might still be using these ciphers such as systems using SMTP relay and third-party emailers and be sure to update those before changing your server configuration. You can do this using the SSL Server Test.
Other things to look out for
While not as important for someone going away on vacation, you should also keep up to date on latest news. Here's the top things spoken about in the CA/B Forum Meeting on June 9th 2016.
- A new UI refresh is scheduled for Chrome 52-53. This is going to harmonize with other Google properties and will change how the padlock will display.
- Chrome Keygen, which has been disabled by default since Chrome 49, will fully disappear soon.
- Microsoft is introducing two new properties to help resolve root removal issues for Windows 10 and higher operating systems:
- Disallow Date – When a date is set for this for a specific root, all new Authenticode signed objects will fail, and all signed objects with timestamps prior to this will continue to work.
- Disallow EKU – When this is set for a root, none of the EKUs identified in this list will be trusted. For example, if this is set for ServerAuth, then none of the SSL certificates will be trusted.
- Mozilla Root Removals: Roots now all tracked in Salesforce and public data. Everyone should be able to find them themselves.
- Google Chrome recently announced its EV Certificate Transparency Policy is now going to apply to all certificate types. While EV Certificates that do not follow the recommendations will not have a green bar shown in the browser, we're not quite sure how they will show non-compliance with other types of certificates.
In summary, take some time now to set your plans for the fall and holiday season and enjoy a safe, secure holiday season along with a less hectic fall. Finally, if you have any questions about this post, feel free to use the comments below and I will try and get back to you as soon as possible.
