SSL encryption is vital when sending sensitive information over the internet from browser to server, but just how secure are your sites? I used to naively believe that all I had to do was whack a certificate on the web server and all would be well. However, a friend of mine recently had one of their websites audited (I won’t name the site for obvious reasons!) and found more holes in their security defences than a block of Swiss cheese.
As well as the certificate, here are some other things you need to take care of:
- Protocols (SSL 2.0 and 3.0, TLS 1.0/1.1/1.2, and Microsoft’s legacy PCT), and which versions are enabled
- Ciphers (DES, 3DES, RC4, AES, etc…)
- Hashes (SHA-x, MD5, etc…)
- Which key exchanges are enabled (and the minimum Diffie-Hellman key length)
- The order in which cipher suites are offered, so the strongest ones are negotiated first
Fortunately, help is at hand using these two great tools:
You can use the Qualys SSL Labs SSL Server Test to find out how secure your site is. Just enter your URL in the box and they’ll give you a full report on how secure the SSL for your site is.
If there are issues, the IIS Crypto tool from Nartac Software will help you make the right remedial SCHANNEL registry changes without having to tinker around in the registry yourself, thus vastly reducing the possibility that you’ll trash your server.
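For anyone who wants to see what those registry changes actually are (and the list of protocols, ciphers, hashes and key exchanges above maps directly onto them), here is an added example script of my own; it is not IIS Crypto’s code and not taken from Nartac or Qualys. It assumes Windows Server 2012 R2 or later and the standard SCHANNEL key layout under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not IIS Crypto's code): audit and harden SCHANNEL settings.
# Assumptions: Windows Server 2012 R2+, default SCHANNEL registry layout.
# Changes only take effect after a reboot, and they also affect RDP and any
# outbound TLS the box makes, so run with -WhatIf first and test afterwards.

$SchannelRel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Schannel    = "HKLM:\$SchannelRel"

function Get-SchannelProtocolState {
    # Reports the server-side state of each protocol. A missing key or value
    # means Windows is using its built-in default for that OS version.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $item = Get-ItemProperty -Path (Join-Path $Schannel "Protocols\$p\Server") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($null -ne $item.Enabled) { $item.Enabled } else { '(default)' }
            DisabledByDefault = if ($null -ne $item.DisabledByDefault) { $item.DisabledByDefault } else { '(default)' }
        }
    }
}

function Set-SchannelDword {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SubKey, [string]$Name, [int]$Value)
    # Cipher key names such as 'RC4 128/128' contain a forward slash, which the
    # PowerShell registry provider treats as a path separator. The .NET API only
    # splits on backslashes, so create the key through it instead.
    if ($PSCmdlet.ShouldProcess("$SubKey\$Name", "Set DWORD to $Value")) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelRel\$SubKey")
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

function Invoke-SchannelHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DisableTls10And11)

    # 1. Protocols: kill SSL 2.0/3.0 on both sides; TLS 1.0/1.1 only if asked,
    #    because old clients may still need them. Make sure TLS 1.2 stays on.
    $off = @('SSL 2.0', 'SSL 3.0')
    if ($DisableTls10And11) { $off += 'TLS 1.0', 'TLS 1.1' }
    foreach ($p in $off) {
        foreach ($side in 'Server', 'Client') {
            Set-SchannelDword "Protocols\$p\$side" 'Enabled' 0
            Set-SchannelDword "Protocols\$p\$side" 'DisabledByDefault' 1
        }
    }
    foreach ($side in 'Server', 'Client') {
        Set-SchannelDword "Protocols\TLS 1.2\$side" 'Enabled' 1
        Set-SchannelDword "Protocols\TLS 1.2\$side" 'DisabledByDefault' 0
    }

    # 2. Ciphers: disable NULL, DES, RC2, RC4 and 3DES. AES keys are left alone.
    $weakCiphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                   'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168'
    foreach ($c in $weakCiphers) { Set-SchannelDword "Ciphers\$c" 'Enabled' 0 }

    # 3. Hashes: MD5 off. (Do not disable 'SHA' while TLS 1.0/1.1 are enabled,
    #    they use SHA-1 for the record MAC.)
    Set-SchannelDword 'Hashes\MD5' 'Enabled' 0

    # 4. Key exchange: refuse DHE groups smaller than 2048 bits (Logjam-class issues).
    Set-SchannelDword 'KeyExchangeAlgorithms\Diffie-Hellman' 'ServerMinKeyBitLength' 2048
}

# Usage: see where you stand, dry-run the changes, then apply and reboot.
Get-SchannelProtocolState | Format-Table -AutoSize
Invoke-SchannelHardening -WhatIf
# Invoke-SchannelHardening -DisableTls10And11
```

The cipher suite order (the last item in the list above) lives in a different place, the `Functions` value under `HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, which is the same value Group Policy’s “SSL Cipher Suite Order” setting writes; on Windows Server 2016 and later you can also inspect it with `Get-TlsCipherSuite`. Whatever you change, rerun the SSL Labs test after the reboot to confirm the server now negotiates what you think it does.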
Clever stuff!