01 Preface
Thank you for your attention to the previous article " Developing SSL Online Tools Step by Step ". I found that in addition to work, writing code, and sharing content on the Nuggets is also a very happy thing. This article combines some of the functions of SSLeye written by myself. Let me talk about my simple views on SSL security, the big guy detours, don't spray ^-^
At present, https in the Internet is generally one-way SSL authentication, and there are also two-way authentication; what is one-way and two-way authentication, without redundant explanation, please do it yourself~ This article mainly explains its SSL from the process of building an https website. Security, the main points include:
(1), certificate application
(2), server SSL configuration
(3), SSL link detection
(4) Vulnerabilities and upgrades
02 Certificate Application
At present, there are many brands of digital certificates on the market, and there are also many companies selling direct and agency certificates in China. As for which company and brand of certificate to choose, the main consideration is the compatibility of the certificate client (app, browser) and after-sales service. , Anyway, I personally think the certificate is a bit expensive, I can't afford it *-*, and now the SSL online tool (www.ssleye.com) does not enable Https, and tears run...
The application for the certificate mainly includes:
(1) Submit the generated certificate request file (CSR) to the certificate company
(2) The certificate company signs the CSR to generate a signature certificate
(3) The certificate company feeds back the generated certificate chain (client certificate, intermediate certificate, root certificate) to the customer
Safety requirements:
1. The user should generate the certificate request file (CSR) by himself, because the private key is also generated when the certificate request file is generated; the user saves the private key and only provides the certificate request file to the certificate company. It is impossible to give the certificate request file and private key to others, I am afraid~~
2. When selecting the encryption algorithm, encryption strength and signature algorithm when generating the certificate request file; for example, the RSA algorithm, the encryption strength should be >=2048, and the signature algorithm>=SHA1. It is not recommended to use insecure algorithms and signature algorithms, such as RSA1024, MD5, etc.
3. It is recommended to encrypt the private key when generating the CSR to ensure the security of the private key.
Then submit the generated certificate request file (CSR) to the certificate company.
Tips: The synthesis sequence of certificates is: user certificate, intermediate certificate, root certificate, edit and save in order through the file editor.
03 Server SSL configuration
Server SSL configuration mainly emphasizes that when configuring SSL, you should avoid using insecure protocols and cipher suites, and whether to enable other related enhanced security features.
Safety requirements:
(1) The SSL protocol should use at least TLS1.0 and above. For the compatibility reasons of old browsers, SSL3.0 should be properly enabled, and SSL2.0 should not be used.
(2) Avoid using insecure encryption suites, including: NULL, anonymous, EXPORT, RC4, MD5, PSK, ADH.
(3) The encryption strength selected in the encryption suite should be >=128bits.
(4) Higher-level security requirements, such as supporting ATS standards, HSTS, CAA, preventing downgrade attacks, forward secrecy, etc.
Small tip: the 3DES algorithm also seems to be flagged as a weak encryption algorithm by ssllabs.
04 SSL link detection
After the server SSL configuration is complete, you can use SSL-related detection tools to check the configuration to check whether insecure SSL protocols and encryption suites are used.
SSLeye- protocol and suite module, which can detect the SSL protocol and encryption suite supported by the server, such as the detection nuggets as follows:
Tips: SSLeye currently does not support the detection of TLS1.3 protocol, please upgrade later...
04 Vulnerabilities and upgrades
There are many reasons for SSL vulnerabilities, of which insecure protocols and cipher suites account for a large part. Therefore, before the HTTPS website goes online, the common vulnerabilities of SSL should be scanned, and if any vulnerabilities are found, they should be repaired in time.
Website administrators should pay attention to SSL security information every day, discover SSL 0day vulnerabilities in time and quickly fix them, upgrade the OpenSSL version, PS, I don't know how many people are upgrading Openssl late at night with "heartbleed" vulnerabilities.
At present, SSLcve supports 9 kinds of SSL vulnerability detection, and will further downgrade attack detection and ROBOT vulnerability in the future.
Tips: ssllabs is the originator of SSL testing website, recommended ^-^, PS: SSLeye is not plagiarism~~~
05 Follow-up
I don’t know what to write in the follow-up, welcome comments from friends who have ideas...