Following flaws to find solutions: SSL tools that make sites more secure

The SSL paradox

Editor’s note: This article was originally published on December 8, 2014. It was updated on July 27, 2018.

If you follow what’s happening in computer technology, you probably know about SSL, the network security protocol that protects data as it travels across the Internet. SSL is often in the news because we keep finding problems with it. It might seem like a bad thing but, paradoxically, it’s not; that means that we’re paying attention and making things better. It also means we need to provide developers with better SSL tools and resources to help them implement and debug SSL issues.

My own involvement with SSL goes back to about 2008. At that time I had been using SSL for more than a decade, but largely without looking under the hood to understand how this technology really functions. When I did, I found it very surprising that SSL is difficult to use correctly, poorly documented, and that there aren’t any good tools to help you with the job. And that’s how SSL Labs — a research effort to understand the practical side of SSL/TLS and PKI — was born. Our aim is to provide tools and documentation to encourage the correct and secure use of these technologies.

You’re charged with building sites that protect your assets as well as your users’ data — but deploying SSL correctly is more difficult than ever.

We’re still learning how to properly secure computer networks, but we’re making progress. As a website developer, however, you need to know more than the average Joe. You’re charged with building sites that protect your assets as well as your users’ data — but deploying SSL correctly is more difficult than ever. While the technology itself is relatively simply to implement, the entire ecosystem includes many features and options; to ensure security, you need to make all the correct choices, often in the correct order.

Back to basics

Let’s go back to the beginning. The three technologies that you need to be aware of are called SSL, TLS, and PKI. The first two are actually different names for the same thing; they are protocols for encrypted communication, with SSL being the older version of TLS. Today, we use both names interchangeably in general discussion. PKI is a complementary technology that enables us to securely connect to arbitrary websites, knowing only their domain names.

This is possible because our browsers trust third parties called certification authorities (CAs) to issue digital certificates that are used for identity verification. Every time we connect to a site, our browsers check these certificates to ensure we’re in the right place and that our communication is not being intercepted.

Thus, on a high level, things are rather simple: to establish secure presence on the Internet you need to perform only two steps:

  1. Obtain a certificate from a CA.
  2. Configure an SSL server with that certificate.

Obtaining an SSL certificate is relatively straightforward in most situations and there are a variety of CAs, including GoDaddy, to choose from. The process consists largely of proving legitimate access to a domain name and paying a fee for the certificate.

The second step is the tricky one. Taking the certificate and configuring a secure server with it is fraught with traps. Below I reference several existing SSL tools and resources, each approaching the problem at a different level of abstraction.

Certificate Checker

This SSL tool will check if your website is properly secured by an SSL certificate, including the IP it resolves to, the validity date of the SSL certificate securing it, the CA the SSL certificate was issued by, the subject information in the certificate, and determine if the chain of trust has been established.

CSR Decoder

This SSL tool will decode a CSR and display the contents in a human-readable format. The formatting of the CSR will be checked. If any issues are found, a properly formatted CSR will be generated for you.

Certificate Decoder

This SSL tool will decode a PEM/DER encoded SSL certificate and display the contents in a human-readable format. The formatting of the certificate will be checked.

The SSL Server Test

The SSL Labs flagship tool is the server test, which you can point at any public website. This test gives you a comprehensive analysis of the site’s configuration. It will tell you if a site is securely configured and, perhaps more importantly, whether it will work correctly with the major browsers and devices. I built this tool for myself and it’s always my first recommendation to anyone interested in website encryption. Use it to test your site now and you’ll know exactly where you stand.

The SSL Labs server test can only check public sites. If you want to check your private infrastructure, I recommend a tool called SSLyze, which is used from the command line.

The SSL/TLS Deployment Best Practices guide

To accompany the test, SSL/TLS Deployment Best Practices is a concise document that still provides a comprehensive (albeit high-level) view of all the work that needs to be done to secure a website. At under 20 pages, the main goal of this document is to give you a good understanding of the problems you’ll be facing, without overwhelming you with details.

Mozilla’s Server Side TLS Guide

If you’re looking for more in-depth technical recommendations, one place you can turn to is Mozilla’s Server Side TLS guide, which makes a great addition to the SSL tools provided above. This document gives several cipher suite recommendations with different trade-offs of security versus interoperability, but also many configuration examples for popular server applications.

Applied Crypto Hardening from Better Crypto

If it’s detailed configuration examples that you’re after, also consider Applied Crypto Hardening from the Better Crypto website. This document is still in draft, but contains a lot of information that you might find useful.

The OpenSSL Cookbook

The OpenSSL Cookbook is a guide which, at about 60 pages, looks at OpenSSL in depth. OpenSSL is the tool anyone deploying encryption will have to use, unless you’re on Windows.

The Bulletproof SSL and TLS book

Finally, if you need to go even deeper, you can turn to Bulletproof SSL and TLS, my book that contains everything you need to know to securely use SSL on a variety of platforms, including Apache, Java, Nginx, OpenSSL, and Windows. This book, which is a culmination of my many years of research of this topic, includes all the theory and practice you need to understand the technologies, understand the threats, and deploy SSL securely and with optimal performance.

Learn about the four types of SSL certificates available.

Wildcard SSL Certificate
Extended Validation SSL Certificate
SAN SSL Certificate
Organization Validation SSL Certificate

Image by: Cyberslayer via Compfight cc

Ivan Ristic
Ivan Ristic is a security researcher, engineer and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools, and guides published on the SSL Labs website.