I’ve blogged before about the importance of making sure you’re serving your content over HTTPS. Not only does Chrome now mark sites not served over HTTPS as “Not secure” in the address bar, Google also gives HTTPS sites increased weight in search results. It’s never been easier to serve your sites securely, but the certificate itself is only part of the equation. The protocol your server negotiates with the browser matters just as much, so we need to talk about SSL and TLS as well.
Server software like Apache and Nginx previously served encrypted traffic over the SSL (Secure Sockets Layer) protocol, and the same goes for email servers. SSL was succeeded by TLS (Transport Layer Security). The problem is that every version of SSL has since been found to be insecure: in 2014, SSL 3.0 was shown to be exploitable via the POODLE attack, which lets an attacker who can tamper with traffic recover plaintext from the encrypted connection. At this point your servers should be off SSL entirely and speaking only TLS, and since TLS 1.0 and 1.1 are also considered weak and are being phased out, only TLS 1.2 or newer.
Run Some Tests!
If that’s Greek to you (and most of it is to me as well), don’t worry. If you have server or IT admins who take care of your servers, chances are they’re on it and have been on TLS for several years now.
You can use Qualys’ SSL Server Test site to see what protocols your server is using and make sure you’re up to date with everything. You can see my report here. I use Let’s Encrypt for my certificate. Take a second and check out that A+. Feels good.
The SSL Server Test will also tell you which TLS and SSL protocol versions you’re running. You shouldn’t have any SSL versions enabled at all; if you do, the test will dock your grade heavily. Here’s an example:
You should be serving your website content over TLS 1.2 (or newer) at this point. Why? Here’s more detail from GlobalSign:
As a best practice, you should configure your servers to support the latest protocol versions to ensure you are using only the strongest algorithms and ciphers, but equally as important is to disable the older versions. Continuing to support old versions of the protocols can leave you vulnerable to downgrade attacks, where hackers force connections to your server to use older versions of the protocols that have known exploits. This can leave your encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other types of attacks.
Earlier this summer, TLS 1.3 was finalized and published as RFC 8446. If you are able to upgrade to it, you should. If you don’t want to run a full SSL test, you can run just a check of which TLS versions you are serving. Here’s a TLS Test from CDN77. Here are my results below. This site is coming to you over TLS 1.3. Again, feels good!
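If you’d rather run the protocol check from your own terminal than paste your hostname into a third-party site, the same question the SSL Labs and CDN77 tests answer (“which SSL/TLS versions will this server actually negotiate?”) can be asked directly with openssl s_client, one version at a time. The script below is an added example written for this post; it is not my own tooling nor code from either test site. It assumes openssl is installed, that the target answers on port 443, and the file name tls-probe.sh is made up for the example.

```shell
#!/bin/sh
# tls-probe.sh: ask a server for each SSL/TLS version in turn with
# openssl s_client and report which ones it accepts.
# Added example for this post; assumes openssl(1) is installed and that
# the target host is reachable on port 443 (both are assumptions).

# classify_handshake: read one s_client transcript on stdin and print
#   ACCEPTED <version>  server completed the handshake at that version
#   REJECTED            server refused the version (Cipher : 0000)
#   UNTESTABLE          the local openssl cannot even offer that version
# Kept as pure text processing so it can be checked on sample transcripts.
classify_handshake() {
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -qiE 'unknown option|no protocols available'; then
    printf 'UNTESTABLE\n'
    return 0
  fi
  version=$(printf '%s\n' "$transcript" \
    | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
  # A failed handshake still prints an SSL-Session block, but with
  # "Cipher    : 0000"; a real cipher suite name starts with a letter.
  if [ -n "$version" ] && printf '%s\n' "$transcript" | grep -qE '^ *Cipher *: *[A-Z]'; then
    printf 'ACCEPTED %s\n' "$version"
  else
    printf 'REJECTED\n'
  fi
}

# probe_version HOST FLAG: one handshake attempt pinned to a single version.
probe_version() {
  host=$1
  flag=$2
  # </dev/null closes stdin so s_client exits after the handshake instead
  # of waiting for request data; 2>&1 captures the alert text as well.
  openssl s_client -connect "$host:443" -servername "$host" "$flag" </dev/null 2>&1 \
    | classify_handshake
}

# probe_all HOST: walk the versions from oldest to newest. Anything older
# than -tls1_2 that comes back ACCEPTED is what the SSL Labs grade docks you for.
probe_all() {
  host=$1
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%-8s %s\n' "$flag" "$(probe_version "$host" "$flag")"
  done
}

# Usage: sh tls-probe.sh example.com
if [ -n "${1:-}" ]; then
  probe_all "$1"
fi
```

A healthy server prints REJECTED (or UNTESTABLE, if your local OpenSSL was built without the old versions) for -ssl3, -tls1 and -tls1_1, and ACCEPTED for -tls1_2 and -tls1_3. If an old version comes back ACCEPTED, the fix is the server config: in Nginx, `ssl_protocols TLSv1.2 TLSv1.3;`, and in Apache 2.4, `SSLProtocol -all +TLSv1.2 +TLSv1.3`. This probe only covers protocol versions; the full SSL Labs report also grades your cipher suites, certificate chain and headers, so it is still worth running after you change anything.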