April 2014. The Heartbleed bug shook the entire internet. A two-year-old vulnerability in OpenSSL allowed attackers to read server memory — including private keys and session tokens. If that did not wake you up to review your SSL/TLS configuration, nothing will.
The state of SSL/TLS in 2014
Let’s look at reality: the majority of Czech websites still run on plain HTTP. Those that do have HTTPS often use outdated protocols and weak cipher suites. SSL 3.0 is still enabled. RC4 is still the “recommended” workaround for the BEAST attack. And self-signed certificates in internal systems are the norm.
This must change. Heartbleed was a wake-up call. But the problem runs deeper — poor TLS configuration is ubiquitous, and most administrators settle for the default settings, which are often riddled with holes.
Step 1: Disable SSL 3.0 and older
SSL 2.0 has been dead for years. SSL 3.0 should be too — it is vulnerable to the POODLE attack (which will arrive in October 2014, but smart admins will disable it now). The minimum protocol should be TLS 1.0, ideally TLS 1.2 for modern clients.
# Nginx — recommended TLS configuration 2014
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK';
# DH parameters — generate your own!
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out dhparam.pem 2048
Step 2: Cipher suites — order matters
The correct order of cipher suites is critical. The server should prefer:
- ECDHE cipher suites — provide Forward Secrecy (PFS). Even if an attacker obtains the private key, they cannot decrypt past communication.
- AES-GCM — authenticated encryption, fast on modern hardware with AES-NI instructions
- SHA-256+ — SHA-1 is on its way out; Chrome will start marking it as insecure
What to disable: RC4 (bias attacks), MD5 (collisions), EXPORT ciphers (40-bit, a remnant from the 1990s), NULL ciphers (no encryption), and DES/3DES (slow, weak).
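To make the Step 1 and Step 2 rules checkable rather than a matter of eyeballing, here is an added example (not from the original post) that parses an OpenSSL cipher string and reports suites without forward secrecy, the blacklisted algorithms, and ECDHE suites listed behind weaker ones. It is run against the nginx string from Step 1 as given; the LEGACY string is a constructed sample.

```python
"""Added example: audit an OpenSSL cipher string against the Step 1 and 2 rules above."""
from typing import List, Tuple

EPHEMERAL = ("ECDHE", "DHE")  # key exchanges that provide forward secrecy

def parse_suite(name: str) -> Tuple[str, str, str]:
    """Split an OpenSSL suite name into (key exchange, bulk cipher, hash)."""
    parts = name.split("-")
    kx = "RSA"  # names without a prefix, such as AES128-SHA, use RSA key transport
    if parts[0] in ("ECDHE", "DHE", "EDH", "ECDH", "ADH", "AECDH", "EXP"):
        kx = "DHE" if parts[0] == "EDH" else parts[0]
        parts = parts[1:]
        if parts and parts[0] in ("RSA", "ECDSA", "DSS"):  # authentication algorithm, not needed here
            parts = parts[1:]
    return kx, "-".join(parts[:-1]), (parts[-1] if parts else "")

def check_cipher_string(cipher_string: str) -> List[str]:
    """Return policy findings; an empty list means the string satisfies the checklist."""
    findings = []
    # Exclusions like !RC4 are skipped; aliases such as HIGH are not expanded, so feed the
    # output of `openssl ciphers -v '<string>'` if your configuration relies on them.
    suites = [t for t in cipher_string.split(":") if t and t[0] not in "!-+@"]
    seen_non_ecdhe = False
    for name in suites:
        kx, bulk, digest = parse_suite(name)
        if kx not in EPHEMERAL:
            findings.append(f"{name}: no forward secrecy ({kx} key exchange)")
        if kx == "EXP" or any(weak in bulk for weak in ("RC4", "DES", "NULL")):
            findings.append(f"{name}: weak bulk cipher {bulk}")
        if digest == "MD5":
            findings.append(f"{name}: MD5")
        elif digest == "SHA":
            findings.append(f"{name}: SHA-1, prefer SHA-256 or stronger")
        if kx == "ECDHE" and seen_non_ecdhe:
            findings.append(f"{name}: ECDHE listed after a non-ECDHE suite")
        seen_non_ecdhe = seen_non_ecdhe or kx != "ECDHE"
    return findings

# The nginx cipher string from Step 1 above, and a constructed legacy string of the kind audits turn up.
RECOMMENDED_2014 = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
                    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
                    "!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK")
LEGACY = "AES128-SHA:RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:EXP-RC4-MD5"

if __name__ == "__main__":
    for label, s in (("recommended", RECOMMENDED_2014), ("legacy", LEGACY)):
        print(label, check_cipher_string(s) or ["OK"])
```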
Step 3: HSTS — enforce HTTPS
HTTP Strict Transport Security tells the browser: “Never connect to this website over HTTP.” A simple header, a dramatic impact on security. Eliminates SSL stripping attacks.
# HSTS header — Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Note: HSTS is a one-way door. Once you enable it with a long max-age, browsers will reject HTTP for the duration of validity. Start with a short max-age (3600) and gradually increase it.
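An added example, not part of the original post, that parses a Strict-Transport-Security header the way RFC 6797 tells browsers to (max-age required, each directive at most once, optional quoting) and spells out what each value commits clients to; the header strings it checks are constructed.

```python
"""Added example: parse a Strict-Transport-Security header the way RFC 6797 tells browsers to."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # the max-age used in the nginx/Apache headers above

def parse_hsts(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the header's directives, or None when a browser would ignore the header entirely.

    RFC 6797 section 6.1: names are case-insensitive, each directive may appear only once,
    values may be quoted, and max-age is mandatory and must be a non-negative integer.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # a duplicate directive invalidates the whole header
            return None
        directives[name] = value.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives

def hsts_findings(header: str) -> List[str]:
    """Describe what the header commits clients to, following the rollout advice above."""
    d = parse_hsts(header)
    if d is None:
        return ["malformed header: browsers ignore it, so HTTPS is not enforced"]
    max_age = int(d["max-age"])
    notes = []
    if max_age == 0:
        notes.append("max-age=0 withdraws the policy")
    elif max_age < ONE_YEAR:
        notes.append(f"max-age {max_age}s: rollout stage, raise it once HTTPS is stable")
    else:
        days = max_age // 86400
        notes.append(f"max-age {max_age}s: clients reject HTTP for {days} days after the most recent visit")
    if "includesubdomains" not in d:
        notes.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    return notes

if __name__ == "__main__":
    for h in ("max-age=31536000; includeSubDomains", "max-age=3600", "includeSubDomains"):
        print(repr(h), "->", hsts_findings(h))
```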
Step 4: Certificates — do it properly
After Heartbleed, all certificates and private keys must be regenerated. Not just renewed — a new key pair. The old one may have been compromised.
- RSA 2048-bit minimum — 1024-bit is inadequate; NIST has recommended 2048+ since 2014
- SHA-256 signature — SHA-1 certificates will be penalised by browsers from 2015
- Full chain — serve intermediate certificates, not just the leaf
- OCSP Stapling — the server fetches the OCSP response itself and sends it with the handshake, so the client does not have to query the CA; faster than CRL
# OCSP Stapling — Nginx
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
Step 5: Test, test, test
Configuration without testing is worthless. Use these tools:
- SSL Labs Server Test (ssllabs.com) — aim for an A+ rating
- testssl.sh — testing from your own command line instead of a web service
- nmap --script ssl-enum-ciphers — quick cipher suite audit
- openssl s_client — manual TLS handshake debugging
Our internal rule: no server goes to production without an SSL Labs rating of A. After Heartbleed we audited all 47 production servers. 31 of them had a rating of B or worse. Within two weeks all of them were at A.
Forward Secrecy — why it matters
Perfect Forward Secrecy (PFS) ensures that compromising the private key does not expose historical communication. Each session uses a unique ephemeral key. This is especially critical after Heartbleed — if the NSA or anyone else captured encrypted traffic and later obtained the key, without PFS they can decrypt everything retroactively.
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is today’s preferred method. It is faster than DHE and provides the same level of security with shorter keys. Make sure your cipher suites start with ECDHE.
Common mistakes we see
When auditing SSL/TLS configurations at Czech companies, we repeatedly encounter the same problems:
- Default DH parameters (1024-bit) — generate your own 2048-bit
- Mixed content — an HTTPS page loading HTTP resources; the browser shows a warning
- Missing redirect HTTP → HTTPS — the user accesses via HTTP and stays there
- Wildcard certificate on publicly accessible subdomains — compromise one = compromise all
- Internal systems without TLS — “it’s behind the firewall” (it’s not)
SSL/TLS is not optional
Heartbleed was a warning. POODLE is coming in a few months. And Google just announced that HTTPS will be a ranking signal. Proper TLS configuration is not a luxury — it is a foundation. Go through this checklist, test your servers, and fix what needs fixing. Today, not tomorrow.