Difference between revisions of "TLS"

From Freephile Wiki
== Transport Layer Security ==

This page is mainly about adding '''Transport Layer Security''' (TLS, also commonly referred to by the name of its predecessor, 'Secure Sockets Layer' or SSL) to your web servers such as [[Apache]] or [[nginx]].

If you have a website or other online resources, you should be running them on a '''secure''' webserver. If you need help, call {{CompanyName}}. We can secure your site very quickly and very cost-effectively, using the highest grade security measures.

== Security Check ==

Instantly check your site's security grade at https://www.ssllabs.com/ssltest/analyze.html (you can also append the domain name like so: ?d=equality-tech.com)
=== Checking Ciphers ===

You can use nmap to port scan a host (do NOT do this on hosts you don't control... it's like poking a hornet's nest: you're not sure what's going to happen next, but it could be bad). Use this particular invocation to show the SSL ciphers in use on your host. The description below is from <code>/usr/share/nmap/scripts/ssl-enum-ciphers.nse</code>.

This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.

Each cipher is shown with a strength rating: one of <code>strong</code>, <code>weak</code>, or <code>unknown strength</code>. The output line beginning with <code>Least strength</code> shows the strength of the weakest cipher offered. If you are auditing for weak ciphers, you would want to look more closely at any port where <code>Least strength</code> is not <code>strong</code>. The cipher strength database is in the file <code>nselib/data/ssl-ciphers</code>, or you can use a different file through the script argument <code>ssl-enum-ciphers.rankedcipherlist</code>.

SSLv3/TLSv1 requires more effort to determine which ciphers and compression methods a server supports than SSLv2. A client lists the ciphers and compressors that it is capable of supporting, and the server will respond with a single cipher and compressor chosen, or a rejection notice.

This script is intrusive since it must initiate many connections to a server, and therefore is quite noisy.

<source lang="bash">
nmap --script +ssl-enum-ciphers example.com
</source>

== Upgraded Security ==

We used to run certificates from StartSSL because they offer free one-year certificates. However, today we upgraded to using 'LetsEncrypt' and our certificates are both more secure and easier to manage. Instead of a "B" grade, we now have "A" grade security.

[[File:AGrade.png|left|500px]] [[File:BGrade.png|right|500px]]

Using [[Certbot]], you can manage your certificates.
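As an added example (not part of the original page, and not nmap's own code), the audit rule quoted under Checking Ciphers can be applied to saved nmap output automatically: parse each port's cipher list and its least strength line, then flag every port where that value is anything other than strong. The sample output below is constructed in the older strength-word layout the script description refers to; exact spacing and wording vary between nmap versions, so the patterns are deliberately loose.

```python
import re

# Constructed sample in the older ssl-enum-ciphers layout the description above
# refers to (strength words, "least strength" line); spacing varies by version.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA - weak
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: weak
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\b")
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+([A-Z0-9_]+)\s+-\s+(strong|weak|unknown strength)\s*$")
LEAST_RE = re.compile(r"^\|_?\s+least strength:\s*(\S.*?)\s*$", re.IGNORECASE)

def parse_enum_ciphers(text):
    """Map each open port to its 'least strength' and [(proto, cipher, strength)]."""
    ports, port, proto = {}, None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, proto = int(m.group(1)), None
            ports[port] = {"least": None, "ciphers": []}
        elif port is None:
            continue                      # header lines before the first port
        elif m := PROTO_RE.match(line):
            proto = m.group(1)            # e.g. TLSv1.0; following ciphers belong to it
        elif m := CIPHER_RE.match(line):
            ports[port]["ciphers"].append((proto, m.group(1), m.group(2)))
        elif m := LEAST_RE.match(line):
            ports[port]["least"] = m.group(1).lower()
    return ports

def ports_needing_review(ports):
    """Audit rule from the text: flag ports whose weakest cipher is not 'strong',
    returning the non-strong ciphers (with protocol) an admin would disable."""
    return {port: [c for c in info["ciphers"] if c[2] != "strong"]
            for port, info in ports.items() if info["least"] != "strong"}
```

Feed it the saved output of the nmap invocation above (for example via <code>nmap -oN</code>) and it lists, per flagged port, exactly which cipher and protocol version dragged the least strength down.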

== Resources ==

# [[wp:Transport Layer Security|Transport Layer Security]]
# https://letsencrypt.org/getinvolved/
# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://security.stackexchange.com/
# [https://httpd.apache.org/docs/2.4/ssl/ Apache docs]
# [https://help.ubuntu.com/lts/serverguide/certificates-and-security.html Ubuntu Server Guide - Certificates and Security]
# [https://tls.ulfheim.net/ TLS illustrated]

[[Category:Security]]
[[Category:System Administration]]

Revision as of 14:38, 23 April 2016
