== Transport Layer Security ==
This page is mainly about adding '''Transport Layer Security''' (TLS), also commonly referred to by the name of its predecessor, 'Secure Sockets Layer' or SSL, to your web servers such as [[Apache]] or [[nginx]].
If you have a website or other online resources, you should be running them on a '''Secure''' webserver. If you need help, call {{CompanyName}}. We can secure your site very quickly and very cost-effectively, using the highest grade security measures.
Instantly check your site's security grade at https://www.ssllabs.com/ssltest/analyze.html (you can also append the domain name like so: ?d=equality-tech.com)
== Upgraded Security ==
We used to run certificates from StartSSL because they offer free one-year certificates. However, today we upgraded to using 'LetsEncrypt' and our certificates are both more secure and easier to manage. Instead of a "B" grade, we now have "A" grade security. Using [[Certbot]], you can manage your certificates.

[[File:AGrade.png|left|500px]] [[File:BGrade.png|right|500px]]

=== Checking Ciphers ===
You can use nmap to port scan a host (Do NOT do this on hosts you don't control... it's like poking a hornets' nest, you're not sure what's going to happen next but it could be bad). Use this particular invocation to show the SSL ciphers in use on your host. The description below is from the script (<code>/usr/share/nmap/scripts/ssl-enum-ciphers.nse</code>):

This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.

Each cipher is shown with a strength rating: one of <code>strong</code>, <code>weak</code>, or <code>unknown strength</code>. The output line beginning with <code>Least strength</code> shows the strength of the weakest cipher offered. If you are auditing for weak ciphers, you would want to look more closely at any port where <code>Least strength</code> is not <code>strong</code>. The cipher strength database is in the file <code>nselib/data/ssl-ciphers</code>, or you can use a different file through the script argument <code>ssl-enum-ciphers.rankedcipherlist</code>.

SSLv3/TLSv1 requires more effort to determine which ciphers and compression methods a server supports than SSLv2. A client lists the ciphers and compressors that it is capable of supporting, and the server will respond with a single cipher and compressor chosen, or a rejection notice.

This script is intrusive since it must initiate many connections to a server, and therefore is quite noisy.

<source lang="bash">
nmap --script +ssl-enum-ciphers example.com
</source>
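The audit rule described above (look more closely at any port where <code>Least strength</code> is not <code>strong</code>) can be applied to saved scan output automatically. The following is an added example, not part of the original page or of nmap; the function names are hypothetical, the sample output is constructed, and its exact layout is an assumption because it differs between nmap versions.

```python
import re

# Constructed sample shaped like the ssl-enum-ciphers description above.
# Assumption: the layout varies by nmap version; adjust the patterns to yours.
SAMPLE = """\
80/tcp   open  http
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
|     compressors:
|       NULL
|_  least strength: weak
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
CIPHER_RE = re.compile(r"^\|[ _]+([A-Z0-9_]+) - (strong|weak|unknown strength)\s*$")
LEAST_RE = re.compile(r"^\|[ _]+least strength\s*[:=]\s*(.+?)\s*$", re.I)

def audit(report):
    """Return {port: {"least": rating or None, "flagged": [(cipher, rating)]}}."""
    results, port = {}, None
    for line in report.splitlines():
        if m := PORT_RE.match(line):
            port = m.group(1)
            results[port] = {"least": None, "flagged": []}
        elif port and (m := CIPHER_RE.match(line)) and m.group(2) != "strong":
            results[port]["flagged"].append(m.groups())
        elif port and (m := LEAST_RE.match(line)):
            results[port]["least"] = m.group(1).lower()
    return results

def ports_needing_review(report):
    """Ports with a 'Least strength' line other than 'strong' (no TLS output: skipped)."""
    return sorted(p for p, r in audit(report).items()
                  if r["least"] not in (None, "strong"))

if __name__ == "__main__":
    for port in ports_needing_review(SAMPLE):
        print(port, audit(SAMPLE)[port]["flagged"])
```

Save the scan output to a file with nmap's <code>-oN</code> option and pass the file contents to <code>ports_needing_review</code>.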
== Resources ==
# [[wp:Transport Layer Security|Transport Layer Security]]
# https://letsencrypt.org/getinvolved/
# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://security.stackexchange.com/
# [https://httpd.apache.org/docs/2.4/ssl/ Apache docs]
# [https://help.ubuntu.com/lts/serverguide/certificates-and-security.html Ubuntu Server Guide - Certificates and Security]
# [https://tls.ulfheim.net/ TLS illustrated]
[[Category:Security]]
[[Category:System Administration]]