SSL/TLS Best Practices

TLS

  • Ciphersuite negotiation
  • Master Secret generation (FS) 

 

  • Authentication
  • Confidentiality
  • Integrity

Versions

  • SSL 2.0 (MD5, MITM Downgrade)
  • SSL 3.0 (POODLE)
  • TLS 1.0 (BEAST)
  • TLS 1.1 (CRIME, BREACH)
  • TLS 1.2

Ciphersuite

  • TLS_RSA_WITH_AES_128_CBC_SHA
    • RSA - Key negotiation
    • AES128 CBC - symmetric cipher
    • SHA1 - HMAC

IIS

  • Defaults not optimal (SSLLabs)
  • Changed via registry keys
  • 3rd party tools (IISCrypto)

HSTS

  • Always use HTTPS
  • Server redirects (first request)
  • Headers and Preloaded lists

HTTP/2

  • Requires TLS 1.2 No Compression
  • Opportunistic encryption
  • All implementations so far over TLS
Made with Slides.com