Are you using modern TLS?

Vector Vectors by Vecteezy

Almost two years ago, in March 2020 the support for TLSv1.1 has been deprecated.

You may ask: is my website using the most secure encryption? Is my server protected against malicious users?

Check server connection security

Verify your website against SSL vulnerabilities here: https://www.ssllabs.com/ssltest/ Remember to mark the checkbox: Do not show the results on the boards.

Aren’t your scan results green, are they? Proceed on with reading if so.

Understand the issue

With enough effort and time, you can break into every vault. We may safeguard valuable data only by preventing access to it.

Establishing connection from client to the web server relies on agreement between machines. They decide how to transfer data that’s understandable for both of them.

Various hardware and software vendors adopt modern security standards at their own pace. Permissive configurations can handle more clients, but at risk of the overall security. That’s the price of backward compatibility.

For SSL vulnerabilities, the attacker is trying to downgrade connection security version. Communication with lower-quality mode is an open door for security breaches.

When you allow the server to use older SSL/TLS versions, you’re introducing possible vulnerabilities to be exploited. Only TLSv1.3 is immune to POODLE and LOGJAM attacks, but not all clients support TLSv1.3. If you care about customers with older browsers and devices, stick with version 1.2 using strong ciphering (at least 768 or 1024, depending on the algorithm).

Enforce minimal version in Nginx

In the listen section of Nginx config, replace ssl_protocols line with:

ssl_protocols TLSv1.2 TLSv1.3;

That should be enough to mitigate most issues related to older SSL/TLS versions.

If your website is behind a firewall, e.g. Cloudflare, AWS WAF, there is a simple switch that lets you apply the desired TLS version. Just refer to the relevant documentation.

Be happy

The most recent versions of TLS improve both security and performance of your website. Elliptic curve algorithms available for TLSv1.2 are much faster than RSA. Optimizations reduce the amount of resources spent by the server on encryption. This decreases website response latency, resulting in better user experience.

Further reading

If you want to learn more about SSL/TLS vulnerabilities, check out this article.

Originally published at https://lucidmodules.com.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store