SSL Improvements – Achieving Grade A+ with SSL Labs

ssl-labs-aplus

Following last week’s announcement that HTTPS websites will have a chance to rank better on Google; Pixeno has implemented Grade A+ SSL support for all our customers wishing to use SSL certificates on their hosting.

To demonstrate, one our new customers “Printed with Love” have kindly allowed us to show off their brand new Grade A+ SSL certificate in action here:

https://www.ssllabs.com/ssltest/analyze.html?d=printedwithlove.co.uk

We’re always looking for new ways to improve our service for our customers, so here’s how we did it:

HTTP Strict Transport Security

Using HTTP Strict Transport Security, this is a new security feature available in all modern versions of Chrome, Firefox and Safari web browsers, and is being introduced into IE12 also. It allows the server to inform the web browser that SSL is available for this website, and instructs the browser to use it for all pages and on-site resources (it will change links in the source code to https automatically). This allows the user to have their entire web browsing session from start to finish on the website to be encrypted under https.

This is an important step to help improve the security of the web, as if the website has an issue with their SSL certificate (e.g. a self signed one) or the identify of the website cannot be verified then it won’t allow the visitor to load the website at all, and will show an error/warning message instead. This protects the website visitors, and helps them guarantee the data will be encrypted for their session between the server and their web browser.

Forward Secrecy

Using Forward Secrecy, with the recent Heart-bleed bug announcement (which we patched network wide within a few hours for all our customers), the “key exchange” in the initial connection to https website, has left vulnerable keys allowing users to decrypt past session data. Forward Secrecy offers a different key exchange with the addition of a “secret key” that only the server and web browser in that particular session know and is required to decrypt session data.

This is done in a way that would protect the previous session data whether the private key has been compromised or not (as you also need the “secret key”); effectively offering an additional layer of security against private key decryption.Forward Secrecy helps keep the eavesdropping, NSA and other agencies from snooping in on the data communicated between the client and server.

Unfortunately, most HTTPS websites still don’t support forward secrecy, which means that a large chunk of your past communications with those servers is vulnerable to decryption when private SSL keys are compromised. Here at Pixeno, every customer with an SSL certificate will have robust Forward Secrecy support going forwards.

TLS 1.2 & 2048bit Private Keys

Using TLS 1.2 and 2048bit Private Keys, some websites still use the old SSL protocols such as SSLv2, SSLv3, TLS1.0 and TLS1.1 which leaves them at potential risk despite being under encryption. We have fully support for the TLS1.2 protocol for the modern browsers which support it (which includes IE11 and modern versions of Chrome, Firefox and Safari).

Also websites using the 1024bit RSA Keys are at risk for a keen hacker, although it’s not straightforward or easily – at expert hacker could given time recode the 1024bit RSA Private keys used for a websites SSL communicates, at Pixeno we use RSA 2048 bits Keys by default – which are 10,000 harder to crack and recode, making it not worthwhile for most even determined hackers to even attempt.

Vulnerabilities Patches

Patch against the Heartbleed and CVE-2014-0224 vulnerabilities, an estimated 49% of websites are vulnerable to the CVE-2014-0224 security flaw and an additional 14% of websites are exploitable to the CVE-2014-0224 security flaw as reported by SSL labs here. For websites that are not patched against these publicly known vulnerabilities and exploits:

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. As you can see this, using an outdated version of the OpenSSL software can leave serious flaws in the security of your https connection. Here at Pixeno, we always ensure we keep up to date with the latest versions of the OpenSSL software – so that when new flaws are discovered, we can patch against them within a matter of hours network-wide.

Upgrade to HTTPS

For customers wishing to upgrade to https on their websites, Pixeno offer a basic RapidSSL certificate from as little as £19.95/year* which includes the setup, configuration and installation on your website, covering www and non-www URL’s. So with the added bonus of being able to rank better on Google, and encrypt your website communications with grade A+ SSL security – we think it’s an upgrade serious worth considering for any website owner who wants to be on top of their game.

For customers who want even more security and trust when it comes to their SSL certificates, we offer True Business ID with Extended Validation certificates (like the one on https://pixeno.com). They show the verified business name in the web browser address bar and also the trusted green bar / box along the top (browser dependent). Pixeno sell these for £149/year* or for 2 years at £249*, the prices includes the validation process (see here), setup, configuration and installation.

* Prices excluded 20% VAT for UK/EU customers

  • James

    1. https://www.ssllabs.com/ssltest/analyze.html?d=printedwithlove.co.uk now scores an A instead of an A+ due to the HSTS max-age setting (15768000 = 6 months) that isn’t considered long enough by SSL Labs. You’ll need to set it to 31536000 (= 1 year) to get an A+.

    2. The current choice/ ordering of cipher suites for https://www.ssllabs.com/ssltest/analyze.html?d=pixeno.com results in an “obsolete cryptography” indicator in Chrome. Consider moving TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to be above TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. Google considers CBC suites to be obsolete cryptography and does not support TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 which means you’ll need to squeeze TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 between the two.