GlobalSign teaches you how to deploy SSL certificates more securely

Source: Internet
Author: User

Many people tell me that SSL deployment keeps getting easier: in most cases you can deploy an SSL certificate on almost any server with the help of a search engine or blog posts written by technical staff. Although SSL and HTTPS have long been used to encrypt websites in various industries, deploying them is still not just a matter of installation. There are further issues behind the certificate: using newer, more secure cipher suites, whether the site includes insecure content, and so on. A closer look at these issues shows that deploying SSL on a server is not that simple.

Preventing intrusion and the theft of network resources has always been the driving force behind the security industry. Experts keep proposing new solutions for designing and building more secure protection systems. As one part of this, network security protocols are continually updated to improve the security of network services and to ensure, as far as possible, that online transaction services are not exposed to the latest risks.

This also requires system administrators to keep adjusting the security policies of their network servers. The best solution that was widely promoted last year may no longer be applicable this year. System administrators therefore need to keep improving their security awareness, obtain up-to-date security information, and optimize the SSL deployment on their servers in order to keep them as secure as possible.

To optimize SSL deployment on network servers, we usually recommend that system administrators pay attention to the following:

Use a more secure cipher suite

This is one of the more confusing parts of SSL configuration, and also the most important. However long the private key of the current certificate is, the SSL cipher suite matters just as much, because it encrypts the session key.

Below are our recommended settings for common servers.

Apache

    SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    SSLHonorCipherOrder on

Nginx

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;

These settings favor strong encryption on the server side, and interoperability requires support from both the server and the client. In other words, once a newer cipher suite has been configured on the server, use a recent browser such as Chrome or Firefox.
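The article's point that last year's recommended settings may no longer apply this year can be checked mechanically. The following Python code is an added example, not part of the original article or any GlobalSign tooling: it reads Apache and Nginx TLS directives as text and lists the protocol versions and cipher keywords that later standards deprecated. The legacy lists, the function names and the sample configuration are assumptions of this example, and it inspects only explicitly named keywords, not what the server's OpenSSL build actually negotiates.

```python
import re

# Treated as legacy in this example (assumption): SSLv3 (RFC 7568),
# TLS 1.0/1.1 (RFC 8996), RC4 (RFC 7465), plus weak cipher keywords.
LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
LEGACY_CIPHER_WORDS = {"RC4", "3DES", "DES", "MD5", "EXP", "LOW", "aNULL", "eNULL"}
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}  # simplified "all"

def enabled_protocols(tokens):
    """Apply Apache +/- tokens, or a plain nginx list, from left to right."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        names = ALL_PROTOCOLS if name == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def enabled_legacy_ciphers(cipher_string):
    """Legacy keywords the string names explicitly and never bans with '!'."""
    named, banned = set(), set()
    for tok in re.split(r"[\s:,]+", cipher_string.strip()):
        parts = set(tok.lstrip("!+-").split("+"))
        if tok.startswith("!"):
            if len(parts) == 1:      # "!A+B" bans only ciphers matching both
                banned |= parts
        elif not tok.startswith("-"):
            named |= parts & LEGACY_CIPHER_WORDS
    return sorted(named - banned)

def audit(config_text):
    """Return (directive, kind, item) for each legacy protocol or cipher keyword."""
    findings = []
    for raw in config_text.splitlines():
        directive, _, value = raw.split("#", 1)[0].strip().rstrip(";").partition(" ")
        value = value.strip().strip('"')
        if directive.lower() in ("sslprotocol", "ssl_protocols"):
            legacy = sorted(enabled_protocols(value.split()) & LEGACY_PROTOCOLS)
            findings += [(directive, "protocol", p) for p in legacy]
        elif directive.lower() in ("sslciphersuite", "ssl_ciphers"):
            findings += [(directive, "cipher", w) for w in enabled_legacy_ciphers(value)]
    return findings

# Constructed sample in the shape of the settings above (shortened cipher strings).
SAMPLE = '''
SSLProtocol -ALL +SSLv3 +TLSv1.2
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+RC4 RC4 !aNULL !3DES !MD5"
ssl_protocols TLSv1.2;
ssl_ciphers "EECDH+aRSA+AESGCM !aNULL !RC4";
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```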

Disable insecure HTTP calls under the SSL protocol

We usually access an SSL-enabled website through a browser. If the site loads some content over plain HTTP (images, JavaScript from external sites, or other resources on the page), the browser warns that the page contains insecure content, and the encrypted status is not displayed properly.

 

In this case, the simplest approach is to open the developer tools that come with the Chrome browser and reload the page with the console open. All problematic resources are listed in the console; following the prompts, change those resources to load over HTTPS wherever possible to solve the problem.
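The check the browser console performs can also be run offline against saved HTML before a page goes live. This added Python example (not from the original article) lists the subresources a page references over plain http://; the tag-to-attribute table, the active/passive labels and the sample page are assumptions of this example.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource; <a href> is navigation
# only and is deliberately left out.
SUBRESOURCE_ATTRS = {
    "script": "src", "iframe": "src", "img": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href",
}
# Resources that can change the page itself, as opposed to images or media.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        wanted = SUBRESOURCE_ATTRS.get(tag)
        url = (attr_map.get(wanted) or "").strip() if wanted else ""
        if not url.lower().startswith("http://"):
            return
        # For <link>, this example checks stylesheets only (rel="canonical" etc. are skipped).
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return
        kind = "active" if tag in ACTIVE_TAGS else "passive"
        self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html_text):
    """Return (line, tag, kind, url) for every subresource requested over http://."""
    finder = MixedContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page; the host names are reserved example domains.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://static.example.com/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="http://img.example.net/logo.png">
<img src="/local.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> ({kind}) {url}")
```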

There are likely many server security and deployment questions that this article does not cover. Security is also not only a software issue but a hardware one as well, involving devices such as routers and firewalls.

Today, as computing power grows rapidly, system administrators must not only keep up with routine system security updates but also, in the face of endless network attacks, dig into the security protocol layer. Only with a better understanding of the protocols can we defend against protocol-level attacks.

So a seemingly simple SSL deployment can involve content that is far from simple.

 
