Secure deployment and configuration of SSL to avoid SSL Vulnerabilities


Secure Sockets Layer (SSL) has been under attack since Netscape first developed it in 1994, and the security and integrity of the X.509 public key infrastructure have also run into many problems recently. Despite the many warnings about SSL security, SSL, if correctly deployed and configured, can still protect data in transit across untrusted networks. This article discusses the threats that SSL vulnerabilities pose to enterprises and gives methods for deploying and configuring SSL securely.
 
SSL security issues
 
As more and more people rely on SSL to protect their communications, insecure use of SSL poses a greater threat to enterprises and users than it did two years ago. Recent incidents include the compromises of the Comodo and DigiNotar certificate authorities, which yielded fraudulent certificates usable for man-in-the-middle attacks, and fraudulently issued intermediate-CA or server certificates from PKI certificate authorities (CAs), which can likewise be used to attack SSL connections. Such certificates can even be used by enterprises to monitor communications on their own networks.
 
The bigger problem is that SSL does not by itself provide everything a web application or system needs to protect its data. SSL gives strong protection only to data while it is in transit on the network; cryptography is needed to protect the same data in many other places, for example while it is stored. If SSL or the surrounding cryptography is deployed insecurely, or the system itself is insecure, the strength of the algorithms protecting the connection becomes meaningless.
 
Beyond the problems in SSL's core cryptography and key exchange, more security problems arise in how enterprises deploy SSL. These include the use of weak cipher suites and the reuse of one certificate across different host names.
 
Resist SSL Vulnerabilities
 
When a vulnerability is found in SSL, enterprises should apply the patches promptly, so that most programs are repaired and protected just as with other software. Because of SSL's complexity and the variety of devices that support it, this can be a daunting task, and if a fix is not backward compatible it will take considerable time and effort. Like any other patch, SSL patches must be fully tested to ensure they do not break any functionality; test systems may also need to connect to the patched systems to confirm that they remain reachable.
 
To guard against SSL vulnerabilities, enterprises can take protective measures in three areas: users, customers, and services. Enterprises can protect users by installing a browser plug-in that enforces the use of SSL, such as the Electronic Frontier Foundation's Firefox plug-in HTTPS Everywhere, which forces SSL whenever it is available. The Convergence tool likewise gives better control over which CAs the browser trusts. Enterprises should also run security awareness training so that users always use secure connections; users need not make complicated technical decisions about how to protect their connections, but they should understand why secure connections matter. The same protections apply to an enterprise's customers, but there the enterprise can only offer secure connections on its own services to reinforce customers' good habits.
 
Enterprises should also make sure that old, insecure SSL versions are disabled in their deployments, to defend against downgrade attacks, in which a client is induced to negotiate an insecure connection. The IETF (Internet Engineering Task Force) has been working on improvements to SSL to strengthen the security of SSL-based systems.
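The two deployment problems named above, weak cipher suites and leaving old protocol versions enabled for a downgrade, are easiest to see side by side in a concrete configuration. The following Python script is an added example, not code from the original article: it builds a legacy TLS server context and a hardened one with the standard `ssl` module, then runs a small offline audit over each. No connection is opened; the audit only inspects the context's settings. The `WEAK_CIPHER_MARKERS` and `AEAD_MARKERS` lists and the audit rules are this example's own assumptions, not a standard, and the same settings (minimum protocol, cipher list, no compression) are what you would translate into a web server's TLS configuration.

```python
"""Legacy versus hardened TLS context, with an offline audit.

Added example (not from the original article). Builds two ssl.SSLContext
objects in-process and inspects their settings; no network connection is
made. The marker lists and audit rules below are assumptions for the example.
"""
import ssl

# Cipher-name fragments treated as unacceptable (assumed list for this example).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ANON", "PSK")
# Fragments that identify an AEAD suite; any other suite is flagged as non-AEAD.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def legacy_context() -> ssl.SSLContext:
    """The 'before' configuration: still accepts TLS 1.0 and every suite OpenSSL offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # a downgrading client can get TLS 1.0
    ctx.set_ciphers("ALL")                      # whatever the library was built with
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected configuration: TLS 1.2 or newer, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE for forward secrecy; AES-GCM / ChaCha20-Poly1305 for authenticated encryption.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    # Python already sets OP_NO_COMPRESSION; make it explicit (TLS compression enables CRIME).
    ctx.options |= ssl.OP_NO_COMPRESSION
    # The server, not the client, chooses from its ordered cipher list.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passed every rule."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol is {ctx.minimum_version.name}: below TLS 1.2, downgrade possible"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {name}")
        elif not any(marker in name for marker in AEAD_MARKERS):
            findings.append(f"non-AEAD cipher suite offered: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        result = audit(ctx)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The legacy context always produces at least the minimum-version finding; how many cipher findings it produces depends on what the local OpenSSL build still offers under "ALL", which is itself the point: a configuration that says "everything" inherits the library's weakest option. The hardened context should produce no findings on a current OpenSSL.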
 
Conclusion
 
If it is correctly deployed and configured, SSL can still protect data in transit. What has changed is that we now know far more about the risks and vulnerabilities that come from using SSL insecurely.
New attacks, and the work to counter them, still focus on the core cryptography and key exchange, but the deployment process determines SSL's security to a greater extent. End users may never notice these improvements, but enterprises, server operators, and software developers must implement them. Over the past two years people have gradually come to appreciate the importance of SSL: more and more users reach social networks and the rest of the Internet over different networks and devices, and whatever they choose, they still expect an encrypted connection to protect their use of the Internet.
Author: Nick Lewis Translator: Yang Fan Source: TechTarget China
