In this post, I’ll be talking about a very common vulnerability in HTTPS encrypted connections and how to fix it. Most web server’s or services that uses HTTPS don’t worry about the hardening of its ciphers and protocols.
The main problem is that encryption protocols and ciphers become obsolete over time and new vulnerabilities rises from its deprecation, for an example, SSLv2 and SSLv3 are long considered vulnerable and yet you still can find many services that uses this type of protocol.
Going for what matters, this guide is about setting only the strongest and compliant protocols on your cryptographic connections over Windows and some web services on Linux. The procedures on this guide may need to be tweaked in order to function properly on your environment, as I can’t predict all the possible variations. Here are some benefits of applying this hardening guide:
- It will remediate attacks known as DROWN, Logjam, FREAK, POODLE and BEAST;
- Insecure ciphers and protocols will be disabled, such as SSL 2.0, 3.0, PCT 1.0, TLS 1.0, MD5 and RC4;
- Only TLS 1.1 and TLS 1.2 protocols will be accepted;
- These changes are compliant with PCI 3.1 and FIPS 140-2 practices;
- Old web browsers may no longer function with HTTPS connections, such as Internet Explorer <7.0.
Obs.: It’s highly recommended to use a test environment before applying any change on the production environment.
There’s a tool called IIS Crypto that will do basically everything for you, you can find it here:
- IS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.
Here’s what to do once you download and run it:
- Run it as administrator;
- Click the “Best Practices” button;
- Uncheck the “TLS 1.0” option. TLS 1.0 is no longer recommended or safe. This may crash some RDP (Remote Desktop) functionality;
- Click “Apply”;
As fast as it can be, it’s all done now. If you want to check out the changes that this tool made, do the following:
- Run “regedit.exe”;
- Go to the following folder “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL”;
- Check the new folders and keys generated.
You can also to it all by yourself if you want, check out Microsoft’s guides about it:
Doing this kind of stuff on Linux is a bit trickier, since it has a lot so distros and several types of web services, this guide may not apply for everything. Anyway, there’s also a tool that may help you a lot while doing this, this is a online tool that can be found at:
- Mozilla SSL Configuration Generator
It is a web page where you can set your web service and it’s version, once you’ve done that, the tool displays for you the configuration lines that must be imported onto the file that sets the security characteristics of your web server. If you use Apache or any other technology, just navigate to the folder where this file resides and modify it, remember to always have a backup copy of it.
- Set your technology (yellow);
- Set the “modern” option (Blue). This defines the acceptable protocols and ciphers, only the good ones;
- Set the server version and OpenSSL version. The “HSTS” is a security header option that may be not compatible with older web applications;
- Check the configuration to be imported (green);
All right, you are all good now, at least better than before. The worst down point on doing all this stuff, is that some old browsers may have issues connecting to your web page or service. Older versions of IE like 6 or 7 does not support TLS 1.1 or higher.
If you are worried about this, you can check out this awesome reference on Wikipedia which compiles the support of HTTPS connections on most of the browsers, look after the big table named “TLS/SSL support history of web browsers”
Comments are always welcome!