This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

SSL Best Practices

From OWASP
Revision as of 23:03, 2 September 2011 by Jmanico (talk | contribs)

Jump to: navigation, search

Status

This guide is out of date and incomplete. Please see [Transport Layer Protection Cheat Sheet] for information on TLS/SSL configuration and best practice.

What is SSL

SSL is the abbreviation of Secured Socket Layer. It is a protocol enabling to settle a secured communication between two hosts. The origin host is viewed as an SSL client and the destination host as an SSL server.

SSL has also been normalised as the TLS (Transport Layer Security) protocol.

SSL is used on top of a transport level protocol like HTTP or FTP in order to secure it.

SSL enables :

  • authentication of the destination host for the origin host or mutual authentication of both the origin and the destination hosts
  • data confidentiality through encryption
  • data integrity checking through hashing.

SSL relies on two types of encryption :

  • public key encryption in the initiation phase, where authentication takes place
  • secret key encryption when a session has been established and data is sent between two peers which trust each other.

SSL only secures the communication between two endpoints : in the origin and destination points, data is in clear text, unless it is encrypted by another means, at the application level.

How SSL is implemented in J2EE

The following guide explains implementing SSL / 2 way SSL / Keystores etc http://sites.google.com/site/ssljavaguide/Home

HTTPS best practices in general

Secure Login Pages

There are several major considerations for securely designing a login page. The following text will address the considerations with regards to SSL.

  • Logins Must Post to an SSL Page

This is pretty obvious. The username and password must be posted over an SSL connection. If you look at the action element of the form it should be https.

  • Login Landing Page Must Use SSL

The actual page where the user fills out the form must be an HTTPS page. If its not, an attacker could modify the page as it is sent to the user and change the form submission location or insert JavaScript which steals the username/password as it is typed.

  • There must be no SSL Error or Warning Messages

The presence of any SSL warning message is a failure. Some of these error messages are legitimate security concerns; others desensitize the users against real security concerns since they blindly click accept. The presence of any SSL error message is unacceptable - even domain name mismatch for the www.

  • HTTP connections should be dropped

If a user attempts to connect to the HTTP version of the login page the connection should be denied. One strategy is to automatically redirect HTTP connections to HTTPS connections. While this does get the user to the secure page there is one lingering risk. An attacker performing a man in the middle attack could intercept the HTTP redirect response and send the user to an alternate page.

HTTPS best practices in J2EE

Examples with Tomcat

By default, Tomcat uses the ciphers that are enabled by the JRE. To remove all weak ciphers:

  • Set the ciphers attribute in the SSL connector inside of conf/server.xml to: "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"

TODO: Enable Unlimited Strength Ciphers

Examples with JBoss

Examples with Jetty

See How to configure SSL for Jetty