4 best practices for managing and tracking SSL and TLS certificates

Do you know what SSL protocols you expose to your users? Are your settings optimized for security? Have you properly deprecated older TLS certs? Here's what you need to know.

Check mark certificate in a binary tunnel / standards / quality control / certification / certifi
Tampatra / Getty Images

Most of us take Secured Sockets Layer (SSL) and Transport Layer Security (TLS) for granted, but over time the use of SSL and TLS certificates has dramatically changed. Once, only websites that handled secure transactions provided protection with an SSL certificate. Now search engines demand everything is protected with certificates. 

Because attackers have used weaknesses in SSL to gain access to credentials, we have deprecated insecure SSL protocols in favor of more secure ones. Many of you likely became aware of the weakness in SSL when the POODLE vulnerability was first disclosed. “Padding Oracle On Downgraded Legacy Encryption” revealed a flaw in how SSL 3.0 handles block cipher mode padding. As noted in the CISA notification:

“While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS the SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack.”

Before POODLE, there was BEAST, an SSL attack that enables a “man-in-the-middle (MITM) attack to obtain plaintext HTTP headers via a blockwise chosen boundary attack (BCBA) on an HTTPS session,” according to its CVE description. For both SSL attacks the recommended solution was to move to more secure cypher suites. More SSL attacks include DROWN and HeartBleed.

To continue reading this article register now

Subscribe today! Get the best in cybersecurity, delivered to your inbox.