What web developers should know about SSL (opens in new tab)

(certsimple.com)

222 pointsmikemaccana10y ago52 comments

52 comments

A less common question we get, that a lot of web devs are interested in is 'How do I mitigate against MITM attacks'.

- As a browser, by using a default OS and watching the root CA store. You can control the key stores on most devices except iOS pretty easily: https://certsimple.com/blog/control-the-ssl-cas-your-browser...

- As a server, setting up key pinning (https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) which throws up a browser warning if someone accesses your site with a new key.

1 more reply

daok10y ago

Right from the beginning "EV cert". What is EV? When you write article and it's the first time you use acronym, please define it.

TazeTSchnitzel10y ago

DV = Domain Validation - all that's validated by the certificate authority (CA) is that the person getting the certificate controls the domain

OV = Organisation Validation - the CA also checks that the person getting the certificate is the organisation they claim to be (the cert will contain, for example, a company name or number)

EV = Extended Validation - the CA does additional checks for authenticity and trustworthiness

Typically, sites with EV certificates have the address bar show up green, and the organisation name is visible in it. EV is mostly only used for stuff like online banking. Less important things like Facebook, YouTube and your blog will use cheaper and easier to get DV or OV certificates. Let's Encrypt! gives you a DV certificate since domain ownership is the sole thing it can and does validate.

mikemaccanaOP10y ago

This is a perfect explanation. As a followup to @daok's feedback, I've amended the article to expand EV & provide a link!

frik10y ago

Somewhere I read that EV certs (green bar) are slower because of an additional round trip or so. If it is the case, can someone point me to an article that explains this?

2 more replies

jlgaddis10y ago

It's the main product this company is selling.

mikemaccanaOP10y ago

EV is a standard for identity verification, rather than a product.

Our product is 40-100x faster validation for EV. If you think DV is fine for your app, that's awesome. But if you're thinking about getting an EV cert, we do in an average of 5 hours what others do in 7-10 days.

jbhatab10y ago

Yeah I have no clue what that is.

manachar10y ago

Extended Validation. Usually implies the certificate authority has gone through extra steps to verify the identity of the domain owner.

noja10y ago

The green bar certs that nobody in the world ever looks for.

geofft10y ago

A slightly stronger argument not to use 4096-bit certs is that just about every (intermediate) CA certificate out there is 2048-bit, and there's no security advantage to your cert being 4096-bit if it only has a 2048-bit signature. An attacker can just factor your CA's public key and not care how strong your own public key is.

So it's not just that it slows down your site, it slows down your site without any additional security or other benefit.

mikemaccanaOP10y ago

That's an excellent point - I've added it to the article and credited you.

sarciszewski10y ago

Item number 1: SSL is obsolete, use TLS.

Can we please, as a society, try to move forward with the correct acronym? Everyone who isn't wide-open-vulnerable is using TLS 1.0 or newer. (Personally, I like to run TLS 1.2 only, but my CloudFlare domains still speak 1.0 and I can't turn it off without paying money.)

nailer10y ago

Yep, and people mean 'host name' rather than 'domain name'. But web developers don't care and use the terms interchangably, infosec people know SSL was rebranded into TLS by Microsoft, and none of these things are important since everyone knows what you're talking about and being pedantic would distract from your actual message.

scrollaway10y ago

> try to move forward with the correct acronym?

This won't happen as long as OpenSSL (or libressl) is popular.

marcosdumay10y ago

Luckily, libressl is being discontinued in favor of libtls, that has a saner interface. Or, better, if I understood the strategy correctly, libressl is being transformed into a wrapper of libtls, with frozen functionality until people stop using it.

1 more reply

draw_down10y ago

It's difficult to understand the difference, especially when people use the terms interchangeably.

geofft10y ago

The difference is that SSL was the name for the protocol Netscape invented, and TLS was the name for the protocol that went through a standardization process. SSL 1.0 was Netscape-internal and horribly broken. SSL 2.0 was less so, and after that came SSL 3.0. Then the standards process renamed it and released TLS 1.0, then TLS 1.1, and then TLS 1.2 (and there's now TLS 1.3 under development).

Those TLS versions identify themselves in the handshake as if they were SSL 3.1, SSL 3.2, and SSL 3.3, in fact.

It's basically just like how Windows NT went from 4 to 2000 to XP to Vista to 7. It's just marketing/politics, and the underlying technical version number just kept steadily ticking upwards (2000 was 5, XP was 5.1, and Vista was 6) with no regard for marketing.

sarciszewski10y ago

Easy mode:

    - SSL is outdated
    - TLS is newer

Yes, there are a lot more differences, but if we start today we might be able to retire the use of SSLang in the future.

1 more reply

yuhong10y ago

As a side note, using SSL to just refer to SSLv2 and SSLv3 is a misnomer. SSLv2 and SSLv3 are completely different protocols.

adrtessier10y ago

Seriously. I can understand non-engineering-types calling SSL "SSL" still, but there's a point at which I will begin to date or discredit people's knowledge of "SSL" if they're still referring to it as such (and not to one of the libraries like polar, open, boring, etc.) I don't generally like being a pedant, but SSL and TLS are different things that attempt to solve the same problem, much like WEP and WPA. Most people don't call WPA WEP anymore.

geofft10y ago

It's very different from WPA and WEP. "TLS" was a rebranding as part of the standardization process, for political reasons, and was not merited by any of the actual protocol changes. The wire format of TLS 1.0 looks exactly like how you'd have expected an SSL 3.1 or 4.0 to look, down to the fact that the version number field literally contains 3.1. The data structures are the same, the encoding is the same, many of the algorithms are the same, etc. And many of the protocol bugs are the same, and were only closed down in TLS 1.2.

WEP and WPA are completely different protocols. WEP only supports a shared, fixed encryption key, and in its common mode has no handshake. WPA always uses a handshake and derives a per-session key for encryption, and therefore requires a stateful client. (This is why, e.g., on Linux, you can use `iwconfig` to set a WEP password but you need to run the `wpa_supplicant` daemon for a WPA-password.) WPA's handshake supports EAP, and WEP has no concept of it. And so forth.

Perhaps you're thinking of WPA vs. WPA2? That's much more like SSL 3.0 and TLS 1.0: there was a standardization process between them, the protocol has been adjusted to address inherent security issues, there are more secure algorithms available, etc. but it's still clearly an extension of the original protocol. But here, again, most practitioners and implementors are happy to call both protocols "WPA" without any risk of confusion or inaccuracy.

2 more replies

agwa10y ago

> I don't generally like being a pedant, but SSL and TLS are different things that attempt to solve the same problem, much like WEP and WPA.

That is not really accurate - TLS 1.0 is very similar to SSL 3.0. They're so similar that implementations use much of the same code for both. TLS 1.0 should have been called SSL 3.1, but because of the browser wars between Netscape and Microsoft it was renamed (SSL was invented by Netscape, Microsoft didn't want to adopt a Netscape technology). See http://tim.dierks.org/2014/05/security-standards-and-name-ch...

jzd10y ago

The general public couldn't care less about EV certs.

Important reading: http://webmasters.stackexchange.com/a/9095

1 more reply

TazeTSchnitzel10y ago

Another thing: You should probably go TLS-only. Set up a 301 redirect from HTTP to HTTPS, and set the Strict-Transport-Security header on all HTTPS responses.

It's very easy to do, and ensures all your users get maximal security. The future is encrypted.

Today I did this for my blog: https://github.com/TazeTSchnitzel/blog/commit/792986d18d8583...

geofft10y ago

This is pretty reasonable provided that you're not in danger of having to stop using HTTPS. For our personal blogs, that's probably fine (and hey, I should kick up the timeout on my HSTS header, thanks for the reminder). For a site that you're making for an employer or a customer, you should be certain that they're not going to want to move it over to a non-HTTPS-compatible web host for whatever reason. Most of the time you can be confident about this; sometimes you can't. Strict-Transport-Security is a promise to your viewers that for the next whatever time period you say, you're not going to change your mind about HTTPS.

theandrewbailey10y ago

Re: Point 1

You really only need two ciphers to get to most browsers/clients and good security and speed (replace RSA with ECDSA if needed):

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Example: https://www.ssllabs.com/ssltest/analyze.html?d=theandrewbail...

It baffles me that Mozilla recommends 20 ciphers for their highest security level. I think high security should be more exclusive than that, and with forward secrecy only.

Point 5:

How I imported Let's Encrypt's certificates into a Java keystore:

    openssl pkcs12 -export -name yourdomain -in fullchain.pem -inkey privkey.pem -out pubchainpriv.p12
    keytool -importkeystore -srcstoretype pkcs12 -srckeystore pubchainpriv.p12 -alias yourdomain -destkeystore /path/to/keystore.jks

paulschreiber10y ago

I've compiled lots of resources for moving to HTTPS: https://docs.google.com/document/d/1EJKAoa4Hxc4AyH0znuA_AApl...

Swannie10y ago

A good start. If you want to improve it, please add information about how to consume HTTPS services in a secure way.

Also potentially add an aside for self-signed/enterprise CA, as most web developers will encounter internal systems sooner or later. This makes the above (consuming services) more challenging :-)

angry-hacker10y ago

My addition: if you use SNI cert, expect loads of problems. And I don't mean browser support.

Bing wont crawl you, you have to email the support and maybe they manually whitelist you.

A lot of RSS readers wont work, services like pocket, reddit submissions, mailchimp rss to email etc etc.

It's crazy considering we want to move everything to https only.

marcosdumay10y ago

Add the Hg client to that list.

The amount of software that fails because of SNI is insane. For something that should be done systemwide by a single library, it's also too weird.

angry-hacker10y ago

Yeah, I suspect it's because of Python 2.7.9

So many things are broken because of it. It doesn't have native SNI capability.

discreditable10y ago

> Bing wont crawl you, you have to email the support and maybe they manually whitelist you.

They seem to be doing OK on my site. I've never contacted them.

angry-hacker10y ago

What's the url of your site, if not a secret? Maybe you're lucky your site is being crawled by the "newer"/updated bots that have SNI capabilities.

1 more reply

james-skemp10y ago

You might be slow from traffic, but just in case that's not the case, the linked article loads fine but the home page does not on a 2nd gen Nexus 7.

I see the top navigation followed by a white page, no scrollbar.

nailer10y ago

What browser are you using on the Nexus 7? We test on current Chrome (which I imagine most Nexus 7 users are using).

gcb010y ago

beware of item 4. Android 2.3 is still prevalent in some markets

fredrik-j10y ago

It is of course good to be aware, but legacy Android versions shouldn't be a show stopper for modern TLS.

For general web browsing, I'd expect that both Chrome and Firefox are installable on Android 2.3 and bundle their own TLS libraries.

Other app developers can also vendor TLS libraries, like Bouncy Castle, to support modern encryption on legacy devices.

hsivonen10y ago

Chrome for Android 42 and older requires Android 4.0 or newer. Current versions require 4.1 or newer. What you say about Firefox is accurate, though.

leni53610y ago

What should I know about cert revocation and client support for it?

j / k navigate · click thread line to collapse

52 comments

mikemaccanaOP10y ago

A less common question we get, that a lot of web devs are interested in is 'How do I mitigate against MITM attacks'.

- As a server, setting up key pinning (https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) which throws up a browser warning if someone accesses your site with a new key.

1 more reply

daok10y ago

Right from the beginning "EV cert". What is EV? When you write article and it's the first time you use acronym, please define it.

TazeTSchnitzel10y ago

DV = Domain Validation - all that's validated by the certificate authority (CA) is that the person getting the certificate controls the domain

OV = Organisation Validation - the CA also checks that the person getting the certificate is the organisation they claim to be (the cert will contain, for example, a company name or number)

EV = Extended Validation - the CA does additional checks for authenticity and trustworthiness

mikemaccanaOP10y ago

This is a perfect explanation. As a followup to @daok's feedback, I've amended the article to expand EV & provide a link!

frik10y ago

Somewhere I read that EV certs (green bar) are slower because of an additional round trip or so. If it is the case, can someone point me to an article that explains this?

2 more replies

jlgaddis10y ago

It's the main product this company is selling.

mikemaccanaOP10y ago

EV is a standard for identity verification, rather than a product.

jbhatab10y ago

Yeah I have no clue what that is.

manachar10y ago

Extended Validation. Usually implies the certificate authority has gone through extra steps to verify the identity of the domain owner.

noja10y ago

The green bar certs that nobody in the world ever looks for.

geofft10y ago

So it's not just that it slows down your site, it slows down your site without any additional security or other benefit.

mikemaccanaOP10y ago

That's an excellent point - I've added it to the article and credited you.

sarciszewski10y ago

Item number 1: SSL is obsolete, use TLS.

nailer10y ago

scrollaway10y ago

> try to move forward with the correct acronym?

This won't happen as long as OpenSSL (or libressl) is popular.

marcosdumay10y ago

1 more reply

draw_down10y ago

It's difficult to understand the difference, especially when people use the terms interchangeably.

geofft10y ago

Those TLS versions identify themselves in the handshake as if they were SSL 3.1, SSL 3.2, and SSL 3.3, in fact.

sarciszewski10y ago

Easy mode:

    - SSL is outdated
    - TLS is newer

Yes, there are a lot more differences, but if we start today we might be able to retire the use of SSLang in the future.

1 more reply

yuhong10y ago

As a side note, using SSL to just refer to SSLv2 and SSLv3 is a misnomer. SSLv2 and SSLv3 are completely different protocols.

adrtessier10y ago

geofft10y ago

2 more replies

agwa10y ago

> I don't generally like being a pedant, but SSL and TLS are different things that attempt to solve the same problem, much like WEP and WPA.

jzd10y ago

The general public couldn't care less about EV certs.

Important reading: http://webmasters.stackexchange.com/a/9095

1 more reply

TazeTSchnitzel10y ago

Another thing: You should probably go TLS-only. Set up a 301 redirect from HTTP to HTTPS, and set the Strict-Transport-Security header on all HTTPS responses.

It's very easy to do, and ensures all your users get maximal security. The future is encrypted.

Today I did this for my blog: https://github.com/TazeTSchnitzel/blog/commit/792986d18d8583...

geofft10y ago

theandrewbailey10y ago

Re: Point 1

You really only need two ciphers to get to most browsers/clients and good security and speed (replace RSA with ECDSA if needed):

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Example: https://www.ssllabs.com/ssltest/analyze.html?d=theandrewbail...

It baffles me that Mozilla recommends 20 ciphers for their highest security level. I think high security should be more exclusive than that, and with forward secrecy only.

Point 5:

How I imported Let's Encrypt's certificates into a Java keystore:

    openssl pkcs12 -export -name yourdomain -in fullchain.pem -inkey privkey.pem -out pubchainpriv.p12
    keytool -importkeystore -srcstoretype pkcs12 -srckeystore pubchainpriv.p12 -alias yourdomain -destkeystore /path/to/keystore.jks

paulschreiber10y ago

I've compiled lots of resources for moving to HTTPS: https://docs.google.com/document/d/1EJKAoa4Hxc4AyH0znuA_AApl...

Swannie10y ago

A good start. If you want to improve it, please add information about how to consume HTTPS services in a secure way.

Also potentially add an aside for self-signed/enterprise CA, as most web developers will encounter internal systems sooner or later. This makes the above (consuming services) more challenging :-)

angry-hacker10y ago

My addition: if you use SNI cert, expect loads of problems. And I don't mean browser support.

Bing wont crawl you, you have to email the support and maybe they manually whitelist you.

A lot of RSS readers wont work, services like pocket, reddit submissions, mailchimp rss to email etc etc.

It's crazy considering we want to move everything to https only.

marcosdumay10y ago

Add the Hg client to that list.

The amount of software that fails because of SNI is insane. For something that should be done systemwide by a single library, it's also too weird.

angry-hacker10y ago

Yeah, I suspect it's because of Python 2.7.9

So many things are broken because of it. It doesn't have native SNI capability.

discreditable10y ago

> Bing wont crawl you, you have to email the support and maybe they manually whitelist you.

They seem to be doing OK on my site. I've never contacted them.

angry-hacker10y ago

What's the url of your site, if not a secret? Maybe you're lucky your site is being crawled by the "newer"/updated bots that have SNI capabilities.

1 more reply

james-skemp10y ago

You might be slow from traffic, but just in case that's not the case, the linked article loads fine but the home page does not on a 2nd gen Nexus 7.

I see the top navigation followed by a white page, no scrollbar.

nailer10y ago

What browser are you using on the Nexus 7? We test on current Chrome (which I imagine most Nexus 7 users are using).

gcb010y ago

beware of item 4. Android 2.3 is still prevalent in some markets

fredrik-j10y ago

It is of course good to be aware, but legacy Android versions shouldn't be a show stopper for modern TLS.

For general web browsing, I'd expect that both Chrome and Firefox are installable on Android 2.3 and bundle their own TLS libraries.

Other app developers can also vendor TLS libraries, like Bouncy Castle, to support modern encryption on legacy devices.

hsivonen10y ago

Chrome for Android 42 and older requires Android 4.0 or newer. Current versions require 4.1 or newer. What you say about Firefox is accurate, though.

leni53610y ago

What should I know about cert revocation and client support for it?

j / k navigate · click thread line to collapse