Best practices for SSL / TLS security for websites if you have control over all Client Browsers / Operating systems.
Due to the current breakneck speed at which vulnerabilities are discovered and exploited in various SSL/TLS implementations, I will try to keep this page as up to date as possible with any new issues or vulnerabilities when they arise!
I will split the recommendations into two sections: the first covers which SSL/TLS features to enable or disable, and the second covers ciphers!
Features to be enabled or disabled:
- SSL v2 and v3 should be disabled (protects against the BEAST and POODLE attacks)
- TLS v1.0 should also be disabled (protects against the BEAST and POODLE attacks)
- Only TLS v1.1 and v1.2 should be enabled
- TLS compression should be disabled (protects against the CRIME attack)
- Secure Renegotiation should be enabled
- Forward Secrecy should be enabled
- All ciphers below 128 bits should be disabled
- ECDHE-based ciphers should be prioritized
- RC4-based ciphers should be disabled
- The following ciphers should be enabled and given highest priority.
These three ciphers should support the following browsers and operating systems:
- Chrome 36 onwards on Windows 7 and 8
- Android 4.4.2 or higher
- Firefox 31 or higher
- IE 11 or higher (Desktop and Mobile)
- Safari 6 on iOS 6.0.1 or higher
- Safari 7 on OS X 10.9 or higher
I will be doing a follow-up post on the current best practices to strike a balance between browser support and security.
Qualys has an excellent SSL Tester to test your site if it's accessible over the internet.
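
For a site that is not reachable from the internet, the checklist above can be applied to a scan result locally. The following is an added example, not code from the original post: the dict layout, the `audit` function and the sample cipher lists are assumptions constructed for illustration, and the sample ciphers are not the three ciphers the post recommends.

```python
# Added example: audit a TLS scan result against the checklist above.
# The dict layout and the sample values are assumptions made for this example.
ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}
MIN_BITS = 128

def audit(cfg):
    """Return a list of findings; an empty list means the checklist is met."""
    findings = []
    for proto in cfg["protocols"]:
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"{proto} must be disabled")
    if cfg["compression"]:
        findings.append("TLS compression must be disabled")
    if not cfg["secure_renegotiation"]:
        findings.append("secure renegotiation must be enabled")
    names = [name for name, _ in cfg["ciphers"]]
    # Ephemeral (EC)DH key exchange is what provides forward secrecy.
    if not any(n.startswith(("ECDHE-", "DHE-")) for n in names):
        findings.append("no forward-secrecy cipher is enabled")
    first_non_ecdhe = None
    for name, bits in cfg["ciphers"]:  # listed in server preference order
        if bits < MIN_BITS:
            findings.append(f"{name}: {bits}-bit cipher is below {MIN_BITS} bits")
        if "RC4" in name:
            findings.append(f"{name}: RC4 must be disabled")
        if not name.startswith("ECDHE-"):
            first_non_ecdhe = first_non_ecdhe or name
        elif first_non_ecdhe:
            findings.append(f"{name}: ECDHE cipher ranked below {first_non_ecdhe}")
    return findings

# Constructed scan results, not taken from a real server.
WEAK = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "compression": True, "secure_renegotiation": False,
    "ciphers": [("RC4-SHA", 128), ("DES-CBC-SHA", 56),
                ("ECDHE-RSA-AES128-GCM-SHA256", 128)],
}
HARDENED = {
    "protocols": ["TLSv1.1", "TLSv1.2"],
    "compression": False, "secure_renegotiation": True,
    "ciphers": [("ECDHE-RSA-AES256-GCM-SHA384", 256),
                ("ECDHE-RSA-AES128-GCM-SHA256", 128),
                ("DHE-RSA-AES128-SHA", 128)],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "OK")
```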