This month I released an updated version of SSL/TLS Deployment Best practices—my favourite SSL Labs publication—bringing the document up to date again. Given that the previous release was a long time ago (December 2014!), this version has quite a few changes and improvements.
Now, despite the numerous changes, the advice didn’t change that much. The updated version puts more emphasis on using authenticated cipher suites. In practice, we’re not seeing attacks against CBC, but it’s prudent to improve the margin of safety.
There’s been several interesting attacks since the previous version, for example FREAK, Logjam, and DROWN. However, those who followed the earlier versions of the guide wouldn’t have been vulnerable to any of these problems. Still, these attacks are now mentioned in the document. I am also spending more time discussing why it’s important to deploy with strong key exchange.
I’ve also made the guide more practical by giving a recommended list of cipher suites, something I didn’t do before. That one paragraph alone should save the readers a lot of time trying to figure that out on their own. In addition, I added HSTS and CSP examples to help improve site security and get rid of mixed content. Subresource integrity is also mentioned as a way to deal with third-party trust.
There’s also a large number of smaller updates, as well as tips and tricks. The best thing is that the document is now hosted in the SSL Labs’ wiki on GitHub; decoupled from the software development cycle of the main web site, it can now be updated whenever it’s necessary.
I am very happy to continue to maintain SSL/TLS Deployment Best Practices; given the amount of stale documentation that’s out there, having a concise and comprehensive guide to secure server configuration is very important.