SSL/TLS Protocols Security Guidelines

SSL/TLS protocols are pervasive throughout information systems and the internet. They protect the confidentiality of communication. HTTPS protocol is one of the more often applications that make use of SSL/TLS for encrypting communication between browser and website. A typical example is that to make sure the confidentiality and integrity of an online transaction. However, vulnerabilities exist in some SSL/TLS protocols if they were not configured properly. The risks of information security will be increased.

HKCERT analyzed common security problems in using SSL/TLS according to the data collected by the SSL Pulse project from the first publish date of project (April 2012) to 7th May 2015 . It was discovered that more than three quarters of tested websites were rated “Inadequate security” (B or below) in the QUALYS SSL Server Test. Moreover, only a quarter of websites were rated ‘A’ in the aforementioned test. This indicated that there are huge margins for improvement and that the security of SSL/TLS implementation in websites is a huge concern.
 

Instruction: Use the “Check-Remedy-Verify” approach to secure your website’s SSL/TLS deployment.

This guideline is divided into 2 parts. Part 1 of this guideline is “Check”, which introduces how to use free tools to “Check” website’s SSL/TLS protocols and configuration. You will get a security ranking and a test report upon test completion. Then you can pass the testing report to the technical staff to perform the remediation.

Part 2 is “Remedy”, which introduces how to secure SSL/TLS and related suggested configuration. To improve the SSL/TLS security ranking of your website, technical staffs can “Remedy” the vulnerable settings by followi    ng the advices. After that, you can “Verify” the improvement on SSL/TLS security by rerunning the same checking in part 1.
 

For more detail, please go to HKCERT Security Guideline on
/my_url/en/guideline/16030301