Corporate Website Encryption Best Practices


How can strong encryption be used successfully in our web server environment?

Web servers rely on strong encryption to protect data sent between users and the web server. In the absence of strong encryption, such communications are vulnerable to eavesdropping and modification. This threat could potentially compromise the confidentiality and integrity of financial transactions or other sensitive data exchanged with end users.

There are two steps to ensure that strong encryption is used to protect web communications. One requires the use of a secure cryptographic protocol and the other requires the selected protocol to use strong encryption algorithms. The cryptographic protocol describes how the web user and the server establish communications and exchange encryption keys while the encryption algorithm specifies the mathematical operations used to encrypt and decrypt data.

There are two main cryptographic protocols used on the Web today: Secure Sockets Layer (SSL) and Transport Layer Security (TLS). TLS is the successor to SSL and is generally more secure, so it is preferred over SSL. However, many older web browsers do not support TLS, so web servers used by the general public must also support the older SSL protocol. When configuring the protocols a web server accepts, an organization should support both TLS and SSL version 3. Earlier versions of SSL have critical vulnerabilities and should not be used.

To enable SSLv3 and TLS on a Microsoft IIS web server, see this Microsoft Knowledge Base article. For Apache servers, include the following directive in your httpd.conf file:

SSLProtocol -ALL +SSLv3 +TLSv1

SSL and TLS support a number of encryption algorithms, so it is also important to configure the server to use only the algorithms that the cryptographic community considers secure. For Microsoft IIS setup instructions, see this Microsoft Knowledge Base article. On Apache servers, use this configuration directive:

SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

With both of these checks in place, you can ensure that web server encryption is protecting your web infrastructure.
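Both checks can be applied mechanically to a configuration file before it is deployed. The script below is an added example written for this page; it is not code from the original article, from Apache or from Microsoft. It parses the SSLProtocol and SSLCipherSuite directives out of httpd.conf text, evaluates them with a simplified model of mod_ssl and OpenSSL cipher-list semantics (an assumption, noted in the comments), flags SSLv2 and weak cipher keywords, and also warns when a weak cipher class is only demoted with `-` rather than excluded with `!`, since a `-` deletion can be undone by a later element of the list. Both sample configurations are constructed for the example. The forbidden-protocol set follows the article's 2011 position of allowing SSLv3; a reader applying the script today should add SSLv3 and TLSv1 to that set, as both have since been deprecated (RFC 7568 and RFC 8996).

```python
"""Audit Apache SSLProtocol / SSLCipherSuite directives for weak settings.

Added example, not part of the original article. Both the parsing model and
the sample configurations below are assumptions constructed for illustration.
"""
import re

# Protocol versions understood by mod_ssl's SSLProtocol directive.
PROTOCOL_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_CANON = {p.lower(): p for p in PROTOCOL_VERSIONS}
# The article: earlier SSL versions have critical vulnerabilities and stay off.
# (Current practice would add SSLv3 and TLSv1 here; see RFC 7568 / RFC 8996.)
FORBIDDEN_PROTOCOLS = {"SSLv2"}
# OpenSSL cipher-list keywords that the article's directive excludes or demotes.
WEAK_CIPHER_KEYWORDS = {"EXP", "EXPORT", "NULL", "eNULL", "aNULL", "LOW"}


def parse_ssl_directives(conf_text):
    """Collect SSLProtocol and SSLCipherSuite values from httpd.conf text.

    Directive names are case-insensitive in Apache and '#' starts a comment.
    If a directive repeats, the last occurrence wins (assumption: only a
    single server/vhost context is being audited).
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(sslprotocol|sslciphersuite)\s+(.+)$", line, re.IGNORECASE)
        if m:
            key = "SSLProtocol" if m.group(1).lower() == "sslprotocol" else "SSLCipherSuite"
            found[key] = m.group(2).strip().strip('"')
    return found


def enabled_protocols(value):
    """Evaluate an SSLProtocol value into the set of enabled versions.

    Simplified model of mod_ssl: tokens apply left to right; '+NAME' or bare
    'NAME' enables, '-NAME' (or '!NAME') disables, and 'ALL' stands for every
    version this script knows. The real expansion of 'ALL' depends on the
    Apache/OpenSSL build, so treating it as "everything" is the conservative,
    assumed reading for an audit.
    """
    enabled = set()
    for token in value.split():
        op = token[0] if token[0] in "+-!" else "+"
        name = token.lstrip("+-!")
        if name.upper() == "ALL":
            names = set(PROTOCOL_VERSIONS)
        else:
            names = {_CANON.get(name.lower(), name)}
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def cipher_findings(value):
    """Check an SSLCipherSuite (OpenSSL cipher-list) string for weak keywords.

    A weak keyword with no prefix or with '+' is enabled: FAIL. One removed
    with '-' is only deleted from the current list and may be re-added by a
    later element, so it is reported as WARN. '!' removes it permanently.
    """
    findings = []
    for element in value.split(":"):
        if not element:
            continue
        op = element[0] if element[0] in "+-!" else ""
        # One element may AND several keywords with '+', e.g. 'RSA+HIGH'.
        for keyword in element.lstrip("+-!").split("+"):
            if keyword not in WEAK_CIPHER_KEYWORDS or op == "!":
                continue
            if op == "-":
                findings.append(("WARN", f"{keyword} demoted with '-' only; use '!{keyword}'"))
            else:
                findings.append(("FAIL", f"weak cipher keyword enabled: {element}"))
    return findings


def audit(conf_text):
    """Run the article's two checks and return a report dict."""
    directives = parse_ssl_directives(conf_text)
    findings, protocols = [], set()
    if "SSLProtocol" not in directives:
        findings.append(("FAIL", "SSLProtocol not set; server default applies"))
    else:
        protocols = enabled_protocols(directives["SSLProtocol"])
        for bad in sorted(protocols & FORBIDDEN_PROTOCOLS):
            findings.append(("FAIL", f"insecure protocol enabled: {bad}"))
        if not protocols:
            findings.append(("FAIL", "SSLProtocol enables no protocol at all"))
    if "SSLCipherSuite" not in directives:
        findings.append(("FAIL", "SSLCipherSuite not set; server default applies"))
    else:
        findings.extend(cipher_findings(directives["SSLCipherSuite"]))
    return {"protocols": protocols, "findings": findings,
            "passed": not any(level == "FAIL" for level, _ in findings)}


# Constructed sample: the two directives the article recommends.
ARTICLE_CONF = """
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
"""

# Constructed sample of the kind of configuration the article warns against.
WEAK_CONF = """
SSLEngine on
# 'ALL' may include SSLv2 on older builds; LOW and EXP ciphers are enabled.
SSLProtocol ALL
SSLCipherSuite ALL:LOW:EXP
"""

if __name__ == "__main__":
    for name, conf in (("article", ARTICLE_CONF), ("weak", WEAK_CONF)):
        report = audit(conf)
        print(f"{name}: passed={report['passed']} protocols={sorted(report['protocols'])}")
        for level, message in report["findings"]:
            print(f"  {level}: {message}")
```

Run against the article's own directives the audit passes with a single WARN about `-LOW`; the constructed weak configuration fails on SSLv2 and on the LOW and EXP cipher keywords. The WARN is the caveat worth keeping in mind when copying the article's cipher string: `!LOW` excludes the class unconditionally, whereas `-LOW` only removes it from the list built so far.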

This was last published in December 2011

