Ask HN: SSL certificates
There has, over the last year or so, been quite a number of interesting crypto-related news coverage related to not inconsequential vulnerabilities and issues. In briefest terms, I'd like to get an idea of what the current best practices/recommendations are regarding deploying applications/services that will operate over HTTPS. For starters--though I'd love to hear beyond where applicable--if someone is launching a new product wanting to be as up-to-date on best security practices in this regard, a few questions:
1. What is the current recommendation for SSL certificates regarding strength, cipher types, etc.? Do wildcard certs have special needs worth being mindful of that non-wildcard certs do not?
2. Any recommendations on reputable, reliable, and trustworthy vendors for securing a new SSL certificate that meets current best-practice expectations?
3. Aside from ensuring a server is up-to-date with all security-related releases/patches, what else should one be mindful of in setting up and deploying a product/service that needs to be secure?
Thanks in advance to all.
17 comments
[ 1.8 ms ] story [ 30.6 ms ] threadFrom my experience using SSL Lab's web-based test[1] on all of them, the issue is less with the cert vendor and more with the server configuration. All the vendors I have used recently will use a 2048 bit RSA key which will grade as A just fine on SSL Labs. But it's pretty easy to get lower grades by not having an up-to-date server which restricts broken ciphers like TLS 1.0 and SSL. Or by having broken certificate chains.
My favorite vendor is DNSimple because of their extremely easy process for generation, but they are just reselling Comodo certificates.
1. https://www.ssllabs.com/ssltest/
2) For lowest cost and no bullshit, I'd go with CertSimple (https://certsimple.com), or DigiCert (https://digicert.com).
3) As mentioned below, SSLLabs will point out if any of your config is risky. Besides that, you might want to add a 301 URL redirect to your web server to force people to only use SSL and avoid the fatal mistake of someone forgetting to type http_s_.
Have fun!
Is there a best practice to prevent users making this first incorrect request in the first place?
Also cookies also have a 'secure' flag.
Is there any advantage of this over doing it at a DNS level?