
Q1 2011 WP Bestpractice PDF

Best Practices and Applications of TLS/SSL

The most well-known example of the use of public key infrastructure has proven flexible enough to assist in authentication, encryption and data integrity in numerous applications throughout the enterprise.

By Larry Seltzer, Security Analyst and Writer

Executive Summary

Transport Layer Security or TLS, widely known also as Secure Sockets Layer or SSL, is the most popular application of public key cryptography in the world. It is most famous for securing web browser sessions, but it has widespread application to other tasks.

TLS/SSL can be used to provide strong authentication of both parties in a communication session, strong encryption of data in transit between them, and verification of the integrity of that data in transit.

TLS/SSL can be used to secure a broad range of critical business functions such as web browsing, secure server-to-server communications, e-mail client-to-server communications, software updating, database access, virtual private networking and others.

However, when used improperly, TLS can give the illusion of security where the communications have been compromised. It is important to keep certificates up to date and check rigorously for error conditions.

In many, but not all applications of TLS, the integrity of the process is enhanced by using a certificate issued by an outside trusted certificate authority.

This paper will explore how TLS works, best practices for its use, and the various applications in which it can secure business computing.

Table of contents

Executive summary
Introduction
What is TLS/SSL?
- Digital Certificates
- Authentication and Verification
Key Security
- Encryption
- Where TLS Works In the Stack
TLS vs. SSL
Networks Are Insecure By Default
- Authentication
- Privacy and Integrity
- Solutions
Trusted Certificate Authorities
- Trusted Roots
- Self-Signed Certificates
- Authentication Does Not Prove Trust
Extended Validation (EV) SSL
Not Just For Web Browsers
Client Security with TLS/SSL
- Wireless
- SSL VPN
Server-to-Server Security with TLS
Web and Intranet Servers
- Common TLS Mistakes
Hosted Service Security with TLS
Certificate Expiration
Certificate Revocation
Self-Signed Certificates
Certificate Management
Conclusions
Additional Reading

Introduction

As the science of business computing, and of computing security in particular, has advanced, the trend has been to find security weaknesses everywhere. Where complexity and functionality grow, so do the opportunities for abuse of systems by malicious actors.

The solutions to these problems are varied and must be explored individually, but one technology shows up often: TLS or Transport Layer Security, often known by the name of the predecessor technology, SSL or Secure Sockets Layer.

TLS is best-known as the technology which secures web browser sessions for banking and other sensitive tasks, but it can be used for much more. Client-server communication with a variety of server types, in addition to web servers, benefits from use of TLS. Server-to-server communications also need to be secured and can be through TLS. Clients updating applications and other software on their PCs should only do so through a secure connection, which is why such update applications usually use TLS or SSL. This paper will explore these and other applications of TLS which can secure the enterprise in the myriad places in which it can be attacked.

This paper will also discuss trusted certificate authorities (“CAs”) and their role in the public key infrastructure or PKI. Though trusted CAs aren’t always necessary, in many cases they are beneficial and sometimes necessary for the protection to have any effect.

TLS provides 3 basic benefits:
• It provides authentication of the communicating parties, either one-way or in both directions
• It encrypts the communication session “on the wire”
• It ensures the integrity of the data transferred

What is TLS/SSL?

TLS/SSL is a tunneling protocol that works at the transport layer. It provides encryption, authentication and integrity verification of data, and does so by means of digital certificates.

- Digital Certificates

A digital certificate is an electronic document which confirms the identity of an entity – which could be a user, a server, a company, a program on a client, just about anything – and associates that entity with a public key. The digital certificate is the entity’s identification to the public key infrastructure. Each party to a TLS-secured communication can evaluate the contents of the certificate. The most examined field is the Common Name. Each then compares it to what they expect. It is also wise to check the issuer of the certificate. Is the issuer a trusted party? For more on these issuers see Trusted Certificate Authorities.

Users can generate their own digital certificates, called self-signed certificates, with free tools[1]. But such certificates are inherently untrustworthy and the real value of certificates comes when they are issued by a trusted CA. Users can create and run their own CA on your network and sometimes this makes sense, but in many cases it is necessary to use an outside trusted CA which outside parties can also trust. VeriSign Authentication Business Unit, now a part of Symantec, is the largest of these.

[1] The OpenSSL Project - http://openssl.org/. Microsoft’s crypto tools (http://msdn.microsoft.com/en-us/library/aa380259(VS.85).aspx) are included in the Windows SDK (http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx)

- Authentication and Verification

Public key cryptography allows two parties to authenticate each other. Each party has two keys, which are large numeric values. A message exchanged between the parties is run through a hashing algorithm. A hash function takes a block of data and creates a value from it, known as a hash or digest. Make even a small change in the data and the hash changes significantly. At the same time there is no way to recreate the data from the hash.

The sending party to the communications uses their private key to encrypt the hash value. This encrypted value is called a digital signature. The message and signature are sent to the recipient party. The recipient party uses the sender’s public key to decrypt the signature. They generate a hash of the message using the same algorithm as the sender and compare the values.

If the values are the same then two things are certain: the data has not been tampered with and the sender is who they purport to be. This is because the private key corresponding to the public key in the certificate was used to sign the data, and the private key should only be accessible by the sender named in the certificate.

Neither authentication nor integrity verification are mandatory in TLS. You can use it simply so that the bits on the wire are encrypted. But authentication is a core feature, important to most customers.

Key Security

There are some absolute rules which need to be followed in order for the public key infrastructure to work properly.

Private keys must be private: The signer of a message needs to keep their private key absolutely confidential. Anyone who has it can effectively impersonate the sender.

Public keys must be public: Well, not necessarily public, but they have to be accessible to anyone who might have a valid reason to read the message or encrypt a message to the entity named in the certificate.

Hash algorithms must not collide: A collision is when the hash algorithm generates the same digest from two different data blocks. At some point this is inevitable, but the ability to generate collisions intentionally compromises all functions of public key cryptography. This is why new and better hash algorithms have been developed over time and put into public use.

- Encryption

Even when authentication is not used, TLS can use encryption keys and a cipher algorithm to encrypt/decrypt data for communication. The cipher is also used for encrypting the message digest.

There are many different cipher algorithms for different circumstances. See the TLS vs. SSL section below for more on ciphers.

- Where TLS Works In the Stack

TLS/SSL sits between the application and transport layers. In the context of the Internet and most local networking, this means it sits above TCP or Transmission Control Protocol, the protocol which provides reliable, ordered data communications for applications. Applications that would normally work with TCP connections instead work with TLS connections for the purpose of establishing connections.

[Figure: protocol stack, top to bottom: Application; TLS Handshake; TLS Record; TCP (reliable transport); IP; Network Interface; Wires (infrastructure)]

TLS requires a reliable transport, which means TCP. This means that UDP-only applications like DNS, SNMP, and VOIP, present a problem. See SSL VPNs for more on this problem.
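The TLS Record layer described under Where TLS Works In the Stack is visible on the wire: each record is a 5-byte header (content type, version, length) followed by that many bytes, carried on TCP's ordered byte stream. The sketch below is an added example, not code from the paper; the sample bytes are constructed and names such as RecordReader and meets_policy are illustrative. It reassembles records from arbitrarily split TCP chunks, maps the header's 3.x version bytes to protocol names, and applies a minimum-version policy.

```python
import struct
from dataclasses import dataclass

# Version bytes in every record header. TLS kept SSL's numbering, so
# TLS 1.0, 1.1 and 1.2 appear on the wire as 3.1, 3.2 and 3.3.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5                    # type (1) + version (2) + length (2)
MAX_RECORD_LEN = 2**14 + 2048     # largest protected record in RFC 5246


@dataclass(frozen=True)
class Record:
    content_type: str
    version: tuple
    payload: bytes

    @property
    def version_name(self):
        return VERSION_NAMES.get(self.version, "unknown %d.%d" % self.version)


class RecordReader:
    """Rebuilds TLS records from a TCP byte stream that arrives in arbitrary chunks."""

    def __init__(self):
        self._buf = bytearray()

    @property
    def pending(self):
        """Bytes received that do not yet form a complete record."""
        return len(self._buf)

    def feed(self, chunk):
        """Add bytes from the transport and return every record now complete."""
        self._buf += chunk
        complete = []
        while len(self._buf) >= HEADER_LEN:
            ctype, major, minor, length = struct.unpack_from("!BBBH", self._buf)
            if ctype not in CONTENT_TYPES or length > MAX_RECORD_LEN:
                raise ValueError("not a TLS record header: stream out of sync")
            end = HEADER_LEN + length
            if len(self._buf) < end:
                break                 # the rest of this record has not arrived
            complete.append(Record(CONTENT_TYPES[ctype], (major, minor),
                                   bytes(self._buf[HEADER_LEN:end])))
            del self._buf[:end]
        return complete


def client_hello_version(record):
    """Highest version the client offers, or None if not a ClientHello."""
    p = record.payload
    if record.content_type != "handshake" or len(p) < 6 or p[0] != 1:
        return None
    # 1-byte message type, 3-byte length, then the 2-byte client_version.
    return (p[4], p[5])


def meets_policy(version, minimum=(3, 3)):
    """Administrator policy: refuse any version below `minimum` (default TLS 1.2)."""
    return version is not None and version >= minimum


def build_sample_stream():
    """Constructed sample: a ClientHello record, then a fatal alert record."""
    hello = (bytes([3, 3])            # client_version 3.3 = TLS 1.2
             + bytes(32)              # random (all zeros: constructed data)
             + b"\x00"                # empty session id
             + b"\x00\x02\x00\x2f"    # one cipher suite
             + b"\x01\x00")           # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    # The first record often carries 3.1 in its header even when 3.3 is offered.
    return (struct.pack("!BBBH", 22, 3, 1, len(handshake)) + handshake
            + struct.pack("!BBBH", 21, 3, 3, 2) + b"\x02\x28")


def read_all(chunks):
    """Feed chunks in order; return (records, bytes left waiting)."""
    reader = RecordReader()
    records = []
    for chunk in chunks:
        records.extend(reader.feed(chunk))
    return records, reader.pending


if __name__ == "__main__":
    stream = build_sample_stream()
    # Deliver the stream in 7-byte pieces, as TCP is free to do.
    records, pending = read_all(stream[i:i + 7] for i in range(0, len(stream), 7))
    for r in records:
        print(r.content_type, r.version_name, len(r.payload), "bytes")
    print("ClientHello offers", client_hello_version(records[0]),
          "policy ok:", meets_policy(client_hello_version(records[0])))
```

If a chunk never arrives, as can happen on an unreliable transport, the reader keeps waiting for the bytes the header promised and no further record is delivered, which is why the record layer depends on TCP.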


TLS vs. SSL

TLS is the successor technology to SSL, which was developed by Netscape in 1994.[2] The first public release was SSL version 2, and was quickly followed by version 3. The TLS specification was released in 1999 in RFC 2246[3], and is only a minor modification of SSL 3.

Changes have come at a much slower pace since then, with TLS 1.1[4] and 1.2[5] largely concerned with security improvements. TLS is still widely called SSL, especially in product names, even if the term is strictly inaccurate. Don’t be surprised to see the terms used interchangeably. TLS versions are designed to interact with and roll back to earlier protocols such as SSL 3. In fact, in the protocol handshake, TLS 1.0, 1.1 and 1.2 use the version numbers 3.1, 3.2 and 3.3.

One of the main differences you’ll see between SSL and TLS versions is the cryptographic features, including the ciphers, hash algorithms and key exchange mechanisms they support. As time and versions advance, support for weaker features is dropped from the protocol and stronger ones added. Administrators on either end of the communication can set policies requiring or prohibiting particular protocols. It’s reasonable to claim that the flexibility of TLS with respect to new developments in ciphers and other cryptographic features is one of the main reasons for its success.

[2] Mozilla.org SSL 0.2 PROTOCOL SPECIFICATION - http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html. This version was widely known as “version 2.”
[3] RFC2246 - The TLS Protocol Version 1.0 - http://tools.ietf.org/html/rfc2246
[4] RFC4346 - The Transport Layer Security (TLS) Protocol Version 1.1 - http://tools.ietf.org/html/rfc4346
[5] RFC5246 - The Transport Layer Security (TLS) Protocol Version 1.2 - http://tools.ietf.org/html/rfc5246

Networks Are Insecure By Default

All of our important networking protocols were designed before security issues were properly appreciated. A great deal of research has gone into making communications secure, but in most cases it has to be added on. By default, our networks are insecure.

HTTP, SMTP and FTP were all designed to communicate in clear text. All of them can be enhanced to support encryption and often the solution uses TLS. Only with HTTPS, however, which is HTTP over TLS/SSL, is such security ubiquitous.

- Authentication

Authentication in most networks is weak, usually relying on passwords controlled by rules which don’t follow best practices. It’s no surprise that things are this way; following best practices for passwords is difficult and unpleasant: you have to use passwords that are long and difficult to remember and you need to change them frequently.

Even server-to-server connections are often authenticated with passwords which are hard-coded into programs or configuration files.

- Privacy and Integrity

When communications are not secured properly you can’t be certain that the data has not been monitored or tampered with in-transit. Attacks known as “man in the middle” (MITM) attacks, where the attacker sits on the network monitoring communications between one party and another, are not uncommon. Such attacks can, for example, steal usernames and other unsecured data on the connection.

When combined with spoofing techniques, the MITM may even modify the data, such as change destination URLs so that you click on a link which directs you to an attack server.

- Solutions

Many products are now designed better than they were in the past to provide secure configuration out of the box. Microsoft in particular has made significant progress in this regard in recent years. But at the level of network communications and authentication, security is still the responsibility of the network administrator.

In many of these cases TLS can help. It can provide authentication where none exists by default. TLS can provide strong encryption where data would normally flow in clear text. And it can ensure that data was not modified in-transit.

Trusted Certificate Authorities

If you are using TLS purely for communication over your own networks it may be adequate to use an internal certificate authority and set your systems to trust it. However, the hassle and cost of setting up an internal CA often drives businesses to do otherwise. Also, if data is sent over the Internet, where you don’t control all points of transit, the only way all parties can trust the certificate is if it was issued by a trusted third party certificate authority.

- Trusted Roots

Because it’s unwise to rely completely on Internet communications to prove the issuer of a certificate, many software products come with a list of “trusted root certificates.” These certificates are inherently trusted and other certificates signed by those trusted roots are also trusted.

Microsoft Windows includes a list of trusted root certificates which they update periodically through Windows Update and their other updating mechanisms. Many other operating systems have similar lists.

Application software may use the operating system trusted root list or include their own. Some web browsers on Windows use the Windows list, but Firefox uses its own list.

One more characteristic of certificate trust is that root certificate authorities often have affiliate programs. This allows other companies to sell certificates on behalf of the trusted root CAs. In fact the affiliates can have their own affiliates. The “parent” CA signs the affiliate CA’s certificate so software can prove that they are a valid affiliate. The TLS client software “walks” up this hierarchy of CAs, checking the validity of the signatures at each step, until they reach one which is a trusted root. This establishes the trust of the whole hierarchy.

- Self-Signed Certificates

Digital certificates need not be signed by a trusted CA. Such certificates, when generated by tools separately, are called self-signed certificates. Such certificates can be used to provide encryption of data, but no authentication. See the section on self-signed certificates for more on this subject.

- Authentication Does Not Prove Trust

There are many unfortunate cases of users and organizations being attacked successfully for trusting a communication simply because it was signed. But a signature, even one issued by a certificate authority, is not proof that the party is trustworthy.

Authentication gives you definitive information as to the identity of the other party which you can use to make an informed trust decision. You can look at the identifying fields in the certificate, such as the Common Name, to see if it matches the entity you expected. You can also look at the Issuer field, which identifies the certificate authority which issued the certificate, and make decisions as to its trustworthiness. As we will see below, different certificates have different amounts of information on them about the identified entity and about the issuer.

Extended Validation (EV) SSL

The workings of digital certificates themselves have been well-established for many years, but the rules for their issuance by trusted CAs have not. The standards of many CAs for issuing certificates reached such a point several years ago that many CAs and vendors of TLS software formed the CA/Browser Forum (www.cabforum.org) to establish standards. The resulting standard is EV SSL, where EV stands for Extended Validation.

Users generally know EV SSL as the thing that turns their web browser bar green. More fundamentally it is a new class of TLS certificate issued when the applicant meets certain strict standards for proving its identity established by the CA/Browser Forum. There are also differences in the way browsers behave when interacting with EV SSL certificates, particularly the green browser bar indicator and a clear display of the organization name.

The rules for the entities are rather strict: they must be a legally-recognized entity, either incorporated or a governmental body or some registered non-profit. You cannot get a personal EV SSL certificate. The CA has to verify the legal existence as well as the physical existence and operational existence of the applying entity. The CA must confirm that the entity has the right to use the domain and that the person applying is authorized to do so.[6]

The end result of these standards is that it would be extremely difficult, and likely expensive, to obtain a false EV SSL certificate. As a result of all the work needed to meet the standards, EV SSL certificates are much more expensive than conventional TLS certificates.

[6] CA/Browser Forum EV SSL Certificate Guidelines - http://www.cabforum.org/documents.html

Not Just For Web Browsers

TLS and SSL are best-known for securing web browser communications, but they are by no means limited to HTTP. Many other applications and protocols use TLS for security, generally as an option. Some examples follow:

• FTPS – A secure version of the ubiquitous file transfer protocol secured with TLS. Conventional FTP transmissions are in clear text. FTPS has been an official RFC since 2005[7] and an unofficial one for 10 years before that. It has widespread support in FTP software. (Not to be confused with SFTP, which is FTP through an SSH session, or many other less-standardized approaches.)

• Outlook to Exchange – Outlook to Exchange over RPC over TLS is becoming popular as a secure external access method, but there are reasons to use it internally as well. In this case you replace the default self-signed certificate in the Exchange server with a real TLS certificate from a trusted certificate authority. This is standard operating procedure now with Exchange hosting services.

• Windows Update – Before Windows Vista, Windows Update was simply a web site in Internet Explorer which used HTTPS. In more recent versions of Windows it is a custom app secured by TLS. Many other online software update programs, such as the getPlus program used by Adobe, use TLS connections for security.

[7] RFC 4217 - http://tools.ietf.org/html/rfc4217

Client Security with TLS/SSL

Client side certificates can be used with TLS to prove the identity of the client to the server, and vice-versa. This is called “two-way TLS” and requires the client and server both provide certificates to each other.

There are standards-based systems for administering TLS in this role. Active Directory in Windows manages them[8] and uses certificates stored either in the client or using smart cards or other strong authentication devices.[9] OpenLDAP is an open source directory service which accomplishes much the same.[10]

In spite of the greatly improved security from using strong authentication mechanisms like TLS certificates, it has not been a typical configuration. In exchange for the security you get a fair amount of complexity and administrative work, plus clients can only log in when they have their client certificate. But recent versions of Windows Server have made it much easier to have certificate and other credential data independent of the user profile, allowing users to move to different computers and still authenticate. Still, this is a higher-cost setup than the use of passwords and most organizations would consider it only for high-value or vulnerable connections.

[8] Active Directory Certificate Services - http://technet.microsoft.com/en-us/windowsserver/dd448615.aspx
[9] Smart card and other certificate authentication - http://technet.microsoft.com/en-us/library/cc758410(WS.10).aspx
[10] OpenLDAP, Using TLS - http://www.openldap.org/doc/admin24/tls.html
The LDAP protocol itself is unencrypted by default. Under LDAP version 2 it was common to use a non-standard setup called “LDAPS” which tunneled LDAP through a TLS tunnel on port 636.[11] LDAP version 3 added a standard extension for TLS.[12]

[11] Microsoft Knowledge Base, How to enable LDAP over SSL with a third-party certification authority - http://support.microsoft.com/kb/321051
[12] RFC 2830, Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security - http://tools.ietf.org/html/rfc2830

- Wireless

A secure wireless network requires stronger authentication than the shared secret password used on your home router. Through the WPA and WPA2 security standards, all wireless networks support Extensible Authentication Protocol (EAP), a framework for authentication methods for access to the network. Dozens of such methods have been implemented.[13]

The main point of EAP in a wireless access point or router is to allow it to hook into an enterprise authentication system such as your LAN or WAN. In this scenario, you should demand the highest level of authentication on the access point itself and very high levels from clients connecting to it. TLS is a good choice.

EAP-TLS[14] is one of the methods widely, if not universally, supported in the wireless industry and one of the strongest, if carefully implemented. It uses normal PKI methods to secure connections to a RADIUS server. EAP-TLS is supported out of the box in all major operating systems, including the open source ones.

The main difficulty with EAP-TLS is that clients need to have individual certificates, and they need careful management. In this sense it is the same as client certificates on the LAN: a straight trade-off of security for ease of administration.

Several other EAP methods use TLS in different ways, generally in order to avoid the need for client-side certificates and the administrative burden. They necessarily trade off security for this ease of administration, as credentials can be lost relatively easily and their loss may be difficult to detect.

[13] Wikipedia, Extensible Authentication Protocol - http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
[14] The EAP-TLS Authentication Protocol - http://tools.ietf.org/html/rfc5216

- SSL VPN

Virtual private networking is a must for secure communications over the Internet. There are two popular methods: IPSec and SSL VPN.

IPSec[15] is an end-to-end protocol for authenticating each packet in a TCP/IP network. It operates at the Internet layer of the network, i.e. below the transport layer. This is significant for its application.

SSL VPNs create a tunnel above the transport layer. All application network communications go through the tunnel.

IPSec is a widely-implemented and deployed Internet standard. SSL VPN is not a standard as such, but widely implemented and deployed.

Because IPSec operates at one of the lower levels of the Internet protocol stack, it can transport almost anything you need and with minimal overhead. SSL VPNs operate above the transport layer and require a reliable transport; this means that applications which use UDP for transport cannot be supported in a straightforward way through an SSL VPN. Either they have to run outside the tunnel or the UDP packets have to be re-encapsulated in TCP before transport.

Whether encapsulation of UDP is a problem for the application depends on a number of factors: The quality of the SSL implementation, the speed of the connection and – perhaps most importantly – the tolerance of the application for “lossy” transport.

Applications which use UDP do so for performance reasons, but need to expect some level of packet loss, if only because UDP doesn’t guarantee delivery. The most important UDP application is probably VOIP, and some implementations tolerate encapsulation fairly well. Other real-time UDP applications, such as streaming video and some multi-player games don’t fare as well. Some VPN/firewall products support both TLS and IPSec for users who need both.[16]

So why not just use IPSec for all VPNs? Because they are comparatively difficult to administer and use. When you’re setting up individual users or small groups remotely, an SSL VPN will be much easier to support, especially if the application needs are simple. Site-to-site VPNs, where whole networks are connected over the Internet, need the power and flexibility of IPSec.

Many application-focused remote access methods are TLS-based, and some are SSL VPNs repackaged as remote access for the product. The Citrix Secure Gateway is such a product.[17]

[15] An Illustrated Guide to IPsec - http://www.unixwiz.net/techtips/iguide-ipsec.html
[16] Thanks to Gary Tomlinson and John Gmuender of Sonicwall (www.sonicwall.com) for their help in understanding the problem of UDP on SSL VPNs.
[17] http://www.citrix.com/English/ps2/products/product.asp?contentID=15005

Server-to-Server Security with TLS

Many server-to-server connections offer TLS as an option and it’s an excellent one, especially when the connection is run over the public Internet. A full VPN in such cases is inadvisable, as the application needs are narrow and certificates can be used to provide strong authentication of the servers to each other.

Connections such as these are almost always high-value. Consider web servers talking to database servers or mail servers synchronizing with each other. The data in the connection is a treasure trove for an attacker. Products such as Microsoft’s Exchange Server and Oracle Application Server support TLS with certificates out of the box.

When interacting across the Internet, certificates from a trusted certificate authority are highly recommended. Each party should make as few assumptions about the security of the other as possible.

Beyond that, there are good reasons in such cases for using EV SSL certificates. Research has shown that weaknesses in the certificate authority validation procedures for many conventional SSL certificates leave them vulnerable to man-in-the-middle attacks.[18]

Briefly, the problem comes with the very inexpensive domain-validated certificates. These certificates validate a domain name, not an organization, and the domain name is the only identifying data in the certificate.

Part of the reason they are so inexpensive is that the application and validation procedures are completely automated in many cases. A confirmation request is sent in e-mail to the administrative contact for the domain. Whoever controls that e-mail account can authorize the certificate. Combined with software vulnerabilities in some TLS software, this process can be abused to allow spoofing of a domain certificate and perhaps a man-in-the-middle attack.

The advantage of EV SSL in this case is that the EV SSL specification guarantees that an organization name and other data will be in the certificate and will be verified by the CA. For a high-value connection it’s worth having this assurance. EV SSL support in such cases may require custom programming.

[18] Spoofing Server-Server Communication: How You Can Prevent It - http://www.verisign.com/ssl/ssl-information-center/ssl-resources/whitepaper-ev-prevent-spoofing.pdf

Web and Intranet Servers

Perhaps it’s too obvious to point out, but TLS can be used to secure a browser-web server connection. It is worth thinking about the extent of your TLS usage for both internal and external sites.

HTTP is a profoundly insecure protocol without TLS. It is plain-text, easily sniffable, and easily manipulated. Even on an internal network you should use TLS/HTTPS for all sufficiently valuable business connections.

If performance were not a consideration it would be worth using TLS on all internal web connections, but the performance impact can be an issue.
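For the server-to-server connections discussed under Server-to-Server Security with TLS, the checks the paper recommends (the name in the certificate, its issuer, the organization name that EV certificates guarantee, and the validity dates) can be enforced in code once the handshake completes. This is an added example, not code from the paper: it works on the dictionary format returned by Python's ssl.SSLSocket.getpeercert(), and the sample certificates, host names and finding codes are constructed for illustration.

```python
import ssl
import time

parse_time = ssl.cert_time_to_seconds   # "Jan 15 00:00:00 2025 GMT" -> epoch seconds


def _values(name_seq, field):
    """All values of `field` in a getpeercert()-style subject or issuer."""
    return [v for rdn in name_seq for (k, v) in rdn if k == field]


def evaluate_peer(cert, expected_host, trusted_issuer_orgs,
                  expected_org=None, now=None, warn_days=30):
    """Apply local policy to a certificate the TLS library has already
    chain-validated (fields of an unvalidated certificate prove nothing).
    Returns (problems, warnings) as lists of short codes."""
    problems, warnings = [], []
    now = time.time() if now is None else now
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())

    # Identity: exact match on the Common Name or a DNS subjectAltName.
    names = _values(subject, "commonName")
    names += [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if expected_host not in names:
        problems.append("name-mismatch")

    # Issuer: must be a CA this connection is prepared to rely on.
    if not set(_values(issuer, "organizationName")) & set(trusted_issuer_orgs):
        problems.append("issuer-untrusted")
    if subject and subject == issuer:
        problems.append("self-signed")

    # Organization: present and verified in EV certificates, absent from
    # domain-validated ones, where the domain name is the only identity.
    if expected_org is not None and \
            expected_org not in _values(subject, "organizationName"):
        problems.append("org-missing")

    # Validity window, with advance warning before expiry.
    if now < parse_time(cert["notBefore"]):
        problems.append("not-yet-valid")
    seconds_left = parse_time(cert["notAfter"]) - now
    if seconds_left < 0:
        problems.append("expired")
    elif seconds_left < warn_days * 86400:
        warnings.append("expires-soon:%dd" % (seconds_left // 86400))
    return problems, warnings


# Constructed sample certificates in getpeercert() format.
_ISSUER = ((("organizationName", "Example Trust CA"),),
           (("commonName", "Example Trust EV CA"),))
_DATES = {"notBefore": "Jan 15 00:00:00 2024 GMT",
          "notAfter": "Jan 15 00:00:00 2025 GMT"}
SAMPLE_EV = dict(_DATES, issuer=_ISSUER, subject=(
    (("organizationName", "Example Corp"),),
    (("commonName", "db.example.com"),)))
SAMPLE_DV = dict(_DATES, issuer=_ISSUER,
                 subject=((("commonName", "db.example.com"),),))
SAMPLE_SELF_SIGNED = dict(SAMPLE_EV, issuer=SAMPLE_EV["subject"])

if __name__ == "__main__":
    when = parse_time("Jan 01 00:00:00 2025 GMT")
    for label, cert in [("EV", SAMPLE_EV), ("DV", SAMPLE_DV),
                        ("self-signed", SAMPLE_SELF_SIGNED)]:
        print(label, evaluate_peer(cert, "db.example.com", {"Example Trust CA"},
                                   expected_org="Example Corp", now=when))
```

The function is a policy layer on top of the library's own chain and signature validation, not a replacement for it.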
- Common TLS Mistakes

Don’t make the mistake of assuming that a TLS implementation secures your web site and that’s it. There are many common site design mistakes which defeat the security of TLS.

Keep sensitive data out of URLs – When you use HTTP GET methods with parameters that have critical data in them you expose that data to the whole world. Envision a URL like this one:

https://personnel/employees/lookup.asp?last=Smith&ssn=123-45-6789

There are many reasons why this is a bad idea. But first, the TLS connection will encrypt the URL, so at least users sniffing the network won’t see the URL and the parameters. On the other hand, the URL will be stored in the web server log, in the client browser history, and in referrer headers. This last point means that if there is a link, particularly a non-TLS link, out of the page linked to just above, the full URL will be included in the headers sent to that server.

Use “Secure” Cookie Flag - The “secure” flag will tell the server to send cookies only over a TLS connection. There are numerous attacks to hijack cookies, and cookies often contain the most sensitive of data. Cookies can be stolen through simple packet sniffing, session hijacking, cross-site scripting, or cross-site request forgery. It’s still not uncommon to find significant web sites that use insecure cookies in HTTPS sessions.

Do Not Mix TLS/SSL and Non-TLS/SSL Content - Just because your page has an HTTPS link doesn’t mean all the content will. If there’s a frame or an image or some other element that is called with an HTTP link, it will not be TLS-protected. Most browsers won’t warn users about the inconsistency.

Do Not Perform Redirects from Non-TLS/SSL Page to TLS/SSL Login Page - Even today there are major banks which use http on their login pages and redirect to https from there. This is an invitation for phishing pages and other sorts of abuse. Unfortunately, users usually get to https pages from http pages, but the better way would be from a browser bookmark known to be secure or to enter the URL manually.

Hosted Service Security with TLS

Outsourced services through the web are increasingly popular for good reason. Web-based services can work at least as well and save on staff, infrastructure and capital costs. Any respectable service offered in this way will use a protected connection, probably TLS.

A common reason why companies move to outsourced servers, mostly Microsoft Exchange, is to get easier support for mobile devices like Blackberries. It’s important, if this is one of your needs, to buy TLS certificates that are natively supported by ActiveSync or whatever service you will be using for your devices. Hosting services report that getting TLS connections working properly is typically the biggest ramp-up problem they have.

Certificate Expiration

Digital Certificates come with an expiration date, and for good reason. By issuing a certificate the CA is vouching for the applicant, and it’s possible for such information to get “stale”. Even with internal certificates there’s reason to have and check expiration dates. In fact it’s more reasonable for internal certificates to have short expiration dates, since it’s easier to distribute them, and the issuing authority in IT is probably the same group who administer the certificates in the user directory.

Some argue that expired certificates are just as trustworthy, or almost as trustworthy, as a “live” one. But an expired certificate is, at the very least, a sign of administrators who don’t pay close attention to their servers.

Certificate Revocation

Revocation is an essential feature of the public key infrastructure, one which can’t be taken too seriously.

For a number of reasons a certificate authority may revoke the certificate of a customer. It could be for violating the terms of service, for instance by serving malware from the site, or it could be because the customer informed the CA that the private key had been compromised.

When a certificate is revoked you have to assume that the holder is not trustworthy; it’s a lot worse than a site not having a certificate at all.


How do you check? You don’t usually check it yourself. Your TLS software (usually a browser) does it by one of two methods: CRL, which stands for certificate revocation lists, is the old method. The certificate itself may contain the address of a revocation list for the CA, and this list is basically a list of certificate serial numbers. If the certificate you are checking is in the list then it’s revoked. Don’t trust it. Users browsing the site (in Internet Explorer) will see a message like this:

CRLs are simple, but there’s a problem with them: over time they can get big, especially for a large CA. They can be cached, but then the CRL check may be out of date. So a protocol named OCSP (online certificate status protocol) was developed to let programs check certificates one at a time. OCSP is the preferred method now.

Not all CAs support OCSP. As with CRL, the certificate will contain a field with the address of the OCSP server if the CA supports OCSP.

Self-Signed Certificates

It’s not uncommon to find self-signed certificates both on the Internet and internally in corporations. These are certificates which have not been issued by a certificate authority, either internal or external, but generated statically by any of a number of available free tools.

Anyone can make them and their expiration date may be set decades in the future, so they may seem like a good deal. But, as with most things, you get what you pay for with digital certificates. Self-signed certificates don’t prove a lot about the site they’re protecting.

A self-signed certificate will allow software to encrypt data and ensure its integrity in transit, but it provides no authentication. You can’t make any assumptions about the other party.

Note that self-signed certificates are not the same as creating an internal certificate authority. A company can create their own CA, put the name/address of that CA in the browser or system’s list of trusted root CAs and then it becomes as trusted as any from a real CA company. Self-signed certificates are not vouched for by anyone.

The vendors of all the major web browsers know that self-signed certificates are trouble and they issue dire-looking warnings when one is encountered.

Certificate Management

Managing large numbers of certificates in different roles can be a difficult task, and if it’s not done in an organized fashion it’s an invitation to trouble.

Without a system for certificate management you are likely to find individuals tracking certificates on their own using a spreadsheet or text file. This is how companies get surprised by expiring certificates, and if the employee managing the certificates leaves, the records could end up lost.

Good certificate authorities have online management tools for their certificates, such as VeriSign Managed PKI for SSL. There are also third party management packages which track both externally-granted certificates and those from internal CAs.
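The checks discussed under Certificate Expiration, Certificate Revocation, Self-Signed Certificates and Certificate Management can be run from one inventory instead of a spreadsheet. The following is an added example, not part of the original paper: the records are constructed in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the host names, issuer names, dates and 30-day warning window are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed records shaped like getpeercert() output; all values are made up.
INVENTORY = {
    "www.example.test": {
        "subject": ((("commonName", "www.example.test"),),),
        "issuer": ((("commonName", "Example Issuing CA"),),),
        "notAfter": "Mar 15 12:00:00 2011 GMT",
        "OCSP": ("http://ocsp.example.test",),
    },
    "mail.example.test": {
        "subject": ((("commonName", "mail.example.test"),),),
        "issuer": ((("commonName", "Example Issuing CA"),),),
        "notAfter": "Dec 31 23:59:59 2010 GMT",
        "crlDistributionPoints": ("http://crl.example.test/ca.crl",),
    },
    "wiki.internal.test": {
        "subject": ((("commonName", "wiki.internal.test"),),),
        "issuer": ((("commonName", "wiki.internal.test"),),),
        "notAfter": "Jan  1 00:00:00 2031 GMT",
    },
}

def audit(cert, now, warn_days=30):
    """Return the findings for one certificate record."""
    findings = []
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days")
    # Subject equal to issuer is treated here as self-signed: no CA vouches for it.
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed")
    # The certificate carries the CRL and OCSP addresses only if the CA supports them.
    if not cert.get("OCSP") and not cert.get("crlDistributionPoints"):
        findings.append("no revocation endpoint")
    elif not cert.get("OCSP"):
        findings.append("CRL only, no OCSP")
    return findings

def audit_inventory(inventory, now):
    return {host: audit(cert, now) for host, cert in inventory.items()}

if __name__ == "__main__":
    today = datetime(2011, 3, 1, tzinfo=timezone.utc)
    for host, findings in audit_inventory(INVENTORY, today).items():
        print(host, "->", ", ".join(findings) or "ok")
```

Against live servers, the same `audit` function can be fed the dict from `getpeercert()` on a verified connection.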

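Three of the web-site practices listed earlier in this paper (sensitive data in URLs, the “Secure” cookie flag, and mixing TLS and non-TLS content) can be checked mechanically on a captured response. The following is an added example, not part of the original paper: the parameter names in `SENSITIVE`, the cookie values, the HTML and the `example.test` host are constructed, and the URL is the one quoted in the paper.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SENSITIVE = {"ssn", "password", "account"}  # assumed parameter names

class RefCollector(HTMLParser):
    """Collect URLs the browser fetches or posts to for this page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (name == "src" or (tag, name) in
                          {("link", "href"), ("form", "action")}):
                self.urls.append(value)

def audit_response(page_url, set_cookie_headers, html):
    """Return findings for one response, given its URL, cookies and body."""
    findings = []
    url = urlsplit(page_url)
    leaked = sorted(SENSITIVE & set(parse_qs(url.query)))
    if leaked:  # ends up in server logs, browser history and referrer headers
        findings.append("sensitive data in URL: " + ",".join(leaked))
    if url.scheme != "https":
        return findings
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        flags = {part.strip().lower() for part in rest.split(";")[1:]}
        if "secure" not in flags:
            findings.append("cookie without Secure flag: " + name.strip())
    collector = RefCollector()
    collector.feed(html)
    for ref in collector.urls:
        if urlsplit(ref).scheme == "http":  # relative and https refs are fine
            findings.append("non-TLS content on TLS page: " + ref)
    return findings

# Constructed sample response; the URL is the one quoted in the paper.
PAGE_URL = "https://personnel/employees/lookup.asp?last=Smith&ssn=123-45-6789"
COOKIES = ["SESSIONID=abc123; Path=/; HttpOnly", "prefs=compact; Path=/; Secure"]
HTML = ('<img src="http://static.example.test/logo.png">'
        '<script src="/js/app.js"></script>'
        '<iframe src="https://personnel/help"></iframe>')

if __name__ == "__main__":
    for finding in audit_response(PAGE_URL, COOKIES, HTML):
        print(finding)
```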

Conclusions

TLS, widely known as SSL, is the standard for secure application network communications both within the enterprise and across the Internet. TLS can help secure your applications by strengthening authentication, encrypting data communications, and ensuring integrity of data in transit.

TLS is a flexible technology that adapts well to numerous situations from web server access to server-server communications to virtual private networking. Industry has picked up on this and implemented it widely. It’s not always plug and play, but it’s ubiquitous enough that expertise is fairly common.

Finally, in many cases the capabilities of TLS are enhanced by certificates from a trusted certificate authority and in some, a trusted CA is necessary for TLS/SSL to make sense.

Additional Reading

Oppliger, Rolf. SSL and TLS: Theory and Practice (Information Security and Privacy) (2009). Artech House Publishers, ISBN 1596934476

Rescorla, Eric. SSL and TLS: Designing and Building Secure Systems (2000). Addison-Wesley Professional. ISBN 0201615983

VeriSign SSL Resources - http://www.verisign.com/ssl/ssl-information-center/ssl-resources/index.html

Mozilla Developer Center - Introduction to Public-Key Cryptography - https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography

The IETF TLS Working Group - http://datatracker.ietf.org/wg/tls/charter/

Microsoft - How to Set Up SSL on IIS7 - http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/

Microsoft - SSL Capacity Planning - http://technet.microsoft.com/en-us/library/cc302551.aspx

TLS and SSL – What’s the Difference? - http://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners.
