Why do I need to harden my SSL/TLS configuration?

Default SSL/TLS configurations in most servers are not secure enough. By default, most servers still support outdated and vulnerable protocol versions. This could lead to attacks against such servers. Therefore, you need to manually configure your every server, not rely on defaults. Learn more about TLS and SSL .

How do I harden my TLS configuration?

To harden your SSL/TLS configuration, you must do two things. First of all, you must turn off support for the old and vulnerable SSL protocol completely as well as for old and vulnerable versions of the newer TLS protocol. Second of all, you must turn off insecure cipher suites and establish a priority of cipher suites based on their security. Read about potential attacks against SSL/TLS .

Which SSL/TLS versions should I support?

You should not support the SSL protocol at all. You should also not support TLS 1.0 or TLS 1.1. Therefore, your configuration should only support TLS 1.2 and up. Some server versions may not support TLS 1.3 yet, therefore TLS 1.2 must be the cornerstone of your configuration. This protocol version is supported by all current browser versions and quite a few outdated versions, therefore, you should not run across compatibility problems. Find out more about the history of SSL and TLS .

What is the best cipher suite?

A cipher suite consists of a key exchange algorithm, an authentication algorithm, a bulk encryption algorithm, and a message authentication algorithm. Currently, the most secure and most recommended combination of these four is: Elliptic Curve Diffie–Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), AES 256 in Galois Counter Mode (AES256-GCM), and SHA384. See the full list of ciphers supported by OpenSSL .

Author Archives Ian Muscat

THE AUTHOR

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.

Recommendations for TLS/SSL Cipher Hardening

Web Security Zone | April 10, 2019 by Ian Muscat

Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are widely used protocols. They were designed to secure the transfer of data between the client and the server through authentication, encryption, and integrity protection. Note: At the time of writing of this article,…

How to Prevent SQL Injection Vulnerabilities in PHP Applications

Web Security Zone | March 27, 2019 by Ian Muscat

SQL Injection (SQLi) is a type of injection attack. An attacker can use it to make a web application process and execute injected SQL statements as part of an existing SQL query. This article assumes that you have a basic understanding of SQL Injection attacks…

Out-of-band XML External Entity (OOB-XXE)

Web Security Zone | March 25, 2019 by Ian Muscat

As with many types of attacks, you can divide XML External Entity attacks (XXE attacks) into two types: in-band and out-of-band. In-band XXE attacks are more common and let the attacker receive an immediate response to the XXE payload. In the case of out-of-band XXE…

What Are XML External Entity (XXE) Attacks

Articles | March 24, 2019 by Ian Muscat

An XML External Entity (XXE) attack (sometimes called an XXE injection attack) is a type of attack that abuses a widely available but rarely used feature of XML parsers. Using XXE, an attacker is able to cause Denial of Service (DoS) as well as access…

What is Local File Inclusion (LFI)?

Web Security Zone | March 11, 2019 by Ian Muscat

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses…

DAST vs SAST: A Case for Dynamic Application Security Testing

Web Security Zone | March 6, 2019 by Ian Muscat

Dynamic Application Security Testing (DAST) is a black-box security testing methodology in which an application is tested from the outside. A tester using DAST examines an application when it is running and tries to hack it just like an attacker would. On the other end…

Cross-site Flashing (XSF) WordPress Vulnerability, Unpatched and Exploitable

Web Security Zone | October 24, 2017 by Ian Muscat

WordPress, the content management system powering north of 28% of websites on the Internet, is certainly no stranger to providing timely security patches to its hundreds of millions of users when security researchers report them. This time however, things took a slightly different turn —…

Acunetix Security Hardening Guide

Product Articles | October 10, 2017 by Ian Muscat

The following guide provides a series of recommendations for improving the security (“hardening”) of your Acunetix On-Premises installation. 1. Update to the current version It is recommended that you always run the latest version of Acunetix. Additionally, Acunetix periodically publishes updates, which may include fixes…

The difference between Vulnerability Assessment and Penetration Testing

Web Security Zone | August 17, 2017 by Ian Muscat

Many information security professionals are familiar with the terms ”‘vulnerability assessment” and “penetration testing” (“pentest” for short). Unfortunately, in many cases, these two terms are incorrectly used interchangeably. This post aims to clarify differences between vulnerability assessment and penetration testing, demonstrate that both are integral…

Take action and discover your vulnerabilities