Web server encryption: Enterprise website encryption best practices

How might strong encryption be successfully employed within our Web server environment?


Web servers rely on strong encryption to protect the data exchanged between users and the server. Without it, that traffic is exposed to eavesdropping and modification, which undermines the confidentiality and integrity of financial transactions and any other sensitive data exchanged with end users.

There are two steps to ensuring that strong encryption protects Web communications: use a secure cryptographic protocol, and configure that protocol to use only strong cipher algorithms. The protocol defines how the browser and server set up the connection, authenticate the server and agree on session keys; the cipher algorithm defines the mathematical operations used to encrypt and decrypt the data once those keys exist.

There are two main cryptographic protocols in use on the Web: Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). TLS is the more secure of the two and is the one to prefer. When this article was written (December 2011) the usual advice was to keep SSL version 3 enabled alongside TLS 1.0, because some older browsers did not support TLS, while disabling SSL version 2, which has critical vulnerabilities. That advice has since been overtaken: SSLv3 is broken by the POODLE padding-oracle attack (CVE-2014-3566) and was formally deprecated by RFC 7568, and TLS 1.0 and TLS 1.1 were deprecated by RFC 8996. A server configured today should offer only TLS 1.2 and TLS 1.3; browser support is no longer a reason to keep the older versions, and SSLv2 and SSLv3 should never be enabled.

To enable SSLv3 and TLS on a Microsoft IIS Web server, see this Microsoft Knowledge Base article (on Windows, protocol versions are switched on and off through Schannel's registry settings). For Apache servers, the article's original directive for httpd.conf is shown below. It first disables every protocol version (-ALL) and then re-enables only those listed, so anything not named stays off; in this 2011 form that is SSLv3 and TLS 1.0 (the keyword TLSv1 means TLS 1.0 only, not the whole TLS family). On a current server the same directive should name only TLSv1.2 and TLSv1.3:

SSLProtocol -ALL +SSLv3 +TLSv1

Both SSL and TLS support a number of cipher suites, and it is equally important to restrict the server to those the cryptographic community considers secure. For Microsoft IIS configuration instructions, see this Microsoft Knowledge Base article. On Apache servers the article suggested the directive below. Read it with OpenSSL's cipher-string rules in mind: RSA selects suites with static RSA key exchange, which provide no forward secrecy (a later compromise of the server's private key decrypts any recorded sessions); a leading ! permanently removes matching suites; a leading - removes them but lets a later term add them back; and a leading + adds nothing, it only moves already-selected suites to the end of the list, so +HIGH:+MEDIUM is an ordering hint rather than an enable. MEDIUM in the OpenSSL releases of that era also included the RC4 suites, which RFC 7465 has since prohibited. A current configuration should prefer ephemeral ECDHE (or DHE) key exchange with AEAD ciphers such as AES-GCM or ChaCha20-Poly1305, and explicitly exclude RC4, 3DES, export, null and anonymous suites:

SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

With both controls in place, a protocol floor and a restricted cipher list, the traffic to your Web infrastructure is protected by strong, current encryption rather than by whatever the oldest client happens to negotiate.
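The two controls above, a protocol floor and a pinned cipher list, are exactly what a server-side TLS context expresses in code. The following Python is an added example written for this edit, not code from the original article: the function names are mine, LEGACY_CIPHERS is the article's 2011 SSLCipherSuite string kept for comparison, and MODERN_CIPHERS is this editor's hardened suggestion. It uses the standard-library ssl module, which evaluates the same OpenSSL cipher-string syntax the Apache directive uses, to show what each string actually negotiates: whether the suites have forward secrecy, whether any are below 128 bits, and whether any are non-AEAD. It runs offline against the local OpenSSL and needs no certificate.

```python
import ssl

# Cipher string from the 2011 article, kept only so the two can be compared.
LEGACY_CIPHERS = "RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"

# Hardened cipher string (editor's suggestion, not from the article): only
# authenticated ephemeral ECDHE/DHE key exchange with AEAD ciphers, and the
# anonymous, null, export, DES/3DES, RC4, MD5, PSK and SRP suites removed.
MODERN_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP"
)


def build_server_context(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Server-side context with a protocol floor and a pinned cipher list.

    minimum_version is the modern replacement for "-SSLv3"-style flags: every
    version below the floor (SSLv3, TLS 1.0 and TLS 1.1 here) is refused.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx


def audit_cipher_string(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Build a context for cipher_string and summarise what it would negotiate.

    get_ciphers() lists the suites in priority order, with each suite's minimum
    protocol in 'protocol'. TLS 1.3 suites are fixed by OpenSSL and not chosen
    by the cipher string, so the pre-1.3 suites are the ones the string controls.
    """
    try:
        ctx = build_server_context(cipher_string, minimum)
    except ssl.SSLError as exc:  # e.g. a strict OpenSSL security level
        return {"error": str(exc)}
    suites = ctx.get_ciphers()
    pre13 = [c for c in suites if c["protocol"] != "TLSv1.3"]
    return {
        "total": len(suites),
        "pre13_count": len(pre13),
        "min_version": ctx.minimum_version.name,
        # static RSA key exchange: a stolen server key decrypts recorded traffic
        "no_forward_secrecy": [c["name"] for c in pre13 if c["kea"] == "kx-rsa"],
        "weak_bits": [c["name"] for c in suites if c["strength_bits"] < 128],
        "non_aead": [c["name"] for c in pre13 if not c["aead"]],
    }


def apache_directives(cipher_string=MODERN_CIPHERS):
    """mod_ssl lines equivalent to the hardened context (editor's suggestion)."""
    return (
        "SSLProtocol -all +TLSv1.2 +TLSv1.3\n"
        f"SSLCipherSuite {cipher_string}\n"
        "SSLHonorCipherOrder on\n"
    )


if __name__ == "__main__":
    for label, spec in (("article, 2011", LEGACY_CIPHERS), ("hardened", MODERN_CIPHERS)):
        print(f"{label}: {audit_cipher_string(spec)}")
    print(apache_directives())
```

Running it prints the audit of both strings and the hardened mod_ssl lines. The article's string audits as all static-RSA (no forward secrecy) for every pre-1.3 suite, or fails outright on an OpenSSL build whose security level already refuses static RSA; the hardened string yields only ephemeral, AEAD, 128-bit-or-better suites. The same check can be pointed at any cipher string you are about to paste into SSLCipherSuite before it reaches a production host.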

This was first published in December 2011
