How do I get A+ rating in SSLLabs?

Security is a basic requirement of any project in the IT industry. Rapid development of new technologies, strict compliance standards, and evolving threats from hackers make it essential to keep your business’ security tools up-to-date and as strong as possible.

Namecheap is proud to provide its customers with the most state-of-the-art online security solutions available. It’s our job to make sure all our customers are well-protected and secure at every level.

This article will guide you through the main points of high-level security, as well as show you how to enhance the security of your IT business, thereby building customer confidence and loyalty.

If you haven’t already, we recommend first visiting our Knowledgebase to learn more about SSLs: what they’re used for and how to install one on a server.

In our review, we will use SSLLabs as a testing project of Qualys, a company that provides strategic security solutions. We will use their A+ indicator as the industry high standard in SSL security and will try to meet its requirements. The SSLLabs checker covers two substantial parts of the investigation: Authentication, which reflects details about installed SSL certificate and additional certificates provided by a server, and Configuration, which shows server settings for secure negotiation used in client-server interaction.

Authentication

The first block of Authentication is called Server Key and Certificate #1. Its main points are certificate validity, key type and size used to generate an SSL (our system accepts both RSA and ECC keys), signature algorithm, and whether or not an SSL certificate is trusted.

SSL certificates encrypt data being exchanged between server and browser with the help of hash function. SHA-1 was the most actively used hash function.

According to the Certificate Authority and Browser Forum, which develops and establishes requirements for Certificate Authorities to issue publicly trusted certificates, SHA-1 signature algorithm is being phased out as of November 2014. This makes it necessary for certificates to be issued in SHA-2 so that all browsers show no warnings. Our system issues certificates in SHA-2 automatically. For those customers who issued their SSLs before the effective date of transition, reissuance is needed to get updated and valid certificates. You can check which hashing algorithm the certificate is issued in with the help of this tool.

ssllabs1

Another important point (highlighted in green in the screenshot above) is whether the server returned certificates issued by Certificate Authority during the test. Intermediate CA certificates are used to link the domain certificate to the trusted Certificate Authority. They should also be installed on the server for the certificate to be recognized as trusted in all browsers.

Two other blocks of Authentication show us these Intermediate certificates and the paths to them constructed during client-server interaction. A root certificate is self-signed, meaning it is not signed by another entity that has been given authority. The root certificate gets authority through the root certificate program managed by the operating system or browser developer. All root certificates issued by CAs are kept in the trust stores of browsers, so there is no need to install a root SSL on the server.

It should be noted that if a root SSL is installed and sent by a server, it will be shown with this message:

ssllabs2

SSLLabs reflects it as ‘chain issues’:

ssllabs3

This is not an error. It increases network latency during the SSL handshake and is not considered an issue according to RFC 5246.

SSLLabs also checks if the intermediate certificates are valid using several key points: expiration date, key, issuer, and signature algorithm. Since the signature on a root certificate is not verified (as the software trusts the root certificate public key directly), there is nothing to worry about if a root SSL is issued in SHA-1. A self-signed root SSL is marked with a green ‘In trust store’ phrase, both in ‘Additional certificates’ and ‘Certification Paths’ blocks:

ssllabs4

So, in order to proceed successfully with Authentication, a valid SSL certificate with the right key size (at least 2048-bit for RSA and 256-bit for ECDSA) and a SHA-2 hashing algorithm issued by a trusted Certificate Authority should be used. A complete CA bundle, including all intermediate certificates, must be installed too.

Configuration

This part includes the following segments: Protocols used by a server to establish secure connection; available Cipher Suites, from which a browser or client software can select at the moment of session setup; SSL Handshake Simulation which shows how the connection would occur with different software and which protocol version, ciphers, and encryption level would be used; Miscellaneous, which includes general information; and one of the most important blocks – Protocol Details, in which we can see security flaws that should be fixed on server side.

Protocols

There are five available protocol versions for SSL connection: SSL 2, SSL 3, TLS 1.0, TLS 1.1, and TLS 1.2. Currently, TLS 1.2 is the latest version and is considered the most secure Transport Layer Security (TLS) protocol, allowing client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering or message forgery. [RFC 5246].

SSLLabs highlights TLS 1.2 with green:

ssllabs5

Namecheap shared hosting accounts are configured to accept all connections using TLS versions only. It is better to have all TLS versions enabled in order to prevent compatibility issues with legacy software/apps. Enabling SSLv3 will allow customers with IE 6 to visit your website over HTTPS but will make a server vulnerable to POODLE attack.

Cipher suites are displayed in server-preferred order from the strongest to weakest that are available in client-server secure interaction. Let’s take a look what these strings consist of:

get_a_rating_07

Namecheap offers our customers only strong cipher suites with all our fully-managed servers. Below is the example of the cipher suite for shared and reseller hosting plans:

ssllabs7

Customers with self-managed VPS and dedicated servers should manage cipher suites themselves.

SSL handshake simulation is being carried out successfully with most client software except for clients which do not support Server Name Indication (SNI). Since all Namecheap servers have SNI enabled by default, SSL connection with Android 2.3.7, Internet Explorer 6 and 8 on Windows XP, and Java 6u45 will fail unless the user ordered a dedicated IP address.

The aforementioned versions of Internet Explorer and OpenSSL package 0.9.8y do not support Forward Secrecy, this should be adjusted on server as well. Visit our Knowledgebase to learn more about Perfect Forward Secrecy and how to check whether a server provides it. For customers with third-party hosting servers, instructions for deploying FS can be found here and here. Servers based in Namecheap datacenters have the FS feature enabled with modern versions of browsers on most of them.

ssllabs8

Finally, we come to Protocol Details, perhaps the most interesting and important segment. Customers who use Namecheap’s fully-managed hosting plans don’t have to worry about server configurations since our Technical Team keeps them up-to-date, tracks all announced weaknesses, and immediately deploys fixes for them. An ‘A’ grade should be shown by default when a valid SSL certificate with all Intermediate CA certificates is installed.

The coveted “A+” grade on SSLLabs can be achieved by enabling of HSTS policy on a server. HSTS technique is explained here. In a nutshell, HSTS is a mechanism enabling web sites to declare themselves accessible only via secure connections, and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections as indicated in RFC 6797.

Accordingly, a server can send a special header in HTTPS request to client software asking to use forced secure connection. Once HSTS policy is enabled, you will see that much-desired message:

ssllabs9

TLS only protocol versions, modern cipher suites, and mitigations for all known SSL vulnerabilities must be applied carefully to pass Configuration block checking successfully.

So, let’s summarize what we’ve learned: Since Namecheap’s fully-managed hosting servers have all the necessary settings pre-configured, all our customers need to do to get an ‘A+’ grade on SSLLabs is to install a valid SSL certificate with CA bundle and configure HSTS in .htaccess.

Several key points still should be mentioned for customers with third-party hosting servers, however. In order to set good server configuration, you’ll need to do a few things:

  • Disable both SSLv2 and SSLv3 which are vulnerable to Ciphersuite rollback attack and POODLE.
  • Disable TLS 1.0 compression which is vulnerable to CRIME.
  • Disable weak ciphers (DES and especially RC4), prefer modern ciphers (AES), modern modes of operation (GCM) and protocols (TLS 1.2).
  • Disable Export cipher suites vulnerable to FREAK attack.
  • Deploy Elliptic-Curve Diffie-Hellman key exchange mechanism and use strong DH group which allow preventing new Logjam attack.
  • That’s all! We wish you good luck and security in your business.

Updated
Viewed
34560 times

Need help? We're always here for you.

notmyip