SSL and TLS Deployment Best Practices

1/15/2020, updated 10/23/2025

Excerpt

### 1.5 Use Strong Certificate Signature Algorithms

Certificate security depends *(1)* on the strength of the private key that was used to sign the certificate and *(2)* on the strength of the hashing function used in the signature. Until recently, most certificates relied on the SHA1 hashing function, which is now considered insecure. As a result, we're currently in transition to SHA256. As of January 2016, you shouldn't be able to get a SHA1 certificate from a public CA. Leaf and intermediate certificates with SHA1 signatures are now considered insecure by browsers.

…

An invalid certificate chain effectively renders the server certificate invalid and results in browser warnings. In practice, this problem is sometimes difficult to diagnose because some browsers can reconstruct incomplete chains and some can't. All browsers tend to cache and reuse intermediate certificates.

…

- SSL v2 is insecure and must not be used. This protocol version is so bad that it can be used to attack RSA keys and sites with the same name even if they are on entirely different servers (the DROWN attack).
- SSL v3 is insecure when used with HTTP (the SSLv3 POODLE attack) and weak when used with other protocols. It's also obsolete and shouldn't be used.

…

### 4.1 Encrypt Everything

The fact that encryption is optional is probably one of the biggest security problems today. We see the following problems:

- No TLS on sites that need it
- Sites that have TLS but that do not enforce it
- Sites that mix TLS and non-TLS content, sometimes even within the same page
- Sites with programming errors that subvert TLS
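The two checks the excerpt describes, the signature hash of each leaf and intermediate (section 1.5) and whether the served chain actually links up to a trusted root, as an added example that is not part of the SSL Labs page. It assumes the Python `cryptography` package and builds a constructed three-level chain (hypothetical CA names, EC P-256 keys) in memory, so it runs offline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
WEAK_HASH_NAMES = {"md5", "sha1"}  # insecure for leaf and intermediate signatures

def make_cert(cn, issuer_cert, issuer_key, key, is_ca):
    """Constructed test certificate (hypothetical CA); self-signed when issuer_cert is None."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())

def signature_hash_name(cert):
    """Hash used in the certificate's own signature ('sha1', 'sha256', ...)."""
    alg = cert.signature_hash_algorithm  # None for Ed25519/Ed448 signatures
    return alg.name if alg is not None else None

def diagnose_chain(leaf, served, trusted):
    """Follow issuer links from the leaf using only what the server sent; returns
    complete, missing (issuer DN the server omitted) and weak (weak-hash DNs)."""
    by_subject = {c.subject: c for c in served}
    trusted_subjects = {c.subject for c in trusted}
    weak, cur, seen = [], leaf, {leaf.subject}
    while True:
        if signature_hash_name(cur) in WEAK_HASH_NAMES:
            weak.append(cur.subject.rfc4514_string())
        if cur.issuer in trusted_subjects:  # root reached; its self-signature is not checked
            return {"complete": True, "missing": None, "weak": weak}
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.subject in seen:  # gap (or loop) in the served chain
            return {"complete": False, "missing": cur.issuer.rfc4514_string(), "weak": weak}
        seen.add(nxt.subject)
        cur = nxt

# Constructed three-level chain, root -> intermediate -> leaf, all EC P-256 keys.
ROOT_KEY, INT_KEY, LEAF_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = make_cert("Example Test Root", None, ROOT_KEY, ROOT_KEY, True)
INTERMEDIATE = make_cert("Example Test Intermediate", ROOT, ROOT_KEY, INT_KEY, True)
LEAF = make_cert("www.example.test", INTERMEDIATE, INT_KEY, LEAF_KEY, False)
```

Running `diagnose_chain(LEAF, [LEAF], [ROOT])` reproduces the "missing intermediate" case the text says is hard to spot in a browser that silently rebuilds the chain from its cache, while `diagnose_chain(LEAF, [LEAF, INTERMEDIATE], [ROOT])` reports a complete chain.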

Source URL

https://github.com/ssllabs/research/wiki/ssl-and-tls-deployment-best-practices

Related Pain Points