Business Website Hosting

A Beginner’s Guide to TLS/SSL Certificates and Website Security

Raise your hand if the company that you work for has a website, or you, yourself, run a website. That’s a lot of hands!

What Is TLS/SSL?

We often talk as if Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are the same thing; however, they’re more like successor and predecessor. Both are cryptographic protocols designed for secure communications. The last version of the SSL protocol was 3.0 and was published by the IETF in 1996. A major vulnerability, given the name POODLE, was disclosed in 2014, which essentially brought an end to SSL.

TLS 1.0 was defined as an upgrade to SSL in a request for comments (RFC) in 1999. The protocols aren’t substantially different, and the name change had more to do with the fact that the IETF wanted to ensure that it was apparent that this was a fork of the protocol.

Regardless of whether we say SSL Certificates or TLS Certificates, we’re almost certainly using the TLS protocol.

Website TLS/SSL Certificates

A TLS/SSL Certificate is a pair of files: one file contains a private key that only the server knows, and the other contains the certificate with the public key that is used to create a trusted relationship. A process known as a “handshake” occurs when you visit a website that uses an SSL certificate. This handshake can be a little confusing, but the diagram at the source linked below does a pretty good job of explaining it.

Source: https://www.entrust.com/resources/certificate-solutions/learn/how-does-ssl-work

How TLS/SSL Protects Your Website

The purpose of a TLS/SSL Certificate is to create a trusted relationship between your computer’s web browser and the server hosting the website. Once this relationship is created, any communication between these two points (your browser and the website server) is encrypted using the private key that only the server has knowledge of. This is how TLS/SSL protects a website visitor’s financial information, such as a credit card number, when they enter it into a form on your website.

Along with encryption, the TLS/SSL protocol also provides a form of authentication and integrity. Once the relationship is established, you can be sure that the communications being exchanged aren’t being manipulated and are being sent and received by the same two parties.

TLS/SSL Testing

Not all TLS/SSL Certificates are the same, and not all website servers implement these certificates in the same way. Implementing TLS/SSL incorrectly, or not configuring the web server with the appropriate settings, can leave the site with real weaknesses. Testing your TLS/SSL should be added to your annual checklist; it ensures that your TLS/SSL Certificates and server settings are in tip-top shape.
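Here is a local check, added as an example for this post (it’s our own illustration, not code from the original article or from any of the scanning services), that covers part of what the online scanners report: a hardened Python `ssl` server context beside one that still accepts TLS 1.1, and an `audit_context` function that flags legacy protocol versions, enabled compression, and obsolete or non-forward-secret cipher suites. `SAMPLE_CIPHERS` is a constructed list in the shape `get_ciphers()` returns, so the cipher rules can be exercised without a live server; the function names and the cipher string are our own choices.

```python
import ssl
# Substrings of OpenSSL cipher-suite names that mark obsolete algorithms.
WEAK_NAME_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")
# Constructed sample in the shape SSLContext.get_ciphers() returns.
SAMPLE_CIPHERS = [
    {"name": "AES256-SHA", "protocol": "SSLv3", "strength_bits": 256},
    {"name": "ECDHE-RSA-RC4-SHA", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "strength_bits": 128},
]

def audit_ciphers(ciphers):
    """Flag cipher suites (dicts as from get_ciphers()) a scanner would mark down."""
    findings = []
    for c in ciphers:
        name = c["name"]
        if any(tok in name for tok in WEAK_NAME_TOKENS):
            findings.append(f"{name}: obsolete algorithm")
        elif c.get("strength_bits", 0) < 128:
            findings.append(f"{name}: under 128 bits of strength")
        elif c.get("protocol") != "TLSv1.3" and "DHE" not in name:
            # Only TLS 1.3 suites get forward secrecy without an (EC)DHE name.
            findings.append(f"{name}: no forward secrecy")
    return findings

def audit_context(ctx):
    """Return findings for an ssl.SSLContext; an empty list means clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.1 or older accepted; set minimum_version to TLSv1_2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled; set OP_NO_COMPRESSION")
    findings.extend(audit_ciphers(ctx.get_ciphers()))
    return findings

def hardened_server_context():
    """Server context limited to TLS 1.2+ and forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx

def legacy_server_context():
    """Context still accepting TLS 1.1 where the linked OpenSSL allows it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    except (ValueError, ssl.SSLError):
        pass  # build or crypto policy refuses it; the context stays modern
    return ctx
```

Run `audit_context()` against the context your own application builds (for example after `load_cert_chain()`) to catch settings drift between annual scans.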

Here are some resources that you can use to easily test your websites.

  • SSL Labs by Qualys – One of our favourites; allows you to hide the results from their community boards for added privacy.
  • Mozilla Observatory – Choose to not show up in public results, and even not get scanned by third-party scanners. Observatory not only scans for TLS/SSL issues, but also for HTTP and SSH issues.
  • Wormly – Wormly gives you a simple TLS/SSL health check report.
  • CryptCheck – Something a little more technical; CryptCheck also runs tests on SSH, SMTP and XMPP.
  • SSL Checker – Visualize and verify the certificate chain.
  • TLS Version Check by Geekflare – Quickly check if your web server uses a deprecated version of TLS.
  • How’s My SSL? – They really mean, “TLS”. How’s My SSL gives you a simple report and rating on your TLS certificate. It also offers an API.
  • Digicert SSL Installation Diagnostics Tools – A diagnostics tool that also allows you to check for common vulnerabilities.
  • SSL Checker – SSL Shopper provides another tool for verifying your TLS/SSL certificate install.

Other Resources

The Mozilla wiki has a great resource that includes details on TLS cipher suites and other TLS configurations to help you improve web server security. I’d be remiss if I didn’t mention the Mozilla Developer Network (MDN) Web Docs which is rife with articles, references, and guides for better web development.

Privacy Policy Resources, Template Generators, and PIPEDA


Did you know that, as a business, you may be required to abide by both provincial and federal privacy laws? Many provinces, such as Alberta, British Columbia, and Quebec, have already introduced their own legislation for the collection, use, and disclosure of personal information that occurs while doing business in those provinces. For the rest of us, the Personal Information Protection and Electronic Documents Act (PIPEDA) probably applies.

PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of doing business. This information might include personally identifiable information (PII), such as names, telephone numbers, ethnicity, blood type, employee records, loan records, and even opinions, evaluations, and comments.

Is a Privacy Policy Important?

A privacy policy is a very important document if your website interacts with its visitors in any way, shape or form. This includes not just contact forms, but also more indirect forms of interaction such as website analytics tracking.

As mentioned, a privacy policy is a simple document that is available on your website that outlines your organisation’s policies and procedures as they relate to the collection, use, storage and disclosure of personal information. A privacy policy is intended to advise the users of your website of the steps that your organisation takes in order to meet provincial or federal privacy regulations and outlines several key principles:

Although PIPEDA doesn’t include many details on what it considers “against policy”, the Office of the Privacy Commissioner of Canada (OPC) has outlined several examples of what would generally be considered inappropriate.

  • Collecting, using or disclosing personal information in ways that are otherwise unlawful;
  • Profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
  • Collecting, using or disclosing personal information for purposes that are known or likely to cause significant harm to the individual;
  • Publishing personal information with the intent of charging people for its removal;
  • Requiring passwords to social media accounts for the purpose of employee screening; and
  • Conducting surveillance on an individual using their own device’s audio or video functions.

Source: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/

PIPEDA Resources

The OPC website is probably the single best resource as it relates to PIPEDA. We’ve included some of the more relevant links here.

Privacy Policy Generators

Without further ado, let’s take a look at how we can quickly and easily get a privacy policy set up for your website.

These tools were designed to take basic inputs and generate a complete privacy policy for your website. I’ve only included links to tools that offer a free tier or are completely free.

PHP 8.0 Now Available

Introducing PHP 8.0

We are happy to announce that PHP 8.0 is now generally available to all Rogue Security Business Website Hosting clients. PHP 8.0 is a major release within the PHP ecosystem and includes many optimizations, better syntax, and improved type safety. As a major release, PHP 8.0 might require some modifications to your existing scripts. Please make sure that you review your existing website before moving to PHP 8.0, and make use of the various migration guides available on the PHP.net website.

You’ll find PHP 8.0 available directly from your Website Control Panel, and the version can be set per website. This means that if you have multiple websites on our platform, each one may use a different version of PHP. Simply log in to the Rogue Security Hosting Control Panel, navigate to ‘Sites’, select the website whose PHP version you wish to change, scroll down to the ‘PHP Version’ dropdown, and select the version of PHP that you wish to use for this particular website.

Dropdown menu for selecting PHP version.

PHP 7.3 and PHP 7.4 will continue to be available for all clients; PHP 7.4 is now the default version of PHP for all new clients. Existing clients will not have any changes made to the default version of PHP for their websites.

What Is “Security-Focused” Website Hosting?


The Internet has changed, and so has how the majority of us use it. According to Google, there are 1,197,982,359 websites in the world as of January 2021.

When the Internet was only made up of a few hundred thousand websites, it was quite easy to get people to reach your website, as you had a higher chance of being on the first page of the search results. As things grew, and there were millions of websites around the world, search engines needed to become smarter. This led to Internet marketing and Search Engine Optimization (SEO), where individuals would learn the techniques that search engines use and then apply them to their websites to ensure that they “outranked” other websites.

Today, we have over 1 billion websites around the world, and the fact of the matter is that people are getting to your website because they either already know it or went looking specifically for it. Many Web Hosting companies still want to sell you “Website Marketing” services and super low-cost website hosting with unlimited everything. Unfortunately, you aren’t using unlimited. In fact, you aren’t using even close to unlimited. A medium-sized eCommerce website might use around 8.5 GB of Transfer per month, given a 100 Kb page size and 1000 visits per month.

We let you drive traffic to your website in whatever way you choose, while we focus on keeping your website secure and available to your customers and clients. Our staff of Information Security professionals have over 15 years of experience in the Technology and Information Security industry and follow the guiding principles of Confidentiality, Integrity, and Availability (C.I.A.). We ensure the Confidentiality of your information, your website, and your clients and customers. We maintain the Integrity of your data in motion (transfer and delivery to your visitors) and at rest (storage). Finally, we make sure that the Availability of your website is there when you need it.

Your website is now an extension of your store front. How can we help?

PHP 7.2 End of Life and the OWASP® ModSecurity Core Rule Set (CRS)


On November 30th, PHP 7.2 went end of life (EOL). When end of life occurs, the product is no longer supported and can quickly become a security issue, because zero-days are still found but security patches are no longer delivered. None of Rogue Security’s customers currently use this version of PHP, so we’ve taken the needed step of uninstalling PHP 7.2 from all of our website hosting servers; after validation we can confidently say that the change was successful.

You can always come back here to find the link to the list of Current PHP Supported Versions, and we’d recommend you also check out Migrating from PHP 7.2.x to PHP 7.3.x. PHP 8.0, the next major release, will be available at Rogue Security on December 18th, 2020.

Here is a complete list of modules that are no longer available.

Over the course of future posts we’ll introduce you to many different aspects of OWASP (Open Web Application Security Project). One of our principal website hosting security features is the OWASP® ModSecurity Core Rule Set (CRS), which is a set of generic attack detection rules for use with ModSecurity or other compatible web application firewalls. So what does this mean? Well, it means that you have the best protection against the top web application attacks known. Now, that’s impressive. Find out more at coreruleset.org.