SSL and HTTPS for webpages 101

You do not need to know all the cryptography to set up a secure page. But a certificate alone does not encrypt your traffic. You need 3 things for all of this to work.

1. Secure protocol

It is TLS, mainly TLS v1.2 or 1.3 now. Your browser establishes the connection to the server over this protocol. I would suggest making the first step enabling your server to accept HTTPS connections on port 443 (the default). In Apache, enable SSLEngine and configure a virtual host to listen on port 443.

Traffic is ready to go over HTTPS, but weak ciphers might still be enabled and there is no certificate yet.

2. Configure cipher settings

At the very least you must disable weak ciphers such as RC4, MD5 etc. and enable only strong cipher suites. I found this interesting tool on SO: Mozilla SSL Configuration Generator.

Modern browsers will not even allow you to view the webpage if no modern secure ciphers are enabled.

3. Certificate

Without a certificate, data will not pass over the TLS protocol and your configured cipher suites. You can either use a self-signed cert or request one for free from Let's Encrypt, or even buy one from any SSL certificate provider.

The certificate and its key are stored on your web server as files (in the simple scenario). A certificate signed by a trusted CA is trusted by browsers, since they already know those CAs, so no warnings are shown. Using the link in step 2, see where to put your certificates to enable them in your vhost config.
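The three steps above as one Apache vhost, added here as an example and not taken from the original post. The hostname, file paths and cipher list are assumptions; generate the cipher list for your exact Apache and OpenSSL versions with the Mozilla generator linked in step 2 (the TLSv1.3 token needs Apache 2.4.37+ with OpenSSL 1.1.1+).

```apache
# Step 1: accept HTTPS on the default port 443 (mod_ssl must be loaded).
Listen 443

<VirtualHost *:443>
    # Assumed hostname and document root.
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on

    # Step 2: allow only modern protocol versions and strong cipher suites.
    # The cipher string below is an assumption taken from the "intermediate"
    # style of the Mozilla generator; regenerate it for your versions.
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLSessionTickets   off

    # Step 3: certificate (leaf plus intermediate chain in one file, which
    # Apache 2.4.8+ accepts) and the private key. Paths are assumptions.
    # Keep the key file readable by root only.
    SSLCertificateFile    /etc/ssl/certs/example.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>

# Plain HTTP only redirects to HTTPS so nothing is served unencrypted.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
```

Run `apachectl configtest` before reloading, then verify the live result with the SSL Labs test mentioned under Testing.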

Testing

You must absolutely test and re-test your webpages. This way you will ensure your website does not have an insecure configuration and is up to current security standards. Below are links to the popular SSL Labs test and other tools.

TLDR Conclusion

To secure your webpage with HTTPS you must enable TLS on the web server, configure secure ciphers and install an SSL certificate.

Further read

Date: 9 Aug 2018

SIEM solution and PCI scope. Why scoping environment is important

SIEM stands for Security Information and Event Management. Log management and notifications are part of the PCI DSS requirements and are not optional in the case of SAQ D. A SIEM gathers user (staff) activity from computers, servers and the network. Logs can be used in the event of a breach to rebuild a picture of what was happening on the network.

An example: someone installs a virus on your network on purpose to steal data. With a SIEM it is possible to narrow down who did it, or rather whose credentials were used for it.

SIEM integration is quite sophisticated and requires a lot of time at the beginning. It is not a “set up and forget” type of system; continuous maintenance and daily monitoring and review are needed.

Different vendors have various licensing models: either per number of computers or per amount of activity on the network. There are also subscription models and perpetual licences.

The more computers you have on your network, the more activity will be logged. However, it is possible to minimize this: computers having access to your CDE (cardholder data environment) can be moved into a separate network, which would be called the “PCI environment” (or CDE). Computers (or staff) that do not need access to the system which holds card data can be considered out of scope. This process is called segmentation.

Reducing the scope, or to put it differently, having fewer computers with access to your business system, would mean:

  • Lower SIEM solution cost
  • Less activity logged which means less to review daily, less alerts and easier management
  • Lower risk of breach

Proper scoping of the environment not only costs less, but also involves less maintenance and reduces the risk to your business.

Date: 23 May 2016