EnCirca's SSL and HSTS


Getting your domain protected means purchasing and installing an SSL Certificate. Additional security can be added by enabling HSTS protection.


1. Purchase an SSL Certificate


To get started, you need to decide what type of SSL Certificate is right for your business.

EnCirca recommends Extended Validation Certificates. EV Certificates are superior because:

  • the validation is more extensive
  • the customer will see that extra security in the form of a "green bar" that tells them the site is secure

In order to fully meet your needs, we also offer the following different types of certificates:

  • Standard SSL Certificates - require the certificate issuer to independently verify the information concerning the applicant's business.
  • Extended Validation (EV) Certificates - the applicant's business credentials are validated more extensively to help ensure that the applicant isn't a phisher, spoofer, or other type of online criminal.
  • Wildcard Certificates - protect multiple hostnames under the same base domain (e.g. www.sample.bank and directory.sample.bank)
  • SAN Certificates - protect multiple, different domains (e.g. www.sample.bank and sample.com)


Once you've chosen and paid for your certificate, you need to be validated by the SSL Company.


2. Validate Your Information

You need to prove that the domain is yours and that you are a legitimate business. There are two steps to this process.

First, Obtain a CSR for your Domain

A CSR, or Certificate Signing Request, is a block of encrypted text that is generated on the server the certificate will be used on. It contains information that will be included in your certificate, such as your organization name, common name (domain name), locality, and country. You may need to request this from your hosting service. For more information, see an overview here: http://esupport.trendmicro.com/solution/en-US/1097548.aspx


Then, Validate your SSL Certificate

  1. Log in to ssl.encirca.com. On the left-hand side, you should see a list of your orders.
  2. Click on the "Generate Cert Now" button. You will be redirected to the SSL vendor's site, where you can enter information, including:
    • CSR document
    • domain name
    • WHOIS contact email
  3. Once your information is entered, you will receive a confirmation. You may also receive a validation email or phone call from the SSL certificate vendor (e.g. GeoTrust or Symantec).

3. Install your SSL Certificate

After the verification process is completed, you should receive your SSL Certificate by email. This cert should be given to your hosting provider to install and check. You may also be given a logo to place on your site to verify its security.


Please note: Any additional customization of your hosting package will be an additional cost. Please contact support@encirca.com for more information.


HSTS Explained

HTTP Strict Transport Security forces browsers to make secure HTTPS connections with websites.


What is HSTS?

HTTP Strict Transport Security is a web security policy, sent via an HTTP response header, that forces browsers to make secure HTTPS connections when they visit a specified website. This prevents cookie hijacking and protocol downgrade attacks. This is accomplished by setting a Strict-Transport-Security header that forces all connections to be made securely and disregards any scripts that attempt to load assets over insecure HTTP. The header sets a period of time for which the policy applies.


What is the HSTS Preload list?

The HSTS Preload list is a set of pre-loaded websites that employ HSTS, built into the browser itself. This effectively closes the window for a first-connection protocol downgrade or cookie hijacking. When a web browser arrives at a website on the HSTS preload list for the first time, it already knows to only make secure connections.

The only problem with the HSTS preload list is that it can take a while to get on. You're at the mercy of the browsers as to when they update before you'll be included on the list itself. With some browsers that's nearly on a monthly basis - so the wait will only be a few weeks - but for others, it can be months. That's why Google's decision to register all of its TLDs on the list is so powerful. Now any website with those TLDs - that is secured with an SSL certificate - is already on the list by default.

Look for plenty of other domain registrars to follow suit in the coming months.

Should I implement HSTS on my website?

Yes. We definitely recommend employing HSTS. Even with an SSL certificate, there are still ways to exploit a site, especially one that uses 301 redirects to send traffic to the HTTPS versions of its original HTTP pages. Not having HSTS is like putting a nice big padlock on the front door of your website, but accidentally leaving a window unlocked. There's still a way to get in; you just have to be a little more sophisticated to find it.

So yes, we recommend implementing HSTS. Not only HSTS, but we recommend writing the header with the "includeSubDomains" and "preload" directives included as well.

Here is an example of a good HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

What to consider before implementing HSTS

There are a few things worth noting about HSTS before you go ahead and add the appropriate header:
  • You must have an SSL certificate installed on your website already
  • If you have sub-domains you will need to use a wildcard to protect them
  • You must use 301 redirects to reroute all HTTP pages to HTTPS ones
  • Google says best practice is to set a max age of two years
  • The includeSubDomains and preload directives must be included
  • Important Note: Just adding "preload" will not get you on the HSTS preload list. You will still need to follow up yourself by going here.
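As an added example (not part of EnCirca's page), here is a small checker that parses a Strict-Transport-Security header the way RFC 6797 describes (case-insensitive directive names, no repeated directives) and compares it against the checklist above: a max-age of at least the one year used in the example header, the two-year value cited as Google's best practice, and the presence of includeSubDomains and preload. The thresholds and finding texts are this example's own choices.

```python
ONE_YEAR = 31536000   # the max-age used in the header example above
TWO_YEARS = 63072000  # the two-year max-age the page cites as Google's best practice

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a {name: value} dict.
    Directive names are case-insensitive and must not repeat (RFC 6797);
    a repeated directive makes the whole header invalid, reported as None."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"') if has_value else None
    return directives

def check_hsts(header):
    """Return findings as 'error: ...' (browsers discard the header, or it fails
    the checklist) and 'advice: ...' (works, but weaker than recommended)."""
    d = parse_hsts(header)
    if d is None:
        return ["error: repeated directive, browsers discard the header"]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("error: max-age missing or not numeric, browsers discard the header")
    elif int(max_age) == 0:
        findings.append("error: max-age=0 tells browsers to forget the policy")
    elif int(max_age) < ONE_YEAR:
        findings.append("error: max-age shorter than one year")
    elif int(max_age) < TWO_YEARS:
        findings.append("advice: max-age shorter than the recommended two years")
    if "includesubdomains" not in d:
        findings.append("error: includeSubDomains missing, sub-domains stay unprotected")
    if "preload" not in d:
        findings.append("error: preload missing, header cannot be submitted for preloading")
    return findings

def hsts_ok(header):
    """True when the header produces no 'error:' findings."""
    return not any(f.startswith("error:") for f in check_hsts(header))

if __name__ == "__main__":
    # Constructed sample headers: the page's example, a weak one, and an invalid one.
    for h in ("max-age=31536000; includeSubDomains; preload",
              "max-age=300",
              "max-age=63072000; max-age=0"):
        print(repr(h), "->", check_hsts(h) or ["ok"])
```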