|
|
||||
Most sites that use SSL/TLS are not as secure as you may believe - especially if you were born before 1997.
The main point here - we worry about this stuff so that you don't have to.
With a cryptographic attack, 56-bit DES security can on average be broken on a single PS3 (using 6 SPUs) in about 1.75 years [1], or with a network of them in a fraction of that time [2]. 40-bit SSL is much more vulnerable. Additionally, many hosts still provide SSLv2/SSLv3, NULL and ANON ciphers (as of Nov 2013). When your website allows these lower quality ciphers, a malicious 3rd party is able to intercept your traffic and modify it in-transit much more easily, or even create a usable version of your Private Key and impersonate your website while still showing the SSL "lock" that we have all come to trust over the last 18 years.
As of 2019, SSLv3, TLSv1.0 and TLSv1.1 are deprecated and TLSv1.2 is supported by all modern browsers. Our recommendation is to use TLSv1.3.
We have spent a lot of time working with SSL and enjoy investigating new ciphers, encryption protocols and attacks. We actively investigate new types of attack and discuss mitigation techniques with leaders in the cryptography field. We have also worked on patches for OpenJDK to assist with protection against some of the current attack surfaces present in Java (did we already mention we are Java developers ourselves?)
You can leverage our world-class and up-to-date TLS security policies and patches automatically by simply adding an SSL certificate to your Metawerx account through our control panel, which will enable all the current best-practices we use ourselves. We support all certificates including EV (Extended Validation) and WildCard (*.yourdomain.com) certificates.
We call this Enterprise Crypto - but sadly most Enterprises aren't up to date, including most online banking sites, as they simply enable SSL/TLS and believe their task is complete. Even popular browsers and Certificate Authorities are behind in their implementation of the latest protocols.
For more information and to check other hosts and sites, please visit the Qualys SSL Server Test. We achieve the higher level test score which is usable on common browsers and were the first in the world to score 100% [a]. A score of A or higher is our current recommendation for a public-facing website such as secure.metawerx.net and is compatible with Internet Explorer and mobile devices, while enabling mitigation of the BEAST attack. The CRIME attack is automatically mitigated with all server-side versions of Java. We use the "A+" setting or higher for our control panels and customer tools. Anything below A needs to be addressed and anything scoring a C or less is at much greater risk. Another standard guide for SSL/TLS testing is OWASP-CM-001 in the Open Web Application Security Project (OWASP). Take some time to check out your favourite sites and your previous hosts.
Our competitors review this page periodically as a guide to setting up their SSL security - we see them in our logs. You can check their progress or current status on SSLLabs using the above link.
[a] We were the first in the world to achieve a score of 100, on our test servers in April 2012 when ssllabs used a numerical rating. Our score appeared publicly (before any other hosts) in October 2012 when the SSLLabs test was upgraded to support TLS1.2-only servers. On 1-Nov-2012 there were still less than 5 servers in the world to achieve a rating of 100. Outside the test, we use the highest "usable" level of TLS security for our customer tools according to browser capabilities. Unfortunately, at the time, using the highest level of security prevented most browsers from connecting to the services as they are often well behind the most recent recommended specifications. Therefore we continued to support TLSv1.0 on our own site until the browsers caught up.
| Enterprise Cryptographic Services / Strong SSL | All Plans |
| Strong 256 bit SSL - Weak(56+)/Medium(128+)/Strong(256) cipher selection available for ancient clients - Medium(128+) recommended for Internet Explorer and older mobile device compatibility - High(256) recommended for all modern clients |
 |
| Strong 4096 bit Private Key by default - Industry standard is 1024 or 2048 |
|
| TLS 1.2 support - Java 7 or above |
|
| TLS 1.3 support - Java 11 or above |
|
| PCI Compliant SSL/TLS - PCI requires 128 bit ciphers or above (our default setting) |
|
| FIPS-ready SSL/TLS - FIPS requires 168 bit ciphers or above - We can ensure your site uses only FIPS 140 compliant ciphers or higher |
|
| SSLv2, SSLv3 and Weak Ciphers Blocked - Disabled by default for higher security, but available on request for export-cipher-only countries |
|
| Unlimited Strength Crypto Extensions | |
| BouncyCastle Crypto Extensions | |
| Elliptic Curve DHE Support (Java7+) - Faster SSL on newer browsers and mobile devices - Perfect-Forward-Secrecy (Diffie Helman ECDH 571 bits, or 15360 bits RSA on Java 7 and above - ref: ssllabs.com) - Advanced protection against recording of transmissions performed now for which a compromise is attempted in the future - (read more ...) |
|
| GCM Cipher Support (Java8+) - Galois/Counter Mode Ciphers are the new alternative to cipher block chaining (CBC) which is known to be vulnerable to oracle attacks such as BEAST - GCM ciphers are approved by NIST (as at Oct-2013) - CBC ciphers are becoming deprecated in favor of ChaCha/POLY1305 and GCM - (read RFC5288 for specs) |
|
| BEAST, CRIME, LUCKY13, DROWN, POODLE, Zombie POODLE, GOLDENDOODLE protection as standard - BEAST attack protection via avoidance of CBC ciphers (90% of websites vulnerable in early 2013) - CRIME attack protection via disabling of SSL header compression - LUCKY13 attack protection via use of the latest BC libraries for Java - DROWN attack protection via use of the latest BC libraries for Java - POODLE attack protection via use of the latest BC libraries for Java - Zombie POODLE attack protection via use of the latest BC libraries for Java - GOLDENDOODLE attack protection via use of the latest BC libraries for Java |
|
