Making the Grade: Achieve SSL Labs A+ Grade with Imperva WAF

We all woke up to a new reality early last year. HTTPS adoption has reached the tipping point, meaning that more than half of web traffic is encrypted.

The benefits of encrypting your traffic are obvious, right? It’s essentially about you securing data being transmitted by authenticating web servers and clients (web browsers), and then using it to encrypt messages between the authenticated parties. Yet, some important questions are left unanswered:

  • How can you tell if your traffic is adequately encrypted?
  • What can you do to make your HTTPS configuration even tighter?
  • And is just using SSL enough?

In this blog post, I’ll talk about how to elevate your web server SSL/TLS implementation, why it’s important, and how you can leverage our version 13.0 release of Imperva SecureSphere Web Application Firewall (WAF) to achieve the desired A+ grade with SSL Labs.

Lifting Your SSL Posture

Properly deploying HTTPS can be tedious, and sometimes frightening, even for experienced security teams, but have no fear…

Fortunately, there are many groups that can provide guidelines and tools that can help assess the level of security in your SSL/TLS deployment. The OWASP Foundation, for example, holds and maintains a transport layer protection cheat sheet, which provides some best practice guidelines for implementing HTTPS.

Not only that, recently, numerous free diagnostic tools have emerged that allow you to conduct an analysis of your SSL web server configuration and performance. Many of these tools provide you basic information and recommendations on how to enhance your HTTPS configuration. Others will go under the hood and provide a thorough analysis of your HTTPS configuration, including an SSL vulnerability status report. But without a doubt, the tool that has become the industry standard for evaluating SSL implementation is SSL Labs by Qualys. I believe if you tried it yourself you would probably agree it’s the most comprehensive and deep analysis tool out there. Let’s examine how it works.

How Does SSL Labs Approach Web Server Testing?

SSL Labs provides a peek into how they grade websites in their SSL Server Rating Guide.

In a nutshell, SSL Labs looks at two main things:

  • Certificate – verifies that it is valid and trusted
  • Configuration – inspects server configuration in three categories:
    1. Protocol support – checks available SSL protocol versions out of the five: SSL 2, SSL 3, TLS 1.0, TLS 1.1, and TLS 1.2
    2. Key exchange support – checks key exchange parameters’ strengths
    3. Cipher support – checks supported cipher suites, and ciphers are displayed in server-preferred order from the strongest to weakest

SSL Labs then combines the category scores into an overall score and converts it into a letter grade.

Finally, SSL Labs examines other aspects of server configuration that cannot be expressed via numerical scoring and checks if you have other features, like TLS_FALLBACK_SCSV, OCSP stapling and HSTS supported. Note that without, for example, you would get your score downgraded and never be able to get the desired A+ score.

Numerical ScoreGrade
score >= 80A
score >= 65B
score >= 50C
score >= 35D
score >= 20E
score < 20F

Table 1. SSL Labs scoring-to-letter grade translation

SSL Labs – Is It Only About Security?

Working as a product manager for Imperva, I’ve had so many customer and security researcher discussions around this tool and its importance that I’ve lost count. One interesting thing I’ve noticed over time is that while many initially questioned the way SSL Labs conducted their tests and their effectiveness, nowadays the tool has become the defacto standard. Why is that? Let me share what I have learned.

It seems at the beginning, security administrators looked at the tool and its grading only as a way to know how to secure their SSL/TLS implementation, and how to avoid being compromised or vulnerable to SSL/TLS attacks, such as Heartbleed, POODLE, Freak and others. From their perspective, it was all about security and not being subject to security breaches, which could later lead to direct financial losses. But there seems to be more than that now.

Organizations have started to realize that their website grade and SSL/TLS implementation effectiveness has become publicly available, and an increasing number of users are using SSL Labs to get some indication of a website’s security. This is a game changer. A bad grade may have a negative influence on the website’s reputation in the eyes of users, which may eventually lead to indirect losses.

Just think about it, what would you do if you found out that one of the e-commerce websites that you usually shop on has a very negative SSL Labs grade? I can only assume it would make you think twice before you order your next Kindle or drone.

Figure 1: The dreaded F grade by SSL Labs that organizations are trying to avoid

Figure 1: The dreaded F grade by SSL Labs that organizations are trying to avoid

Using a WAF to Score SSL Labs A+ Grade

Now that we have discussed SSL Labs, its importance, and understood how it works, I’d like to suggest a shortcut to get to the coveted A+ grade, and that’s with the use of a web application firewall (WAF).

With a WAF, the way to achieve an SSL Labs A+ grade is much shorter. It’s easier to do since it requires no changes in the backend servers and removes the SSL configuration complexity and errors by having a single pane of glass for SSL configuration management.

Deploying a WAF is extremely useful, especially if you are looking to:

  • Elevate your application security – in case you already managed to score well in SSL Labs and you are looking to expand your application security without downgrading your SSL Labs grade
  • Elevate your SSL Labs grade – in case your web server score is not optimal, every standard WAF should be able to help improve your grade

How to Use SecureSphere WAF to Get SSL Labs A+ Grade

With our new version 13.0 release for SecureSphere WAF, achieving a perfect A+ grade with SSL Labs is a straightforward process. We’ve done all the work with an out-of-the-box configuration template that removes the hurdle for the user.

One thing to note is that you will have to be deployed in a reverse proxy mode, either transparent reverse proxy or kernel reverse proxy. Let’s follow these two simple steps:

1) Review the out of the box SSL setting

In the Main workspace, select Setup > Global Object. In the Scope Selection pane, select SSL Settings and choose the “SSL Labs A+ RP Server Side SSL Settings” template to review the configuration and ensure it is acceptable to you.

Figure 2: In SecureSphere WAF, set custom SSL setting or use the out-of-the-box settings to get a SSL Labs A+ grade

Figure 2: In SecureSphere WAF, set custom SSL setting or use the out-of-the-box settings to get an SSL Labs A+ grade

2) Apply the setting to your application

In the Main workspace, select Setup > Sites. In the Sites Tree pane, select the service you want to protect. In the Reverse Proxy tab, select the “SSL Labs A+ RP Server Side SSL Settings” in the reverse proxy rule (KRP or TRP) and click the Save button.

Figure 3: Apply the settings in SecureSphere WAF and you’re done!

Figure 3: Apply the settings in SecureSphere WAF and you’re done!

That’s it! Congratulations!

An A+ grade should be shown by default when a valid SSL certificate with all intermediate CA certificates are installed and HSTS in enabled in the web server or in SecureSphere.

Figure 4: A SSL Labs A+ Grade with SecureSphere WAF

Figure 4: A SSL Labs A+ Grade with SecureSphere WAF

Note: SSL Labs periodically changes their grading criteria and methodology based on changes in technology so the information provided here applies as of the publish date of this post. We continually monitor and track SSL Labs changes with the goal of updating our product to maintain the A+ grade.

Is SSL Enough?

No. Any security expert will tell you that SSL alone is not enough, as it only deals with one aspect of security. Since SSL/TLS only ensures a secure connection there is no guarantee that the application is actually safe from any type of attack. Starting from technical attacks such as SQL injections and cross-site scripting to business logic attacks, such as site scraping and account takeover.

With Imperva SecureSphere Web Application Firewall, organizations can secure web applications no matter if they are deployed in the cloud or on prem. This should help to prevent breaches, along with their resulting exposure, cost and brand damage.

Learn more about Imperva SecureSphere Web Application Firewall and upgrade to version 13.0 today.

This is a Security Bloggers Network syndicated blog post authored by Ido Mantsur. Read the original post at: Blog | Imperva