Monday, April 28, 2014

HTTPS Best Practices

Using HTTP Over TLS (HTTPS or Hypertext Transfer Protocol Secure) helps users ensure that they are connecting to the correct web site and that their communications are protected from eavesdropping and tampering in transit. Using HTTPS for banking and e-commerce web sites is an obvious requirement, but HTTPS is also valuable for scientific cyberinfrastructure (CI), where users log in to access valuable scientific resources and rely on the integrity of their research data. Always-On-SSL describes the recommended best practice of enabling HTTPS across an entire website, rather than only specific areas of the site, to protect the user's entire web session.

The first step to enable HTTPS on a web site is to obtain a certificate for the site. CI providers should use HTTPS certificates issued by certificate authorities that are well known to standard web browsers so users do not learn to click through security warnings for so-called self-signed certificates. In many cases, CI providers can obtain HTTPS certificates from their home campus' IT department, which may be participating in the InCommon Certificate Service program or have an established contract with another certificate provider.

Tools and guides are available to assist with maintaining a secure HTTPS configuration. The Qualys SSL Server Test tool analyzes a site's HTTPS configuration to identify problems and areas for improvement. Qualys updates their test tool to check for the latest HTTPS security issues (such as the recent Heartbleed bug), so using the tool periodically can help verify that a site's HTTPS configuration remains up-to-date. Comodo and DigiCert also provide HTTPS test tools. For up-to-date HTTPS server configuration recommendations and examples, see the guides provided and maintained by Mozilla and Qualys.

What are your HTTPS best practice questions or recommendations? Post your comments below.

For more about how CTSC helps NSF projects visit