A+ SSL rating from your ELBs in Early 2015

Lately we have seen several vulnerabilities that affect how secure HTTP connections get formed. This ones included POODLE and Heartbleed. Also, RC4 has become an unwanted protocol in newer browsers.

All the modern browsers use the latest cipher techniques in order to get the most robust HTTPS connection, but unfortunately, if your website has lots of users, many of them will use older browsers on top of older operating systems, which becomes tricky for system administrators, who try to keep the systems secure.

On February 12,  2015, AWS has released a new policy for their Elastic Load Balancers, that basically has removed support for RC4, disabling users of Internet Explorer 8 over Windows XP to connect to the ELBs.  This new policy has been named ‘ELBSecurityPolicy-2015-02’.

SSLLabs is a great tool that tests the configuration of web servers (or Load Balancers) that are serving HTTPS, and gives back a rating and a detailed list of the configuration and potential security holes. Usually it is useful for checking the installation of the certificates, plus checking the cipher strength and a quick vulnerability assessment.

When using the new ELB security policy, you can get an ‘A’ rating, but dropping support for IE8/WinXP. In order to keep your ‘A’ and make the ELB to work with that browser, you can create a custom policy, where you use the same settings as the ELBSecurityPolicy-2015-02 and you also enable the following cipher sets:

DES-CBC3-SHA
DHE-RSA-AES256-SHA

After that, you test again and you still have your ‘A’ rating, plus you support poor old IE8/WinXP.

Keep in mind that there is an ‘A+’ rating, that you can get only by having an ‘A’ plus the Strict Transport Security (HSTS) header coming from your backend servers.

Hope this helps businesses that need to support users with old technologies but trying to keep as secure as possible.

For a world with more secure sites!