WEBVTT

00:00.080 --> 00:00.530
Hey, everyone.

00:00.530 --> 00:01.490
And welcome back.

00:01.490 --> 00:08.240
Now, in today's video, we will look into the grading aspect of the SSL/TLS configuration that we might

00:08.240 --> 00:10.450
be making in a web server.

00:10.460 --> 00:17.240
Now, do remember that just getting an SSL/TLS certificate and using the HTTPS website is not the

00:17.240 --> 00:18.260
ultimate goal.

00:18.260 --> 00:23.900
And many of the organizations that do that, they get the HTTPS certificate, they modify the server

00:23.900 --> 00:29.360
configuration, and you have the HTTPS website and they say, okay, now we are all secure.

00:29.390 --> 00:32.840
But that is not the final goal.

00:32.840 --> 00:37.940
Now, setting the right web server level configuration for your SSL/

00:37.970 --> 00:42.470
TLS is one of the very important things that you need to do.

00:42.470 --> 00:49.340
So there are a lot of important configurations that you can make in your web server to improve the overall

00:49.340 --> 00:50.480
implementation.

00:50.480 --> 00:58.640
So you can have things like OCSP stapling, you can have perfect forward secrecy, you can set the recommended

00:58.640 --> 01:02.520
allowed ciphers as well as the allowed SSL/TLS version.

01:02.520 --> 01:08.220
You can have HSTS, which is HTTP Strict Transport Security, and various others.

01:08.220 --> 01:16.650
So along with having the right SSL/TLS certificates and then also making the right configuration setting

01:16.650 --> 01:23.820
within your web server, together they will improve the overall security of your website.

01:23.940 --> 01:30.930
Now there are various websites which you can use to grade your certificate as well as the configurations

01:30.930 --> 01:32.130
of your web server.

01:32.130 --> 01:38.550
So through the GUI it becomes much easier: let's say you have an HTTPS website, you can just

01:38.550 --> 01:41.820
put your website name and the grader will go through it.

01:41.820 --> 01:45.090
It will look into the configurations and it can rate you.

01:45.090 --> 01:51.810
So A+ is generally the highest rating, and certain websites even get an F, so if you grade through

01:51.810 --> 01:58.050
this, it will become much easier for you to understand whether your configurations are ideal or

01:58.050 --> 01:59.730
they are not up to the mark.

01:59.730 --> 02:05.670
So let's quickly look into one of the websites which allows you to understand these aspects.

02:05.670 --> 02:09.060
So one of the very good websites is SSL Labs.

02:09.090 --> 02:13.410
So it is ssllabs.com/ssltest.

02:13.590 --> 02:13.920
All right.

02:13.920 --> 02:15.360
So this is the website.

02:15.360 --> 02:22.710
So what you have to do is you have to basically put your hostname where your HTTPS website is running.

02:22.710 --> 02:26.520
So once you do that, you can go ahead and click submit.

02:26.520 --> 02:33.540
So now what it will do is it will automatically verify your configurations, it will check your certificates

02:33.540 --> 02:38.640
and depending on both of those aspects, it will grade your website.

02:38.640 --> 02:41.160
So it is just testing various things.

02:41.160 --> 02:43.500
So let's quickly wait for a moment here.

02:45.910 --> 02:46.570
Great.

02:46.570 --> 02:49.090
So the evaluation has been completed.

02:49.090 --> 02:53.260
And if you see, the overall rating is A, which is quite good.

02:53.530 --> 03:01.150
Now if you go a bit down, it basically shows you a lot of aspects over here.

03:02.020 --> 03:05.350
So let's go a bit up and let's do one thing.

03:05.350 --> 03:08.290
Let's open up this website in one more tab.

03:08.560 --> 03:11.200
Let's click on Test Your Server.

03:11.200 --> 03:15.070
And now here you will see that there are various other websites.

03:15.070 --> 03:20.650
It basically tells you the list of websites which have either a better rating or even a worse rating.

03:20.650 --> 03:22.600
So there is a website here.

03:22.990 --> 03:25.780
So it has an A+ rating, which is quite good.

03:25.780 --> 03:32.140
So let's open this up and we'll also look into certain other websites which do not have a good rating.

03:32.140 --> 03:34.630
So let's open one of them.

03:34.630 --> 03:36.880
So these are some random websites here.

03:36.880 --> 03:43.840
You see, even labs.internal has been tested here and it is A, so you see there are a lot of administrators

03:43.840 --> 03:50.030
who test their websites against Qualys SSL Labs because this is very useful.

03:51.430 --> 03:54.580
So speaking about unixstorm.org.

03:54.610 --> 03:56.350
So this is one of the random websites.

03:56.350 --> 03:57.840
So it really got an A.

03:58.480 --> 04:05.150
Now, if you look over here, this website has HTTP Strict Transport Security, which is HSTS.

04:05.170 --> 04:07.780
And this is something that we were discussing.

04:07.780 --> 04:13.360
This is one of the ways in which you can improve your overall security as well as the overall grade.

04:13.540 --> 04:20.620
So this same thing is not really there in labs.internal, and this is one of the reasons why it does

04:20.620 --> 04:22.090
not have the highest rating.

04:22.090 --> 04:24.430
So here the highest rating is A+.

04:24.430 --> 04:30.670
So this is the reason why you should always test your implementation on sites like this so that

04:30.670 --> 04:33.130
you can have the overall analysis.

04:33.160 --> 04:34.480
Now, speaking

04:35.860 --> 04:37.410
about one of the websites,

04:37.420 --> 04:40.560
let's look into why this really got an F.

04:40.570 --> 04:48.250
So it basically says here, you see, it even has HSTS, but it still got an F, so it is not like

04:48.250 --> 04:51.730
you just have HSTS and you'll get the highest grade.

04:51.820 --> 04:56.740
So here it says that this server is vulnerable to the DROWN attack.

04:56.740 --> 05:04.680
So now, if you go a bit down, it will show you the exact section and also give you better details.

05:04.690 --> 05:09.220
Now, there are various attacks that happen against TLS or SSL.

05:09.250 --> 05:12.670
You have POODLE, which is specifically for SSL version 3.

05:12.700 --> 05:16.060
You have the BEAST attack, you have various others.

05:16.060 --> 05:23.920
So if one of them is applicable to your website, you will immediately get a downgraded rating.

05:24.010 --> 05:27.310
Now, let me quickly show you one interesting thing here.

05:27.400 --> 05:32.530
So within your Nginx configuration, you have an include directory.

05:32.740 --> 05:38.180
So this is basically the include directory, which got automatically added after Let's Encrypt.

05:38.360 --> 05:42.920
So let me open this up in our nano editor.

05:42.920 --> 05:47.420
So within here, you can set the SSL protocols.

05:47.420 --> 05:55.130
So currently, if you see, the SSL protocols which were allowed by default were TLS version 1,

05:55.130 --> 05:57.260
1.1, 1.2.

05:57.260 --> 05:58.820
So you can override that.

05:58.820 --> 06:04.460
You can say that only the SSL protocol of TLS 1.2 would be allowed.

06:04.460 --> 06:06.110
No other would be allowed here.

06:06.140 --> 06:06.500
All right.

06:06.500 --> 06:08.390
So this is something that you can configure.

06:08.390 --> 06:10.460
So now let's try one thing.

06:11.000 --> 06:15.020
Let's also allow SSL version 3.

06:15.020 --> 06:17.990
So once you have done that, you can go ahead and save this.

06:18.140 --> 06:23.660
Let's verify with Nginx and let's go ahead and restart Nginx.

06:25.340 --> 06:26.120
Great.

06:26.120 --> 06:30.350
So once you have done that, let's go ahead and clear the cache.

06:31.770 --> 06:34.870
So that it can scan the website again.

06:34.890 --> 06:35.520
All right.

06:35.520 --> 06:37.230
So the analysis is complete.

06:37.230 --> 06:44.010
And now you see, just because SSL version 3 was allowed by the web server, the rating came

06:44.010 --> 06:45.300
down from A to C.

06:45.570 --> 06:47.130
Now you see this server.

06:47.130 --> 06:50.090
It says that this server is vulnerable to the POODLE attack.

06:50.100 --> 06:53.580
Now, the POODLE attack is specifically for SSL version 3.

06:53.580 --> 06:58.360
And this is one of the reasons why you have the later versions like TLS, which were released.

06:58.380 --> 07:05.910
So I hope you understood the improvements that you might want to make when you deploy the SSL/

07:05.940 --> 07:07.860
TLS for your website.

07:07.860 --> 07:10.130
So that's the high level overview.

07:10.140 --> 07:14.340
I hope this video has been informative for you and I look forward to seeing you in the next video.
