Google Chrome has started to show sites that still use certificates signed with the old SHA-1 algorithm as not verified. https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/
Sites with SSL certificates that expire before January 1, 2016 won’t be affected, but sites with certificates that expire later will need to have their certificates reissued.
“Early 2015 – Chrome 41: Sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.
Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domain will be treated as “active mixed content”. The current visual display for “affirmatively insecure” is a lock with a red X, and a red strike-through text treatment in the URL scheme.”
The remedies for this are to:
- Disable SSL V1, V2 and V3 https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
- Disable the RC4 cipher (same link)
- Upgrade your SSL certificate to one signed with SHA-2.
- If possible, use DNSSEC
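To see which of the three treatments quoted above a given chain would receive, here is an added Python example (not code from the original post): it pulls the signature algorithm OID out of a DER-encoded certificate with a minimal parser and applies the Chrome 41 date rules. The `fake_cert` helper and its sample certificates are constructed stand-ins, not real certificates; for a live host you would feed `chrome41_verdict` the DER bytes of the leaf and intermediates (Chrome did not count a root's self-signature).

```python
from datetime import date
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSAEncryption, ecdsa-with-SHA1 (RFC 3279/5758)

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample certificates below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted form (first byte = 40*arc1+arc2, then base-128 arcs)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear: this byte ends the arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def signature_oid(cert_der: bytes) -> str:
    """Outer signatureAlgorithm of Certificate ::= SEQUENCE { tbsCertificate, AlgorithmIdentifier, BIT STRING }."""
    _, body, _ = read_tlv(cert_der, 0)         # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, body)   # skip tbsCertificate entirely
    _, alg, _ = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(cert_der, alg)  # its first element is the algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(cert_der[start:end])

def chrome41_verdict(leaf_not_after: str, chain_der: list) -> str:
    """Chrome 41 treatment per the quoted policy; leaf_not_after is 'YYYY-MM-DD', chain_der is leaf + intermediates."""
    not_after = date.fromisoformat(leaf_not_after)
    sha1_in_chain = any(signature_oid(c) in SHA1_SIG_OIDS for c in chain_der)
    if not sha1_in_chain or not_after < date(2016, 1, 1):
        return "secure"                        # no SHA-1 in the chain, or expires before 2016: not affected
    if not_after <= date(2016, 12, 31):
        return "secure, but with minor errors"
    return "affirmatively insecure"

def fake_cert(sig_oid_contents: bytes) -> bytes:
    """Constructed stand-in for a real certificate: only the outer structure matters to signature_oid()."""
    tbs = der(0x30, b"\x00" * 300)             # oversized so the long-form length path is exercised
    alg = der(0x30, der(0x06, sig_oid_contents) + der(0x05, b""))  # AlgorithmIdentifier { OID, NULL }
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
```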
There are more things you can do proactively to protect your sites. Some must be dealt with by the IT organization, but some can be done on the servers.
Check out these links:
PEN test your site
https://asafaweb.com/
Other PEN testing tools
PEN test the infrastructure
https://www.ssllabs.com/ssltest/analyze.html
OWASP is a great resource for web security. Here you can find almost everything you'll ever need regarding web security.
Cheat sheet
https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
And Troy Hunt has a great Pluralsight course, a top 10 ASP.NET list to check:
http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks
This is how you disable excessive response headers:
http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
<!-- web.config: stops ASP.NET from emitting the X-AspNet-Version response header -->
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>
The MVC version is also easy, although it does require us to touch code. Over in the Global.asax, we want to jump into the Application_Start event and add the following:
// Global.asax, inside Application_Start: removes the X-AspNetMvc-Version response header
MvcHandler.DisableMvcResponseHeader = true;
I hope these tips can help you get a more secure site.