Securing Apache servers

When we want to secure and encrypt a connection to a web page, what we usually do is generate (or buy) a digital certificate, install it on the server and check that, when we connect over https, the green padlock appears. From the user's point of view this produces a false sense of security, because what happens if the certification authority has revoked the certificate, or if someone is performing a Man-In-The-Middle attack on us?

To avoid this, there are protocols such as SSL, TLS, OCSP, HSTS or SNI.

In the case of SSL and TLS, we should choose TLS and discard SSL, above all SSL v3, because it has a serious security flaw.

OCSP (Online Certificate Status Protocol) is a protocol for checking the revocation status of an X.509 digital certificate. OCSP does not encrypt the communication; it only states that a given host uses a given certificate, so that information can be intercepted. One of the concerns about OCSP is that it requires the client to connect to a third party to verify the validity of the certificate. To spare the client that uncertainty, OCSP Stapling was developed. The host we connect to regularly contacts its CA (Certification Authority), which issues it a time-limited, signed 'ticket' that is appended at the end of the TLS negotiation. This way the end user avoids having to contact the CA.

<————————————————————————————->

Overview

Although encrypted web traffic protects users, it requires additional steps to verify integrity and confidentiality. One of these steps is determining whether or not the SSL certificate used to secure a website is still valid, or whether it has expired or been revoked.

The only way to verify the current status of a certificate is to ask its vendor. Since the vendor maintains key information about the certificate including expiration date and any actions performed on the certificate, browsers ensure user safety by requesting certificate information from the vendor instead of from the web server.

How OCSP Stapling Works

The Online Certificate Status Protocol (or OCSP) is a way for a web browser to determine the validity of an SSL certificate by verifying with the vendor of the certificate. While OCSP improves security, it causes websites to load slower since the browser has to communicate with the web server and the vendor. With OCSP stapling, the web server downloads a copy of the vendor’s response which it can deliver directly to the browser.

Here’s a rundown of how OCSP stapling works:

1. A web server hosting an SSL-encrypted website queries the certificate vendor. The vendor responds with the status of the certificate and a digitally signed time-stamp. Digitally signing the response makes it difficult for the web server to modify it.
2. When a web browser connects to the server, the server bundles (or “staples”) the vendor’s signed time-stamp with the SSL certificate.
3. The browser verifies the time-stamp. Since the time-stamp is signed by the vendor, the browser can trust the time-stamp to provide a valid status.
4. Based on the OCSP response, the browser either opens the page or shows an error message to the user.

OCSP stapling shifts the burden of handling OCSP requests from certificate vendors to web hosts. By doing so, it helps SSL connections perform faster while preventing users from transmitting sensitive browsing information to third parties.

Example of OCSP Stapling

Say a user decides to visit MaxCDN.com. Since the website is SSL encrypted, the status of the certificate needs to be determined by the certificate’s vendor (in this case, GoDaddy.com). With plain OCSP, the browser would query GoDaddy directly, resulting in a slower load time. Additionally, the user would have to provide GoDaddy with MaxCDN’s URL, which allows GoDaddy to determine who browsed which site at which time.

With OCSP stapling, MaxCDN periodically queries GoDaddy and caches a response which is then provided to the browser. The age of the response is verified by the time-stamp and the vendor’s digital certificate, preventing the server from tampering with the response. More importantly, OCSP stapling allows the website to load faster while ensuring the user’s privacy.

Benefits of OCSP Stapling

OCSP stapling ensures the safety and privacy of confidential data with minimal intervention from web hosts.

- Users experience faster load times for secure content since their browsers have to make fewer third-party requests.
- Enterprises see higher customer satisfaction since secure content can be delivered to users more quickly.

Enabling OCSP Stapling

OCSP stapling is supported by most modern web browsers and is enabled by default in IIS. For Apache and Nginx, enabling OCSP stapling requires additional directives in the site’s virtual host file.

From: https://www.maxcdn.com/one/visual-glossary/ocsp-stapling/?utm_source=text

<———————————————————————————————->

How to configure OCSP Stapling in Apache >= 2.4

# The stapling cache must be declared once at server (global) level, outside
# any VirtualHost: with SSLUseStapling on and no cache, Apache refuses to start.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>

    SSLEngine on
    SSLCertificateFile /path/to/signed_certificate
    # Since 2.4.8 the intermediate chain may instead be appended to SSLCertificateFile
    SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile /path/to/private/key

    SSLUseStapling on
    # Give up on the OCSP responder after 5 seconds rather than stalling handshakes
    SSLStaplingResponderTimeout 5
    # Do not staple responder error replies; a failed fetch simply means no staple
    SSLStaplingReturnResponderErrors off

</VirtualHost>
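Once the directives above are in place, the thing to confirm is that clients actually receive the stapled response described in the rundown (steps 2 and 3). The following is an added example, not part of the original post or of Apache: it classifies the output of `openssl s_client -status` (assumed to be available for the live check; the classification itself runs on captured text and uses constructed sample output).

```shell
#!/bin/sh
# Added example (not from the original post). classify_stapling reads the
# output of `openssl s_client -status` on stdin and prints one of:
#   STAPLED_GOOD, STAPLED_REVOKED, STAPLED_OTHER, NO_STAPLE
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo NO_STAPLE ;;
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo STAPLED_GOOD ;;
                *"Cert Status: revoked"*) echo STAPLED_REVOKED ;;
                *)                        echo STAPLED_OTHER ;;
            esac ;;
        *) echo NO_STAPLE ;;
    esac
}

# check_stapling HOST [PORT]: live check against a server you operate.
# Sends SNI so the right VirtualHost answers; returns 0 only on STAPLED_GOOD.
check_stapling() {
    host=$1; port=${2:-443}
    result=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                 -servername "$host" -status 2>/dev/null | classify_stapling)
    echo "$host:$port -> $result"
    [ "$result" = STAPLED_GOOD ]
}

# Constructed sample outputs (trimmed), modelled on the lines openssl prints.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
```

A NO_STAPLE result right after a restart is normal until Apache has fetched its first response; if it persists, check that SSLStaplingCache is set globally and that the server can reach the responder URL in the certificate.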