Security & SSL Certificate

Basics

  • Your SSL Certificate needs to be updated if you see an "unsafe" warning, a "not private" warning or a crossed-out HTTPS on the Portal.
  • You likely won't have to pay for a new SSL Certificate. If the current certificate has not expired, most certificate authorities will reissue (re-key) it at no charge; you only pay when the certificate itself is renewed.
  • Google Chrome and the other major browsers enforce a maximum validity period for SSL Certificates (39 months at the time this article was written). This has nothing to do with MinistryPlatform; it is a policy of the browsers and the certificate authorities that make up the SSL internet infrastructure.
  • When you get a new SSL Certificate, make sure it uses current standards: a SHA-256 signature and a key of at least 2048 bits (RSA). Browsers no longer accept certificates signed with SHA-1.


 
Encryption

In general, good security practices dictate that you should explicitly disable every outdated SSL/TLS protocol version and enable only the versions that are required. To do so:
 
Disable all SSL/TLS protocol versions except TLS 1.0 (required by the Portal) and TLS 1.2. Keep in mind that TLS 1.0 is itself deprecated: treat it as a compatibility exception for the Portal, and disable it as soon as the Portal no longer requires it.
To disable SSL 2.0 and SSL 3.0, make sure the following entries are in the server's Registry (if they are not in the Registry, add them):
  • Under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  • Client Keys: SSL 2.0 >Client, SSL 3.0 >Client
    • Both of these client keys require a DWORD (32-bit) value as follows: NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 1 (adding NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 0 as well is harmless and makes the intent explicit)
  • Server Keys: SSL 2.0>Server, SSL 3.0>Server
    • Both of these server keys require two DWORD (32-bit) values as follows: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 0 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 1
 
Enable TLS 1.0 and TLS 1.2
  • Client Keys: TLS 1.0>Client, TLS 1.2>Client:
    • Both of these client keys require a DWORD (32-bit) value as follows: NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 0
  • Server Keys: TLS 1.0>Server, TLS 1.2>Server:
    • Both of these server keys require two DWORD (32-bit) values as follows: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 1 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 0 (Enabled 0 with DisabledByDefault 1 is the "off" combination and would switch the protocol off on the server side)
Schannel reads these values when the system starts, so reboot the server after changing them and re-test the Portal afterwards.
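The following PowerShell script is an added example, not part of the MinistryPlatform article, that applies the registry settings above in one pass and reads them back for verification. It must be run from an elevated (Administrator) PowerShell prompt. The function name Set-SchannelProtocol is the example's own, and it assumes, following the instruction to enable only TLS 1.0 and TLS 1.2, that TLS 1.1 should be disabled together with SSL 2.0 and SSL 3.0.

```powershell
# Added example (not from the MinistryPlatform article): apply the Schannel
# protocol settings described above and read them back. Run as Administrator.
# Assumption: TLS 1.1 is treated as "not required" and is disabled along with
# SSL 2.0 and SSL 3.0, since the article enables only TLS 1.0 and TLS 1.2.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,    # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enable   # $true = on, $false = off
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Name\$side"
        # The Protocols subkeys do not exist by default; create them as needed.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 / DisabledByDefault=0 turns the protocol on,
        # Enabled=0 / DisabledByDefault=1 turns it off, for both roles.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

'SSL 2.0', 'SSL 3.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enable $false }
'TLS 1.0', 'TLS 1.2'            | ForEach-Object { Set-SchannelProtocol -Name $_ -Enable $true }

# Read every Client/Server subkey back so the result can be checked before rebooting.
Get-ChildItem $base -Recurse |
    Where-Object { $_.PSChildName -in 'Client', 'Server' } |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Protocol          = Split-Path $_.PSParentPath -Leaf
            Side              = $_.PSChildName
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    } | Format-Table -AutoSize
```

The table printed at the end should show Enabled 1 / DisabledByDefault 0 only for the TLS 1.0 and TLS 1.2 rows. Schannel picks the new values up at the next boot, so reboot the server and then confirm the result with an external scan such as the Qualys SSL Labs test mentioned below.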

Additional Tips

For a page to pass the browser "lock test" (i.e., indicate that a page is secure by showing a green lock or some similar icon by the URL) you will also need to make sure that:
  • There are no images on the page served from an HTTP (non-secured) site. This may mean that all Portal images have to be served from the same IIS server as the Portal.
  • CSS does not load images or other items from an unsecured site.
  • There are no HTML forms whose "action" points to an unsecured site.
The utility linked here scans a URL and identifies such mixed-content issues.
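As an added example that is not part of the article, the PowerShell function below performs the three checks listed above on a page's HTML: it extracts src, href and action attributes plus CSS url(...) references and reports any that use plain http://. The HTML in $html is a constructed sample, not a real Portal page, and the function name Find-MixedContent is the example's own.

```powershell
# Added example (not from the MinistryPlatform article): find references that
# would break the browser lock on an HTTPS page. $html is a constructed sample.
$html = @'
<html><head>
<link rel="stylesheet" href="https://portal.example.org/css/site.css">
<style>.hero { background: url(http://cdn.example.org/bg.jpg); }</style>
</head><body>
<img src="https://portal.example.org/img/logo.png">
<img src="http://images.example.org/banner.png">
<script src="//static.example.org/app.js"></script>
<form action="http://portal.example.org/login" method="post"></form>
</body></html>
'@

function Find-MixedContent {
    param([Parameter(Mandatory)] [string] $Html)
    # Group 1 = what kind of reference it is, group 2 = the URL itself.
    $patterns = @(
        '(?i)\b(src|href|action)\s*=\s*["'']?([^"''\s>]+)',   # HTML attributes
        '(?i)\b(url)\(\s*["'']?([^"''\)\s]+)'                  # CSS url(...)
    )
    foreach ($pattern in $patterns) {
        foreach ($m in [regex]::Matches($Html, $pattern)) {
            $url = $m.Groups[2].Value
            # Only an explicit http:// scheme is mixed content. Protocol-relative
            # URLs (//host/path) inherit https from the page and are fine.
            if ($url -match '^http://') {
                [pscustomobject]@{ Kind = $m.Groups[1].Value.ToLower(); Url = $url }
            }
        }
    }
}

Find-MixedContent -Html $html | Format-Table -AutoSize
```

Run against the sample, it reports three findings: the CSS background image, the second img tag and the form action, while the https:// stylesheet and the protocol-relative script are left alone. To check a live Portal page, replace $html with the result of Invoke-WebRequest, and bear in mind that a regex scan only sees the static HTML; content inserted by scripts after the page loads must be checked in the browser's developer console.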
 
Additionally, it is wise to submit your site to the SSL Server Test from Qualys SSL Labs. This site scans a URL and returns a grade from A+ down to F based on the certificate, protocol support, key exchange and cipher strength, so it will also show whether the protocol changes above took effect.
 

Last Modified: 4/7/2018
