The ultimate resource hub for optimal SSL/TLS deployment
Welcome to our SSL/TLS Best Practices resource hub, where you'll find everything you need to keep your SSL/TLS configuration current and secure. Here you can browse our expert configuration guides on specific best practices, see the latest configuration statistics from across the web, and find links and videos to other best-practices guides. If this is your first time here, or you are just looking for a full list of best practices, download our free SSL/TLS Best Practices Checklist below:
Download SSL/TLS Best Practices Checklist
Expert Guides
Read deep-dives on Specific SSL/TLS Best Practices
SSL/TLS Best Practices Statistics
How well does the internet implement SSL/TLS best practices?
Basic Configuration Guides by Server Type
SSL/TLS Configuration Guides:
What is HSTS Preload? How to Check & Enable it
HTTP Strict Transport Security (HSTS) Preload ensures that browsers always connect to your website over HTTPS, even on the very first visit. Submitting your domain to the preload list gets it built into the browsers that ship that list, so HTTPS is enforced before the browser has ever seen your HSTS header. This article covers what HSTS preload is, how to enable it, and how to check its status using tools like CertPanel SSL…
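Before submitting a domain, it is worth checking the header against the preload list's own rules: a `max-age` of at least one year (31536000 seconds), plus the `includeSubDomains` and `preload` directives. The checker below is an added example, not code from this page or from CertPanel; the header values it tests are constructed. The preload list also requires a valid certificate, an HTTP to HTTPS redirect on the same host, and HTTPS on every subdomain, which a header check alone cannot prove.

```python
"""Check a Strict-Transport-Security header against the HSTS preload
submission requirements. Added example; the header strings passed to
preload_problems() below are constructed, not captured from a real site."""
import http.client
from typing import Dict, List, Optional

# hstspreload.org requires max-age of at least one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value (RFC 6797 section 6.1) into a directive map.
    Directive names are case-insensitive; a directive without a value maps to
    None. A directive that appears twice makes the header invalid."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(header: Optional[str]) -> List[str]:
    """Return the preload requirements the header fails; [] means eligible."""
    if not header:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} < {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def fetch_hsts(host: str, timeout: int = 10) -> Optional[str]:
    """Live check (network): HEAD the site over HTTPS and return the HSTS
    header, or None if the server does not send one."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.request("HEAD", "/", headers={"Host": host})
    try:
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    hdr = fetch_hsts(sys.argv[1]) if len(sys.argv) > 1 else \
        "max-age=63072000; includeSubDomains; preload"   # constructed sample
    print(hdr, "->", preload_problems(hdr) or "eligible for preload")
```

Run it with a hostname to test a live site, or with no arguments to see the constructed sample pass. Remember that preloading is effectively permanent: once a domain is in the list, every subdomain must stay HTTPS-only, because removal takes months to reach users.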
What is OCSP Stapling & How does it Work?
OCSP stapling is a performance-enhancing and privacy-protecting extension to the Online Certificate Status Protocol (OCSP), the protocol used to check whether an SSL/TLS certificate has been revoked. Without OCSP stapling, the browser contacts the Certificate Authority's (CA) OCSP responder directly to verify the certificate's status, which adds latency and tells the CA which sites the user is visiting. When OCSP stapling is enabled, the server attaches (or…
Do I need a CAA Record? How to Check & Add One
A CAA (Certification Authority Authorization) record is a DNS record that lets domain owners specify which Certificate Authorities (CAs) may issue SSL/TLS certificates for their domain. Publicly trusted CAs are required to check CAA before issuing and must refuse if they are not listed, so only the CAs you approve can issue, which cuts down the chance of certificate…
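To see what a CA actually does with these records, the following added example (not code from this page, and not any CA's real implementation) walks the RFC 8659 decision: climb from the requested name to its parents until a CAA RRset is found, honour `issuewild` over `issue` for wildcard names, and refuse when a critical flag carries an unrecognised tag. The zone data is constructed; `example.com` and the CA names are placeholders.

```python
"""Evaluate CAA records the way a CA must before issuing (RFC 8659).
Added example; CONSTRUCTED_ZONE is made-up DNS data, not a real zone."""
from typing import Dict, List, Optional, Tuple

CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags byte

Record = Tuple[int, str, str]  # (flags, tag, value)

# Constructed records: owner name -> CAA RRset.
CONSTRUCTED_ZONE: Dict[str, List[Record]] = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "issuewild", ";"),      # ';' = nobody may issue wildcards
                    (0, "iodef", "mailto:security@example.com")],
    "api.example.com": [(0, "issue", "digicert.com")],
    "odd.example.com": [(CRITICAL, "future-tag", "something")],
}


def relevant_rrset(name: str, zone: Dict[str, List[Record]]):
    """RFC 8659 section 3: start at the FQDN and climb to each parent until a
    CAA RRset exists. Returns (owner, records), or (None, []) if none found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, zone[owner]
    return None, []


def issuer_domain(value: str) -> str:
    """The issuer-domain-name is the value up to the first ';'; parameters
    after it are ignored here. An empty name means 'no CA may issue'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, zone: Dict[str, List[Record]]) -> Tuple[bool, str]:
    """Decide whether the CA identified by issuer-domain-name `ca` may issue
    a certificate for `name` (which may be a wildcard such as '*.example.com')."""
    wildcard = name.startswith("*.")
    query = name[2:] if wildcard else name   # wildcards use the parent's RRset
    owner, records = relevant_rrset(query, zone)
    if owner is None:
        return True, "no CAA records found in the tree: issuance is not restricted"
    # An unrecognised tag with the critical flag set means the CA MUST NOT issue.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"unrecognised critical tag '{tag}' at {owner}"
    # Wildcard requests are governed by issuewild when present, else by issue;
    # non-wildcard requests ignore issuewild entirely.
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    allowed = [issuer_domain(v) for _, t, v in records if t.lower() == tag]
    if not allowed:
        return True, f"no '{tag}' property at {owner}: issuance is not restricted"
    if ca.lower() in allowed:
        return True, f"{ca} authorised by '{tag}' at {owner}"
    return False, f"{ca} not in '{tag}' set at {owner}: {allowed}"


if __name__ == "__main__":
    for req in [("www.example.com", "letsencrypt.org"), ("www.example.com", "digicert.com"),
                ("*.example.com", "letsencrypt.org"), ("*.api.example.com", "digicert.com"),
                ("odd.example.com", "letsencrypt.org")]:
        print(req, "->", may_issue(*req, CONSTRUCTED_ZONE))
```

The practical consequence of the climb is that a CAA record on `example.com` covers every subdomain that has no CAA RRset of its own, while a record on `api.example.com` replaces (not extends) the parent's policy for that name. Check your live records with `dig CAA example.com` and remember that CAA constrains issuance only; it does nothing for a certificate that was already issued.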
How to Configure OCSP Stapling on an Apache HTTP Server
OCSP Stapling improves SSL/TLS performance by having your Apache web server include the certificate's current revocation status in the TLS handshake. This spares clients an extra request to the Certificate Authority's (CA) OCSP responder, reducing latency and improving page load times. In this tutorial, we will take you through enabling OCSP Stapling…
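Whether the server in question is Apache or anything else, the way to confirm that stapling is really on (for the OCSP stapling explanation above as well as the Apache how-to) is to ask for a stapled status during a handshake and look at what comes back. The script below is an added example, not code from this page or from the Apache project: it drives `openssl s_client -status` and reduces its output to a small result. The two transcripts in `SAMPLE_OUTPUT` are constructed and abbreviated, not captured from any real host.

```python
"""Check whether a TLS server staples an OCSP response by running
`openssl s_client -status` and parsing its output. Added example; the
transcripts in SAMPLE_OUTPUT are constructed, not captured from a real host."""
import re
import subprocess
from typing import Dict, Optional

SAMPLE_OUTPUT = {
    # Constructed: shape of s_client output when the server staples a good response.
    "stapled": (
        "CONNECTED(00000003)\n"
        "OCSP response: \n"
        "======================================\n"
        "OCSP Response Data:\n"
        "    OCSP Response Status: successful (0x0)\n"
        "    Response Type: Basic OCSP Response\n"
        "    Cert Status: good\n"
        "    This Update: Jan  1 00:00:00 2024 GMT\n"
        "    Next Update: Jan  8 00:00:00 2024 GMT\n"
        "======================================\n"
    ),
    # Constructed: shape of s_client output when nothing is stapled.
    "missing": "CONNECTED(00000003)\nOCSP response: no response sent\n",
}


def parse_stapling(output: str) -> Dict[str, Optional[object]]:
    """Reduce s_client -status output to {stapled, cert_status, next_update}.
    cert_status is 'good', 'revoked' or 'unknown' when a response is stapled."""
    if "OCSP response: no response sent" in output or "OCSP Response Data:" not in output:
        return {"stapled": False, "cert_status": None, "next_update": None}
    status = re.search(r"^\s*Cert Status:\s*(\w+)", output, re.M)
    nxt = re.search(r"^\s*Next Update:\s*(.+)$", output, re.M)
    return {
        "stapled": True,
        "cert_status": status.group(1) if status else None,
        "next_update": nxt.group(1).strip() if nxt else None,
    }


def check_stapling(host: str, port: int = 443, timeout: int = 10) -> Dict[str, Optional[object]]:
    """Live check (network): connect with SNI and request a stapled status.
    Empty stdin makes s_client exit after the handshake instead of waiting."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    # s_client prints the OCSP block on stdout; handshake errors go to stderr.
    return parse_stapling(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_stapling(sys.argv[1]))
    else:
        for label, text in SAMPLE_OUTPUT.items():
            print(label, "->", parse_stapling(text))
```

On Apache, stapling comes from mod_ssl: `SSLUseStapling on` in the TLS virtual host, with an `SSLStaplingCache` (for example `shmcb:logs/ssl_stapling(32768)`) declared at server level outside any `<VirtualHost>`. Two things make the check above report `stapled: False` even with those directives in place: the certificate has no OCSP responder URL in its Authority Information Access extension, or the server cannot reach that responder to fill its cache, in which case the first handshakes after a restart go out unstapled.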
SSL/TLS Configuration Statistics
When you visit a website that displays the padlock, you might assume it's secure. But how many of those sites have actually configured secure encryption? How many websites follow basic SSL/TLS best practices? We took the top 100 websites (by traffic) and compared their SSL/TLS configurations to a random cross-section of sites across the web. See how they stack up (note that two rows measure the opposite of a best practice: TLS 1.0 and TLS 1.1 are deprecated by RFC 8996, so a lower percentage is better there):
SSL/TLS Best Practice | Top 100 websites | Random Cross-section |
---|---|---|
Disabled SSL v2 | 100% | 99.82% |
Disabled SSL v3 | 99% | 98.42% |
Has TLS 1.0 (deprecated) | 40% | 23.47% |
Has TLS 1.1 (deprecated) | 41% | 25.04% |
Has TLS 1.2 | 100% | 60.42% |
Has TLS 1.3 | 86% | 60.77% |
HSTS Offered | 55% | 16.81% |
HSTS Preload Enabled | 30% | 0.09% |
Has CAA Record | N/A | 4.38% |
Has OCSP Stapling | N/A | 35.55% |
HTTP redirects to HTTPS | 71% | 76.97% |
Has Intermediate Certificate | N/A | 72.24% |
SSL/TLS Deployment Best Practices Course:
Learn the basic components of SSL/TLS configuration from Ivan Ristić, the creator of SSL Labs. Drawn from his book Bulletproof SSL and TLS, the following video covers configuration best practices for keys, certificates, protocols, cipher suites, and more.
Video Contents:
- Keys: Algorithms, Size, & Management
- Certificates: Validation, Hostnames, Sharing, Lifetime, Signature Algorithms, & Chain Correctness
- Protocol Configuration
- SSL Pulse: Protocol Support, Forward Secrecy
- Suites: Configuration, Compatibility, & New Suites Coming Soon