Placeholder

Customer Forum

What is the Workbooks SSL/TLS configuration? Why no A+ on SSL Labs?

Workbooks Support Posted: 2015-03-26 11:24

Connections to the Workbooks service are over secure "HTTPS" connections. One responsibility of the Workbooks Operations Team is to ensure that these connections are secure; vulnerabilities in protocols and implementation are discovered from time to time and the service configuration is changed to ensure that Workbooks remains secure.

Encryption and Ciphers

HTTPS adds an encryption layer over which web traffic can be exchanged between client and server, that layer originally used "SSL"; SSL has been superceded by TLS. Workbooks no longer supports connections over SSL because it is no longer considered secure. 

Workbooks uses widely-deployed components to implement its HTTPS stack. We update this and other components from time to time as vulnerabilities are discovered and fixed. Our TLS configuration defines the set of "Ciphers" which can be negotiated between an external client (Web browser or API client) and the Workbooks service.  The choice of ciphers to offer is a balance between a desire for maximal security and the realities that the external clients do not always support the latest ciphers. The intention is that a particular client should negotiate with the service to achieve the most secure connection they can both support.

Certificates

The other main area to consider with HTTPS is the certificates which identify the communicating parties. Certificate technology is also subject to change. For example certificates signed using "SHA-1" or 1024-bit keys are no longer considered secure so Workbooks' Extended Validation certificates are signed using newer algorithms. 

SSL Labs

A popular site to check the security of a web site is "Qualys SSL Labs". This offers a service to check the security of a website from the perspective of its SSL/TLS configuration. It is updated frequently, as vulnerabilities and exploits become publicly known. Workbooks normally scores well on this site but it doesn't always score the top grade because of the need to balance security with pragmatism.  

For example as of February 2015 it was not possible to support Microsoft Internet Explorer on Windows 7 or earlier, or IE Mobile, if we implemented the tightest "Modern" set of ciphers as recommended by Mozilla on their Security/Service SIde TLS page. Implementing the "Modern" profile would have resulted in an A+ score from SSL Labs but would have blocked a significant portion of our installed base from using the service. So we instead implemented "Intermediate" settings, retained compatibility with real-world browsers, but reduced our SSL Labs score to an A-.