Requirement
Websites should automatically load over HTTPS and use good SSL configuration.
Good configuration means:
- Use strong protocol versions and cipher suites.
- Set the HSTS (HTTP Strict Transport Security) response header.
- Earn a grade between A and B on a Qualys SSL Scan.
Note to applicants: Mitigate-5 Certifications expire at the end of each calendar year. Renewal is automatic and does not require a new application. Re-verification checks are done between November and December of each year.
Note to applicants: If any aspect of this requirement is unclear, please contact us.
Why implement HTTPS
HTTPS is implemented by obtaining an SSL certificate from a certificate authority (CA). An SSL certificate can be purchased or obtained for free.
Mitigate-5 requires HTTPS for the following four (4) core reasons:
- Encryption: HTTPS encrypts the traffic between a user's browser and your website/web application to protect it from sniffing and other forms of interception.
- Data integrity: HTTPS protects data from being modified or corrupted during transfer, intentionally or otherwise, without the change being detected.
- Authentication: HTTPS proves to users' browsers that they are communicating with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
- HTTPS is the future baseline of web security, and search engines (such as Google) will treat HTTPS-enabled sites with preference in their search results.
There can be several options for implementing HTTPS on a corporate website, depending on how the website is hosted. Unsure website owners should consult their internal technical team or hosting provider.
Many web hosting companies have their own way to implement HTTPS on websites they host. They usually provide a helpful guide in their support area.
Before buying an SSL Certificate
- Understand the different types of coverage (i.e. Single domain, Multi-domain, Wildcard)
- Change hard-coded URLs to relative URLs to prevent browsers highlighting mixed content warnings to users after HTTPS is active.
- Check for crawling and indexing issues. Remove entries from the robots.txt file that block crawlers from the HTTPS version of the site. Avoid the noindex meta tag in the source code of web pages.
After buying an SSL Certificate
- Check for old protocol versions that are known to be vulnerable and disable them, e.g. SSLv3 and TLSv1.0–1.1. Upgrade your TLS libraries as stronger versions are released over time.
- Check for SSL errors. WhyNoPadLock.com (https://www.whynopadlock.com) can be used to automate this check.
- Set the HSTS (HTTP Strict Transport Security) Response Header.
- Set up server-side redirects (HTTP status 301) from HTTP to HTTPS (e.g. via apache.conf, .htaccess or other redirect options from your hosting provider).
- Set up an auto-renew process. Without one, there is a risk that the SSL certificate expires a year later and browsers then show users a warning that your site is unsafe (because the certificate is now invalid).
- Avoid certificate mismatch. Use a certificate that covers the domain and sub-domains your website uses, or browsers will warn users that the site is unsafe (because the certificate does not match the domain it is served from).
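The checklist above (301 redirect, HSTS header, no deprecated protocol versions, certificate covering the hostname) can be turned into an automated check. The following is an added example, not code from the Mitigate-5 page: it audits constructed scanner observations offline, and the one-year HSTS max-age threshold and the `Observation` record layout are assumptions.

```python
# Added example, not from the Mitigate-5 page: checks a site's observed HTTPS
# facts against the post-certificate checklist (constructed inputs, no network).
from dataclasses import dataclass

DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # versions named on the page
MIN_HSTS_MAX_AGE = 31536000  # one year; an assumed threshold, not from the page

@dataclass
class Observation:
    hostname: str
    http_status: int               # status of the plain-HTTP request
    http_location: str             # its Location header ("" if none)
    https_headers: dict[str, str]  # response headers over HTTPS
    tls_protocol: str              # protocol the client negotiated
    cert_names: list[str]          # names (CN/SAN) the certificate covers

def cert_matches(hostname: str, names: list[str]) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    host = hostname.lower()
    for name in (n.lower() for n in names):
        wildcard = name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count(".")
        if name == host or wildcard:
            return True
    return False

def audit(obs: Observation) -> list[str]:
    """Return the checklist items the observation fails (empty list means pass)."""
    findings = []
    if obs.http_status != 301 or not obs.http_location.startswith("https://"):
        findings.append("no 301 redirect from HTTP to HTTPS")
    hsts = {k.lower(): v for k, v in obs.https_headers.items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:  # directives are 'name=value' pairs separated by ';' (RFC 6797)
        directives = {k.strip().lower(): v.strip() for k, _, v in
                      (p.partition("=") for p in hsts.split(";")) if k.strip()}
        max_age = directives.get("max-age", "0")
        if not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
    if obs.tls_protocol in DEPRECATED_PROTOCOLS:
        findings.append("deprecated protocol negotiated: " + obs.tls_protocol)
    if not cert_matches(obs.hostname, obs.cert_names):
        findings.append("certificate does not cover " + obs.hostname)
    return findings

# Constructed samples: a compliant deployment and one that fails every check.
GOOD = Observation("www.example.com", 301, "https://www.example.com/",
                   {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                   "TLSv1.3", ["example.com", "*.example.com"])
BAD = Observation("www.example.com", 200, "", {}, "TLSv1.0", ["example.com"])
```

`audit(GOOD)` returns an empty list, while `audit(BAD)` lists all four defects; in practice the `Observation` fields would be filled from a real scan rather than constructed.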