Slaying the SSL Certificate Beast with Only One Swing of Your Sword

It’s a simple fact that anything accessed via the web should be protected with SSL encryption. If you support many systems, this can be a serious challenge. Especially if any of those systems are legacy or developed by a group who doesn’t share your views on security. The truth is, however, that you can secure all your systems all at once.

The Backstory to the Saga

The way that your web browser communicates with a web site hasn’t changed much over the years. There has been changes, but the evolution is very slow. The protocol for communication is also very simple. It’s a simple language to understand and a trivial thing to build into your application. In fact, many modern platforms have the capability built in. This has led to many applications providing web sites or web services in a direct manner.

caveman working on a computer

There is a stark contrast with encryption. Encryption has evolved considerable in the same period. This has been driven by an exponential increase in computer speed and ongoing research into the relative strengths of different approaches. It’s almost like fighting a disease. It’s taking constant effort to stay ahead of the evolution. This ultimately means that there is considerable ongoing work to keep web communications secure.

An application which accepts web communication may have some SSL support. It’s common for that support to be out-of-date. Or may not exist at all.

Additionally, SSL certificates require regular renewals and can be expensive. The renewal process generally involves manual steps and can differ with each application. As the number of web systems you manage increases, so does the headache of SSL.

Take the Fight Elsewhere

The benefit of SSL relates to who you can trust. When you log onto your bank’s website, the communication between your web browser and the bank’s web servers crosses a large network. Many pieces of this network are controlled by organizations that neither you nor the bank can trust. The data could be monitored by malicious parties and you wouldn’t be able to detect it. SSL encrypts your communications in a way where only you and the bank can understand the message.

Man-in-the-middle attack

When you are hosting a web system there will be a local network that you control which is isolated from the rest of the world. You can trust communication on this small part of the wider network. You needn’t have the actual encryption happen at the application itself. It can happen anywhere within your trusted network. This means that you can put a system in place which has the sole responsibility of handling SSL encryption for communication outside of your trusted network. This system is called a proxy.

Proxies have additional purposes, but they are key in managing SSL across many systems. Users who want to communicate with the web system are really communicating with the proxy. The proxy independently communicates with your web system but relays the message along in both directions. The user-to-proxy communication is protected with SSL encryption while the proxy-to-system communication is not. This is safe when the proxy and your web system are on the same trusted network.

What it Takes to Win the Day

A single proxy can handle the traffic for all the web systems in a single trusted network. If you have systems separated by the Internet (or any untrusted network) then you should deploy a proxy in each trusted network. The hostnames for each system should point to the proxy and the proxy will be configured to relay the communication to the appropriate web server.

Because all SSL encryption is handled by your proxy, all your SSL certificates will also be deployed to a single location. This means you only need to learn the process for a single system. If you wish to automate the renewals, you only need to build and maintain a single piece of automation.

Maintenance of the proxy system is vital because of the security it is providing, but it is a single focused point. You can focus efforts to update software and perform audits in a single place. You should also consider putting monitoring in place to watch the health of your SSL certificates.

Additional Resources

An amazing open source proxy that you should check out is HAProxy. If you want to get trusted SSL certificates for free and automate your workflow you should investigate Let’s Encrypt. To keep an eye on your SSL certificates you can leverage StatusCake.