Virtualization Technology News and Information
Top Questions to Ask When Selecting SSL Protection Solutions


Choosing an SSL protection solution is complicated. If you don't ask the vendor the right questions, you may end up with a below-par solution and inadequate SSL/TLS security. This article discusses the critical questions to ask when selecting an SSL protection solution. 

Top 7 Questions to Ask While Choosing Your SSL Protection Solution 

1.      What version of SSL will you provide?

Browsers have deprecated TLS 1.0 and TLS 1.1 (formally deprecated in RFC 8996) and have refused SSL 2.0 and SSL 3.0 for years, so the SSL protection solution must negotiate TLS 1.2 or TLS 1.3 and disable the older versions outright. This gives stronger protection for data in transit and prevents browsers from marking your website 'Not Secure' even though it presents a certificate. 

2.      What cryptographic algorithms and encryption keys are used? 

For the asymmetric keys used in the SSL/TLS handshake (the certificate key and the key exchange), a 2048-bit RSA key is the accepted minimum. Smaller keys are unsafe, and much larger keys (4096 bits and up) add a heavy computational burden to every handshake for little practical gain; a 256-bit ECC key gives comparable or better strength at far lower cost. The symmetric session keys used after the handshake must be 128 to 256 bits (AES-128, AES-256 or ChaCha20). 

Certificate signatures must use a SHA-2 hash (SHA-256 or stronger), not the outdated SHA-1, which is susceptible to collision attacks (a practical collision was demonstrated in 2017) and is rejected by modern browsers. Note that the hash is used for signing and integrity, not for encrypting data; the encryption itself is done by the session cipher. 

The two public-key algorithms in use for certificates are RSA and ECC. RSA's security rests on the difficulty of factoring large integers. ECC's rests on the elliptic-curve discrete logarithm problem over standardized curves (such as P-256 or P-384), for which no efficient attack is known, so ECC reaches the same security level with much smaller keys: a 256-bit curve is roughly equivalent to a 3072-bit RSA key. 

While ECC gives strong security with smaller keys and faster handshakes, some older clients, libraries and middleboxes cannot validate ECDSA certificates. So, choose an SSL protection solution that supports both and offers hybrid deployment, serving an ECDSA certificate to clients that support it and an RSA certificate to the rest.
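As an added example (not from the article and not any vendor's product code), the Python below turns questions 1 and 2 into something you can run: it builds a server-side TLS configuration that refuses anything below TLS 1.2, and it audits a configuration and a certificate's key and signature hash against the same policy. The thresholds, the cipher string and the security-strength table are assumptions for the example (the strength table follows NIST SP 800-57 comparable strengths); the weak cipher entry is constructed, not taken from a real scan. It assumes Python 3.7+ linked against OpenSSL 1.1.1 or later.

```python
import ssl

# Policy assumed for this example: TLS 1.2 minimum, AEAD cipher suites with
# forward secrecy only, 128-bit minimum session key, and 112-bit minimum
# public-key security strength (the NIST SP 800-57 level of RSA-2048).
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
MIN_SYMMETRIC_BITS = 128
MIN_PUBKEY_STRENGTH_BITS = 112
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"

# Comparable security strengths in bits for common key sizes (NIST SP 800-57).
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 4096: 152, 7680: 192}
EC_STRENGTH = {256: 128, 384: 192, 521: 256}
BROKEN_HASHES = {"md5", "sha1"}


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that only negotiates TLS 1.2/1.3 with modern suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS_VERSION           # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(CIPHER_STRING)                  # TLS 1.2 suites; TLS 1.3 suites stay enabled
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server picks the suite, not the client
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_tls_policy(minimum_version, ciphers):
    """Return policy violations for a minimum protocol version and a cipher
    list shaped like SSLContext.get_ciphers() output."""
    findings = []
    if minimum_version < MIN_TLS_VERSION:
        findings.append("legacy protocol versions below TLS 1.2 are enabled")
    for c in ciphers:
        name = c["name"]
        if c["strength_bits"] < MIN_SYMMETRIC_BITS:
            findings.append(f"{name}: {c['strength_bits']}-bit session key is too small")
        if not c.get("aead", False):
            findings.append(f"{name}: not an AEAD suite (CBC plus MAC construction)")
        if c.get("kea") == "kx-rsa":
            findings.append(f"{name}: static RSA key exchange, no forward secrecy")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext with the same policy."""
    return audit_tls_policy(ctx.minimum_version, ctx.get_ciphers())


def audit_certificate(key_type, key_bits, signature_hash):
    """Check a certificate's public key size and signature hash.
    key_type is 'rsa' or 'ec'; signature_hash is e.g. 'sha256'."""
    findings = []
    table = RSA_STRENGTH if key_type == "rsa" else EC_STRENGTH
    strength = table.get(key_bits, 0)
    if strength < MIN_PUBKEY_STRENGTH_BITS:
        findings.append(f"{key_type.upper()}-{key_bits} gives about {strength}-bit security, "
                        f"below the {MIN_PUBKEY_STRENGTH_BITS}-bit minimum")
    if signature_hash.lower() in BROKEN_HASHES:
        findings.append(f"signature hash {signature_hash} is collision-prone; use SHA-256 or stronger")
    return findings


# Constructed sample (not a real scan result) of a legacy cipher entry,
# shaped like one element of SSLContext.get_ciphers().
CONSTRUCTED_WEAK_CIPHER = {
    "name": "DES-CBC3-SHA", "protocol": "TLSv1", "strength_bits": 112,
    "aead": False, "kea": "kx-rsa", "auth": "auth-rsa",
}
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    print("hardened context:", audit_context(hardened_server_context()) or "no findings")
    print("legacy config:", audit_tls_policy(LEGACY_MIN_VERSION, [CONSTRUCTED_WEAK_CIPHER]))
    print("RSA-1024 / SHA-1 certificate:", audit_certificate("rsa", 1024, "sha1"))
    print("EC P-256 / SHA-256 certificate:", audit_certificate("ec", 256, "sha256"))
```

The hardened context produces no findings; the constructed legacy configuration trips every check (old protocol, 112-bit 3DES, non-AEAD, static RSA key exchange). The certificate check is the one to run against what the vendor actually issues: an RSA-2048 or P-256 key signed with SHA-256 passes, while anything signed with SHA-1 or carrying a 1024-bit RSA key fails.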

3.      Is the SSL certificate compliant? 

Regulatory frameworks such as PCI DSS, and industry best practices, set baseline requirements that your certificate and TLS deployment must meet: the protocol versions allowed, the minimum private key strength, the permitted cipher suites, and so on. If your deployment is non-compliant, you attract hefty fines and penalties. 

4.      What kind of validation is available? 

SSL certificates are categorized as Domain Validation (DV), Organizational Validation (OV), and Extended Validation (EV) certificates. 

DV certificates offer the lowest level of assurance: the CA verifies only control of the domain. They give the visitor no visible cue beyond the padlock and carry no information about the organization that operates the site. 

Because DV certificates are cheap and can be issued automatically in minutes, attackers and scammers routinely use them to give phishing and malware sites a padlock. A DV certificate is adequate for a static website or blog, but for sites that handle logins, payments or personal data it is better to choose an OV or EV certificate, which ties the certificate to a vetted legal entity. Note that mainstream browsers no longer show a distinct EV indicator in the address bar, so the added assurance lives in the certificate's subject fields rather than in anything visitors see. 

So, make sure your service provider offers an EV or OV level of assurance. 

5.      How does SSL decryption work? 

SSL/TLS encrypts data in transit. Attackers use the same encryption to hide their payloads from security controls that cannot inspect encrypted traffic, which is why encrypted attacks keep growing. 

SSL decryption (SSL visibility) counters this by terminating TLS, handing the plaintext to inspection tools such as a next-gen WAF or intrusion detection/prevention system, and re-encrypting where needed. Decrypting and inspecting every byte of every session is computationally expensive and erodes website performance, so the solution should let you apply inspection policy selectively, for example full inspection for login, form and API paths and lighter inspection for static assets. It is also better to terminate and inspect at the edge, on a reverse proxy or WAF in front of your servers, than on the origin servers themselves: the origin never sees malicious requests, and volumetric attacks such as DDoS are absorbed before they reach it. 

So, evaluate your SSL protection solution on these grounds. 

6.      What Security Measures are Included in the SSL Protection Solution? 

SSL certificates should not be used as standalone data security measures. The SSL protection solution must be part of a multi-layered security program that includes daily security and malware scanning, a managed next-gen WAF, reputation monitoring, effective vulnerability management, and so on. 

Advanced solutions like Entrust by Indusface also include TLS server tests and crypto-agility scans that evaluate server configurations, report low scores, detect best-practice and policy violations, and help security teams remediate them quickly.

7.      Is Certificate Management System (CMS) included? 

A centrally managed CMS is necessary for effective SSL security. It offers visibility into the certificate lifecycle and makes managing certificates hassle-free. Ensure that the CMS has the following capabilities: 

  • Certificate renewal, reissue, and revocation management - This ensures that certificates nearing expiry are renewed on time and that revoked certificates are properly reissued, so the website is continuously SSL-protected. 
  • 24x7 self-service issuance of certificates
  • Expiry Notifications
  • Reporting and real-time insights 
  • Simultaneous renewal of multiple SSL certificates.

Some other questions to ask: 

  1. How Does Certificate Reissue Work? Is there a limit on reissue? 
  2. Is warranty available? 
  3. What kind of technical and customer support is provided? 
  4. Which browsers are supported? 
  5. What is the total cost? 


These top 7 questions will help you ensure that you choose an SSL protection solution capable of delivering effective, advanced, and robust security. 


Published Monday, March 28, 2022 7:38 AM by David Marshall