Security & SSL Certificate on the Portal
- Your SSL Certificate needs to be updated if you see an "unsafe" warning, "not private" warning, or a crossed-out HTTPS on the Portal.
- You likely won't have to pay for a new SSL Certificate; in most cases your provider simply issues an updated (renewed) one.
- Google Chrome enforces a 39-month limit on SSL Certificate validity. This has nothing to do with MinistryPlatform; it comes from the browser and the SSL/TLS infrastructure of the internet itself.
- When you get a new SSL Certificate, make sure it is issued with current encryption standards as well.
- SSL Certificates should be from a reputable web host or a Certificate Authority. Short-term and free SSL Certificates are not recommended and may not work with our software.
Encryption
In general, good security practices dictate that you should specifically disable all encryption protocols that are outdated and enable only the encryption protocols that are required.
Disable all encryption protocols except TLS 1.0 (required by the Portal) and TLS 1.2. All of the keys below live under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols; create any key that does not exist yet. Every value is a DWORD (32-bit). Enabled = 0 turns a protocol off entirely; DisabledByDefault = 1 keeps it from being negotiated unless an application asks for it explicitly. A restart is required before SCHANNEL picks up the changes.
Disable SSL 2.0 and SSL 3.0.
- Client Keys: SSL 2.0\Client, SSL 3.0\Client
- Both of these client keys require two DWORD (32-bit) values as follows: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 0 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 1
- Server Keys: SSL 2.0\Server, SSL 3.0\Server
- Both of these server keys require the same two DWORD (32-bit) values: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 0 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 1
Enable TLS 1.0 and TLS 1.2.
- Client Keys: TLS 1.0\Client, TLS 1.2\Client
- Both of these client keys require a DWORD (32-bit) value as follows: NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 0
- Server Keys: TLS 1.0\Server, TLS 1.2\Server
- Both of these server keys require two DWORD (32-bit) values as follows: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 1 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 0
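The following PowerShell script is an added example, not part of the MinistryPlatform documentation or software. It applies the SCHANNEL protocol settings described above (SSL 2.0 and SSL 3.0 off, TLS 1.0 and TLS 1.2 on) to both the Client and Server keys, then reads every key back so you can confirm the registry matches the intended state before rebooting. The value semantics (Enabled = 0 with DisabledByDefault = 1 turns a protocol off) follow Microsoft's documented SCHANNEL behaviour; the function names Set-SchannelProtocol and Get-SchannelProtocolState are this example's own.

```powershell
# Added example (not MinistryPlatform code): apply and verify SCHANNEL protocol settings.
# Run in an elevated PowerShell session on the Portal's IIS server. SCHANNEL only
# reads these keys at startup, so restart the server after running this.

$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol. Enabled=0 / DisabledByDefault=1 turns a protocol off;
# Enabled=1 / DisabledByDefault=0 turns it on (Microsoft's documented SCHANNEL semantics).
$desired = @{
    'SSL 2.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.0' = @{ Enabled = 1; DisabledByDefault = 0 }   # still required by the Portal per this page
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [int]    $Enabled,
        [Parameter(Mandatory)] [int]    $DisabledByDefault
    )
    foreach ($side in 'Client', 'Server') {
        $keyPath = Join-Path $protocolsRoot "$Protocol\$side"
        # -Force creates the intermediate keys (e.g. "SSL 2.0") and leaves existing ones intact
        New-Item -Path $keyPath -Force | Out-Null
        New-ItemProperty -Path $keyPath -Name 'Enabled' -PropertyType DWord -Value $Enabled -Force | Out-Null
        New-ItemProperty -Path $keyPath -Name 'DisabledByDefault' -PropertyType DWord -Value $DisabledByDefault -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/side showing what is actually in the registry.
    # A missing key or value reads as $null, which means "operating-system default".
    foreach ($protocol in ($desired.Keys | Sort-Object)) {
        foreach ($side in 'Client', 'Server') {
            $keyPath = Join-Path $protocolsRoot "$protocol\$side"
            $item = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
            $want = $desired[$protocol]
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = if ($item) { $item.Enabled } else { $null }
                DisabledByDefault = if ($item) { $item.DisabledByDefault } else { $null }
                Matches           = [bool]($item -and
                                           $item.Enabled -eq $want.Enabled -and
                                           $item.DisabledByDefault -eq $want.DisabledByDefault)
            }
        }
    }
}

# Apply the desired state to every protocol, then print the verification table.
foreach ($protocol in $desired.Keys) {
    $want = $desired[$protocol]
    Set-SchannelProtocol -Protocol $protocol -Enabled $want.Enabled -DisabledByDefault $want.DisabledByDefault
}
Get-SchannelProtocolState | Format-Table -AutoSize
```

Any row whose Matches column reads False is a key that did not take the intended value; fix it before restarting. After the restart, re-run the Qualys SSL Labs test mentioned below to confirm that SSL 2.0 and SSL 3.0 are no longer offered. Keep in mind that SSL Labs caps the grade of any server that still offers TLS 1.0, so an A is not achievable while the Portal's TLS 1.0 requirement stands.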
Unsecured Files
- Make sure no image on the page is served from an HTTP (non-secured) site. In practice this may mean that all Portal images have to be served from the same IIS server as the Portal.
- Make sure your CSS does not load images or other items from an unsecured site.
- Make sure no HTML form has an "action" that points to an unsecured site.
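The three checks above can be scripted. The following is an added example, not part of the MinistryPlatform documentation: a PowerShell function, Find-MixedContent (a name chosen for this example), that scans HTML and CSS for plain-HTTP image, script and frame sources, form actions, and CSS url() references. The sample page it runs against is constructed here with .invalid hostnames so the script works offline; the commented lines at the end show how to feed it a live page with Invoke-WebRequest.

```powershell
# Added example (not MinistryPlatform code): find mixed-content references in HTML/CSS.

function Find-MixedContent {
    param(
        [Parameter(Mandatory)] [string] $Html,
        [string] $Css = ''     # optional contents of an external stylesheet
    )
    $findings = @()

    # 1. <img>, <script> and <iframe> tags whose src is plain http://
    $srcPattern = '<(?<tag>img|script|iframe)\b[^>]*\bsrc\s*=\s*["'']?(?<url>http://[^"''\s>]+)'
    foreach ($m in [regex]::Matches($Html, $srcPattern, 'IgnoreCase')) {
        $findings += [pscustomobject]@{ Kind = "<$($m.Groups['tag'].Value) src>"; Url = $m.Groups['url'].Value }
    }

    # 2. <form action="http://..."> -- anything the user submits would travel unencrypted
    $formPattern = '<form\b[^>]*\baction\s*=\s*["'']?(?<url>http://[^"''\s>]+)'
    foreach ($m in [regex]::Matches($Html, $formPattern, 'IgnoreCase')) {
        $findings += [pscustomobject]@{ Kind = '<form action>'; Url = $m.Groups['url'].Value }
    }

    # 3. url(http://...) in CSS, whether in an external stylesheet or an inline <style> block
    $styleBlocks = @([regex]::Matches($Html, '<style\b[^>]*>(?<css>.*?)</style>', 'IgnoreCase, Singleline') |
                     ForEach-Object { $_.Groups['css'].Value })
    foreach ($block in (@($Css) + $styleBlocks)) {
        if ([string]::IsNullOrEmpty($block)) { continue }
        foreach ($m in [regex]::Matches($block, 'url\(\s*["'']?(?<url>http://[^"''\)\s]+)', 'IgnoreCase')) {
            $findings += [pscustomobject]@{ Kind = 'css url()'; Url = $m.Groups['url'].Value }
        }
    }
    return $findings
}

# Constructed sample page: one problem of each kind plus one correctly secured image.
$sampleHtml = @'
<html><head>
<style>body { background: url(http://cdn.example.invalid/bg.png); }</style>
</head><body>
<img src="https://portal.example.invalid/logo.png">
<img src='http://cdn.example.invalid/banner.jpg'>
<form action="http://login.example.invalid/signin" method="post"></form>
</body></html>
'@

# Expected: three findings (the css url(), the http img src, and the form action);
# the https logo is not reported.
Find-MixedContent -Html $sampleHtml | Format-Table -AutoSize

# Live use (uncomment): fetch the Portal page and scan it. Fetch each external
# stylesheet the same way and pass its content through -Css.
# $page = Invoke-WebRequest -Uri 'https://portal.example.invalid/' -UseBasicParsing
# Find-MixedContent -Html $page.Content
```

The scan is a regex pass rather than a full HTML parser, so it is a quick first look, not a substitute for the browser checks described under Firefox and Chrome below, which also catch references that are only introduced by scripts at run time. Protocol-relative references (starting with //) are not flagged because they inherit HTTPS from the page.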
The site whynopadlock.com is an excellent utility that will scan a URL and identify potential issues.
Additionally, it is wise to submit your site to the SSL server test from Qualys SSL Labs. The site https://www.ssllabs.com/ssltest/index.html will scan a URL and return a grade from F to A based on various criteria.
Firefox
In Firefox, mixed content will cause the security warning to show in the address bar, with details in the dialog.
Chrome
In Chrome, you can identify specific issues by using the Inspector. Right-click and select Inspect, select the Security tab, and look for details under Resources.