Curious about SSL best practices? Qualys has a regularly updated “SSL/TLS Deployment Best Practices” document with some good information. I like that the best practices include mention of practical concerns in addition to security ones. For instance, not to use private keys larger than 2048 bits. I’ve forged forward on my own to use 4096-bit keys, and I can attest to significant performance issues due to it. Also, I’m glad for the very brief EV SSL mention; I’m not sold that it’s useful enough to talk about. I personally recommend not spending the money on them unless your customers are asking for a green browser address bar…
The only thing I wish this doc contained would be more insight into common secure and insecure cipher suites. Now, I know SSL tools will do this, and many systems rename cipher suites into weird names for no real reason, but it would be nice to just get a dumped list. For a doc that is useful to slam down on a CIO’s, developer’s or sysadmin’s desk, it would be welcome. Props, though, for suggesting SSL evaluation tools, which will help a sysadmin do the same thing, just with a little bit of sweat and time expense.