
Security & SSL Certificate

 

Basics

  • Your SSL Certificate needs to be updated if you see an "unsafe" warning, a "not private" warning, or a crossed-out HTTPS on the Portal.
  • You likely won't have to pay for a new SSL Certificate, but rather get an updated (renewed) one from the same issuer.
  • Browsers and Certificate Authorities (through the CA/Browser Forum) cap how long an SSL Certificate may be valid. The cap was 39 months when this article was written; for certificates issued from September 2020 on it is 398 days (about 13 months), so expect to renew at least yearly. This has nothing to do with MinistryPlatform; it is a requirement of the browsers and the public SSL/TLS infrastructure.
  • When you get a new SSL Certificate, make sure it uses current cryptography: a SHA-256 signature and at least a 2048-bit RSA key (or an ECDSA key). Browsers no longer trust certificates signed with SHA-1.
  • SSL Certificates should come from a reputable web host or Certificate Authority. Short-term and free SSL Certificates are not recommended and may not work with our software.

Encryption

In general, good security practice is to explicitly disable every protocol version that is outdated and enable only the versions that are required. To do so:

Disable all SSL/TLS protocol versions except TLS 1.0 (required by the Portal) and TLS 1.2.

Note that TLS 1.0 and TLS 1.1 are formally deprecated (RFC 8996) and current browsers disable them by default, so keep TLS 1.0 enabled only for as long as the Portal requires it, and prefer TLS 1.2 wherever a client supports it.

To disable SSL 2.0 and SSL 3.0, make sure the following entries are in the server's Registry (if they're not in the Registry, add them):
  • Under: Computer>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  • Client Keys: SSL 2.0>Client, SSL 3.0>Client
    • Both of these client keys require two DWORD (32-bit) values as follows: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 0 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 1
  • Server Keys: SSL 2.0>Server, SSL 3.0>Server
    • Both of these server keys require two DWORD (32-bit) values as follows: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 0 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 1
  • Enabled = 0 is what actually turns a protocol off; DisabledByDefault = 1 only stops SCHANNEL from offering it unless an application asks for it explicitly. Setting Enabled = 1 / DisabledByDefault = 0 on these keys would enable SSL 2.0 and SSL 3.0, which is the opposite of what you want. SCHANNEL reads these keys at startup, so reboot the server after changing them.
 
Enable TLS 1.0 and TLS 1.2 (and disable TLS 1.1 the same way as SSL 2.0 and SSL 3.0 above)
  • Client Keys: TLS 1.0>Client, TLS 1.2>Client:
    • Both of these client keys require two DWORD (32-bit) values as follows: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 1 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 0
  • Server Keys: TLS 1.0>Server, TLS 1.2>Server:
    • Both of these server keys require two DWORD (32-bit) values as follows: NAME: Enabled, TYPE: REG_DWORD, HEX VALUE: 1 // NAME: DisabledByDefault, TYPE: REG_DWORD, HEX VALUE: 0

Unsecured Files

For a page to pass the browser "lock test" (i.e., for the browser to show the padlock or similar "secure" icon by the URL), every resource on the page must also load over HTTPS. Make sure that:

  • No images on the page are served from an HTTP (non-secured) URL. This may mean serving all Portal images from the same IIS server as the Portal.
  • CSS does not load images, fonts, or other items from an unsecured URL.
  • No HTML forms have an "action" that points to an unsecured URL.
  • No scripts or iframes are loaded over HTTP either; browsers block those outright as mixed active content, so the page may not just lose its padlock but break.
Why No Padlock (whynopadlock.com) is an excellent utility that will scan a URL and identify potential issues.
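If you would rather check a page from the server itself before publishing it, the script below scans a page's HTML for the kinds of references listed above (src/href/action attributes and CSS url() values that start with http://). It is an added example, not code from the original article or from MinistryPlatform; the function name Find-MixedContent, the host names, and the sample HTML are all constructed for this demonstration.

```powershell
# Added example (not from the original article): report mixed-content references in HTML.
function Find-MixedContent {
    param(
        [Parameter(Mandatory)] [string] $Html,
        [string] $PageUrl = 'https://portal.example.org/'   # assumed; reported for context only
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # src/href/action attributes on any tag, e.g. <img src="http://...">, <form action="http://...">
    $attrPattern = '<(?<tag>[a-zA-Z0-9]+)[^>]*?(?<![\w-])(?<attr>src|href|action)\s*=\s*["'']?(?<url>http://[^"''\s>]+)'
    foreach ($m in [regex]::Matches($Html, $attrPattern, 'IgnoreCase')) {
        $tag  = $m.Groups['tag'].Value.ToLower()
        $attr = $m.Groups['attr'].Value.ToLower()
        # <a href="http://..."> is an ordinary link, not a loaded resource; it does not affect the padlock.
        if ($tag -eq 'a' -and $attr -eq 'href') { continue }
        $findings.Add([pscustomobject]@{ Page = $PageUrl; Kind = "<$tag $attr>"; Url = $m.Groups['url'].Value })
    }

    # url(...) inside <style> blocks or style="" attributes, e.g. background: url(http://...)
    $cssPattern = 'url\(\s*["'']?(?<url>http://[^"'')\s]+)'
    foreach ($m in [regex]::Matches($Html, $cssPattern, 'IgnoreCase')) {
        $findings.Add([pscustomobject]@{ Page = $PageUrl; Kind = 'css url()'; Url = $m.Groups['url'].Value })
    }
    return $findings
}

# Constructed sample page for the demonstration (not a real Portal page). Expected: four
# findings (the stylesheet link, the CSS background, the banner image, the form action);
# the secure logo and the plain <a> link are not reported.
$sampleHtml = @'
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<style>body { background: url('http://cdn.example.net/bg.png'); }</style>
</head><body>
<img src="https://portal.example.org/logo.png">
<img src="http://images.example.net/banner.jpg">
<form action="http://legacy.example.org/submit" method="post"></form>
<a href="http://example.org/help">Help</a>
</body></html>
'@

Find-MixedContent -Html $sampleHtml | Format-Table -AutoSize

# To scan a live page from the server (assumed URL):
# $r = Invoke-WebRequest -Uri 'https://portal.example.org/' -UseBasicParsing
# Find-MixedContent -Html $r.Content -PageUrl 'https://portal.example.org/' | Format-Table -AutoSize
```

The script only looks at the HTML it is given, so run it against each external stylesheet as well (fetch the CSS and pass it as -Html) to catch url() references that live there. Protocol-relative URLs (//host/path) are not flagged because on an HTTPS page they resolve to HTTPS.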
 

Additionally, it is wise to submit your site to the SSL Server Test from Qualys SSL Labs (ssllabs.com/ssltest). It scans a URL and returns a grade from A+ down to F based on various criteria, and its report lists which protocol versions and cipher suites the server offers, so it is also a quick way to confirm that the Registry changes above took effect.

Firefox

In Firefox, mixed content causes a warning indicator on the padlock in the address bar; click the padlock to open the details dialog, which names the kind of insecure content found.

Chrome

In Chrome, you can identify the specific resources at fault with DevTools:

  1. Right-click the page and select Inspect.
  2. Select the Security tab.
  3. Look for the non-secure origins listed under the page's main origin. The Console tab also logs each mixed-content resource with its full URL, which is usually the fastest way to find the offending image, stylesheet, or form.