Future-proof TLS configuration using the updated TLS guidelines from NCSC
NCSC-NL publishes updated IT security guidelines for Transport Layer Security (TLS). The secure configuration of TLS is important to safeguard connectivity on the internet. The updated guidelines help to build future-proof TLS configurations, so that organisations can focus on threats that deserve daily attention.
NCSC publishes updated IT security guidelines for Transport Layer Security (TLS)
TLS is the most popular protocol to secure connections on the Internet. The secure configuration of TLS is important to secure network connections. Well-known examples include web traffic (HTTPS), e-mail traffic (IMAP and SMTP after STARTTLS) and certain types of virtual private networks (VPN).
The guidelines are intended to aid during procurement, set-up and review of configurations of the Transport Layer Security protocol (TLS). Organisations that procure IT systems can refer to this publication when stating their requirements.
"We actively use NCSC's advice in our toolbox for digital security. This guideline helps us, our suppliers and customers to arrive at a secure configuration of IT infrastructure and software."
-- Leon Kers, Chief Information Security Officer, de Volksbank
NCSC first published the guidelines in 2014 and has now updated them with valuable contributions from: Autoriteit Persoonsgegevens, Belastingdienst, Centric, Dienst Publiek en Communicatie, Forum Standaardisatie, IBD, KPN, NLnet Labs, Northwave, Platform Internetstandaarden, RDW, SURFnet, de Volksbank, Z-CERT, National Communication Security Agency (NBV) and five international TLS experts.
The updated guidelines help to future-proof TLS configurations using TLS 1.3
"The TLS guidelines help the Tax and Customs Administration to securely connect with citizens and companies"
-- Peter Konings, Security Operations Center, Belastingdienst
The TLS standard has seen active development since the 2014 guidelines. The TLS guidelines have been updated to incorporate recent developments such as TLS 1.3. Other inclusions are newly standardized options for older versions of TLS.
Most configurations that conformed to the 2014 guidelines are still secure. But the state of the art in TLS attacks has also advanced. Various configurations are known to be fragile with respect to evolving attack techniques and provide only a slim security margin. In the guidelines, NCSC advises subjecting the use of these settings to written deprecation conditions that schedule their removal.
Security plays a role in deprecation, but so does compatibility with software of customers or end users. The guidelines help to navigate this effort.
Future-proof TLS configurations enable organisations to focus on threats that deserve daily attention
"Secure connections are crucial in healthcare. NCSC's TLS guidelines make building and maintaining secure connections easier."
-- Christiaan Piek, director, Z-CERT
The availability of TLS 1.3 and the publication of the updated guidelines present an opportunity to phase out configurations that will become insecure in the future. Spending time up front to future-proof configurations enables organisations to focus on the threats that deserve daily attention.
Go to the new version of the TLS guidelines