Future-proof TLS configuration using the updated TLS guidelines from NCSC

NCSC-NL publishes updated IT security guidelines for Transport Layer Security (TLS). The secure configuration of TLS is important to safeguard connectivity on the internet. The updated guidelines help to build future-proof TLS configurations, so organisations can focus on threats that deserve daily attention.

The Transport Layer Security (TLS) protocol is the most popular protocol for securing connections on the Internet. The secure configuration of TLS is important to secure network connections. Well-known examples of such connections include web traffic (https), e-mail traffic (IMAP and SMTP after STARTTLS) and certain types of virtual private networks (VPN).

These new guidelines are intended to aid in the procurement, set-up and review of TLS configurations. Organisations that procure IT systems can refer to this publication when stating their requirements.

"We actively use NCSC's advice in our toolbox for digital security. This guideline helps us, our suppliers and customers to arrive at a secure configuration of IT infrastructure and software." -- Leon Kers, Chief Information Security Officer, de Volksbank

The guidelines were first published in 2014. NCSC updated them with valuable contributions by Autoriteit Persoonsgegevens, Belastingdienst, Centric, Dienst Publiek en Communicatie, Forum Standaardisatie, IBD, KPN, NLnet Labs, Northwave, Platform Internetstandaarden, RDW, SURFnet, de Volksbank, Z-CERT, National Communication Security Agency (NBV) and five international TLS experts.

"The TLS guidelines help the Tax and Customs Administration to securely connect with citizens and companies." -- Peter Konings, Security Operations Center, Belastingdienst

Future-proof TLS configurations using TLS 1.3

The TLS standard has seen active development since the 2014 guidelines. The TLS guidelines have been updated to incorporate recent developments such as TLS 1.3. Other inclusions are newly standardized options for older versions of TLS.

Most configurations that conform to the 2014 guidelines are still secure. But the state of the art in TLS attacks has also advanced. Various configurations are known to be fragile with respect to evolving attack techniques and provide only a slim security margin. In the guidelines, NCSC advises making the use of these settings subject to written deprecation conditions that schedule their removal.

Security plays a role in deprecation, but so does compatibility with software of customers or end users. The guidelines help to navigate this effort.

"Secure connections are crucial in healthcare. NCSC's TLS guidelines make building and maintaining secure connections easier." -- Christiaan Piek, director, Z-CERT

Focus on threats that deserve daily attention

The availability of TLS 1.3 and the publication of the updated guidelines present an opportunity to phase out configurations that will become insecure in the future. Spending time up front to future-proof configurations enables organisations to focus on the threats that deserve daily attention.