TLS is the encryption protocol that is mainly, but not exclusively, used to encrypt network traffic from websites and hence theoretically securely transmit the traffic. However, in order for this encryption to be secure in practice, some settings must be respected.

The last time we wrote articles about TLS/SSL or encryption was in 2014 and 2015. Most of the recommendations have not changed, but there are still some updates and outdated ciphers and protocols that are discussed in this article. Finally, this article summarizes which TLS settings should currently be implemented from a security perspective.

What is new

This section looks at the new protocols and security measures introduced since 2015.

TLSv1.3

A new version of the TLS protocol has been published. It is called TLSv1.3 and is defined in RFC 8446. The two most important areas in which TLSv1.3 differs from the previous protocol are security and speed. This is because TLSv1.3 removes several weak and obsolete features from TLSv1.2. The speed gain is due to a new handshake that can be performed in one round-trip instead of two.

OCSP-Stapling

OCSP stands for Online Certificate Status Protocol and is a standard for checking the revocation status of certificates. With OCSP-Stapling, an extension of the original OCSP, the revocation status is delivered directly by the server as part of the TLS handshake. Accordingly, the browser itself does not need to contact an OCSP server to check the status of the certificate. This reduces the total time required to establish the TLS connection and no information about a user’s browsing behavior is sent to the OCSP server.

What was removed

This section looks at the protocols, ciphers and other security measures removed since 2015.

TLS_RSA

It is only about ciphers that use RSA for key exchange. All these ciphers are affected by the ROBOT attack or similar attacks and are classified as weak. The vulnerabilities mean that an attacker who can passively record the data traffic can later decrypt it. Anyone who would like to read more details about the ROBOT attack can find them on the website created for the vulnerability robotattack.org.

TLSv1.0 and TLSv1.1

Back in March 2020, modern browsers such as Chrome, Firefox and Safari stopped supporting the TLSv1.0 and TLSv1.1 protocols. This is mainly because several aspects of the design of these protocols are not robustly implemented. For companies in the financial sector, it is also of interest that the PCI DSS has also required that TLSv1.0 should no longer be supported as early as the end of June 2018.

Public-Key-Pinning

Public-Key-Pinning was developed to counteract the fact that any CA can issue a certificate for any website. However, the correct implementation of public key pinning is complex and requires a lot of expertise. In addition, there is the risk of completely blocking the website for visitors if a bad configuration were to be implemented. For this reason, most browsers have removed support for Public-Key-Pinning.

As an alternative, the concept of Certificate Transparency is now available. Newly issued certificates are recorded in publicly maintained CT-logs. Anyone can now monitor these logs for their domains and recognize a falsely or maliciously created certificate.

TLS Configuration Checklist

The following checklist contains the mentioned recommendations for a secure TLS configuration as well as those still valid from the last article (as of July 2021):

• Protocols
  • Disable SSLv2, SSLv3, TLSv1.0 and TLSv1.1
  • Enable TLSv1.2 and TLSv1.3
  • Set TLSv1.3 as preferred protocol
• Configuration
  • Disable Client-Initiated Renegotiation
  • Disable TLS compression
  • Enable support for Forward Secrecy
  • Enable OCSP-Stapling
• Cipher Suites
  • Disable Anonymous Cipher Suites
  • Disable cipher suites with a key length less than 128 bit
  • Disable Cipher Suites RC4, DES and 3DES
  • Disable RSA for key exchange
  • Support Perfect Forward Secrecy (ECDH, DH)
  • Diffie-Hellman for key exchange at least 2048 bit
• Certificate
  • Certificate must match hostname(s)/domain(s)
  • Have certificate signed by trustworthy certification authority
  • Private key key length of at least 2048 bits
  • Use hash algorithm SHA256 instead of MD5 and SHA1 for certificates

Conclusion

If the settings suggested in the TLS configuration checklist have been enforced, then a system is well protected with the current security recommendations in the area of TLS. However, fully protecting a system involves more than just implementing secure TLS settings. In our archive of all labs you will find all articles on topics that our Red team, our Blue team as well as our Research team have focused on recently.

About the Author

Andrea Hauser graduated with a Bachelor of Science FHO in information technology at the University of Applied Sciences Rapperswil. She is focusing her offensive work on web application security testing and the realization of social engineering campaigns. Her research focus is creating and analyzing deepfakes. (ORCID 0000-0002-5161-8658)

Links

• https://datatracker.ietf.org/doc/html/rfc8446
• https://robotattack.org
• https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf