New TLS guidelines landed in Internet.nl
TLS in Internet.nl
The test tool Internet.nl checks TLS configurations for websites under the test category 'HTTPS' and for mail servers under the test category 'STARTTLS and DANE'. The latest 'IT guidelines for TLS' from NCSC-NL are used as a baseline. If a 'good' or 'sufficient' setting is found, then Internet.nl will show a green check ('passed'). In case of a 'phase out' setting, like TLS 1.0 and 1.1, you will see an orange exclamation mark ('warning'), and an 'insufficient' configuration gets a red cross ('fail').
ICT guidelines for TLS
In April 2019 NCSC-NL published the 'IT Security Guidelines for Transport Layer Security (TLS) v2.0'. The advised settings are future-proof: TLS connections secured according to the new guidelines are not expected to require any modifications in the near future. At the same time, the guidelines ensure that systems remain interoperable and prevent incompatible TLS settings.
'Phase out' TLS settings
'Phase out' settings are known to be fragile and are at risk of becoming insufficiently secure. Take the following into consideration when making a decision regarding these 'phase out' settings.
Browser makers have announced that they will stop supporting TLS 1.1 and 1.0 by Q1 2020. This will impact the reachability of websites that do not offer support for TLS 1.2 and/or 1.3.
Quite a few mail servers only support older TLS versions. If the sending and receiving mail servers do not both support the same TLS version, they will usually fall back to unencrypted mail transport. For that reason it may be advisable to keep supporting TLS versions with a 'phase out' status for a while. Use log data to make an informed decision on when to disable these 'phase out' TLS versions.
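One way to gather the log data this advice calls for, as an added example (not code from Internet.nl or NCSC-NL): it assumes a Postfix mail server with TLS logging enabled (`smtpd_tls_loglevel = 1` and `smtp_tls_loglevel = 1`) and tallies the negotiated TLS versions per peer. The log lines, host names and addresses are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format Postfix writes at TLS log level 1
# (assumption: Postfix; host names and addresses are documentation placeholders).
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[811]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:00:07 mx postfix/smtpd[812]: Anonymous TLS connection established from legacy.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 09:01:15 mx postfix/smtp[820]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 09:02:30 mx postfix/smtpd[813]: Anonymous TLS connection established from legacy.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 09:03:44 mx postfix/smtp[821]: Trusted TLS connection established to old.example.org[192.0.2.99]:25: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Jan 10 09:04:02 mx postfix/smtpd[814]: connect from unknown[192.0.2.200]
"""

# The page names TLS 1.0 and 1.1 as 'phase out'; Postfix logs them as TLSv1 / TLSv1.1.
PHASE_OUT = {"TLSv1", "TLSv1.1"}

TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: \w+ TLS connection established "
    r"(?:from|to) (?P<peer>[^\[\s]+)\[[^\]]+\](?::\d+)?: (?P<version>TLSv[\d.]+|SSLv\d) with cipher"
)

def summarize(log_text):
    """Return (sessions per TLS version, peers still on phase-out versions, phase-out share)."""
    versions = Counter()
    phase_out_peers = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS handshake summary line
        direction = "inbound" if m["daemon"] == "smtpd" else "outbound"
        versions[m["version"]] += 1
        if m["version"] in PHASE_OUT:
            phase_out_peers[(direction, m["peer"])][m["version"]] += 1
    total = sum(versions.values())
    share = sum(versions[v] for v in PHASE_OUT) / total if total else 0.0
    return versions, dict(phase_out_peers), share

if __name__ == "__main__":
    versions, peers, share = summarize(SAMPLE_LOG)
    for version, count in sorted(versions.items()):
        print(f"{version:8} {count} session(s)")
    print(f"phase-out share of TLS sessions: {share:.0%}")
    for (direction, peer), seen in sorted(peers.items()):
        print(f"{direction:8} {peer}: {dict(seen)}")
```

Run it over a representative period of real logs: the peers it lists are the ones that, as described above, would usually fall back to unencrypted transport once the 'phase out' version is disabled.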
The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform, which is a collaboration of partners from the internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. ECP provides the administrative home of the platform. Open Netlabs / NLnet Labs is responsible for the technical realisation of Internet.nl.
- Various UI/webdesign fixes/improvements
- Updated TLS tests to conform to the new v2 NCSC guidelines
- TLS 1.3 is supported in the TLS tests
- Improved Hall of Fame which adds mail tests and champions
- Widget for starting the website and email test from other websites
- Connection test: DNSSEC no longer defaults to secure when the bogus URL is not visited and none of the other tests could be performed. It falls back to not tested instead