Agency seeks to future-proof network security in the Netherlands

The Netherlands’ National Cyber Security Centre (NCSC) has updated its Transport Layer Security (TLS) protocol guidelines, aiming to help organizations create more secure network configurations.

Replacing the now-deprecated Secure Sockets Layer (SSL) encryption protocol, TLS covers the creation and use of a cryptographically secured connection between a client and server.

TLS is used to secure a wide range of network activity, including web traffic (https), email traffic (IMAP and SMTP after STARTTLS), and certain types of virtual private networks (VPN).

The new guidelines were produced in conjunction with five international TLS experts, as well as the Dutch central government and operators of critical national infrastructure.

“We created and updated the guidelines to help organizations to build future-proof TLS configurations, so they can focus on threats that deserve daily attention,” an NCSC spokesperson tells The Daily Swig.

They represent the NCSC’s first update since 2014, when the guidelines were first created.

However, says the spokesperson, the 2014 version was conservative enough that no update has been needed until now – despite the fact that there have been large numbers of new and improved attacks on TLS since then.

“In a sense, the previous version is still current,” they said. “Most configurations that conformed to the 2014 guidelines are still secure. However, TLS has evolved since, and the guidelines have been updated to reflect the release of TLS 1.3.”

“In step, we have downgraded the security level of a number of settings that are known to be fragile with respect to evolving attack techniques and merely provide a slim security margin.”

TLS 1.3 was approved last year, and became an official standard in August.

It uses the same keys and certificates as TLS 1.2, but strips out various obsolete or insecure features, eliminating unnecessary handshake steps and requiring the use of new, more secure encryption methods.

The new NCSC guidelines also include newly-standardized options for older versions of TLS (TLS 1.0 and TLS 1.1), the 3DES cipher, and static key exchanges such as TLS_RSA_.

The NCSC advises that while these older versions are still secure, organizations should start phasing them out.
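As an added illustration of the phase-out advice above (example code, not part of the article or of the NCSC guidelines), the script below audits a constructed TLS configuration: it flags TLS 1.0 and TLS 1.1, any suite using the 3DES cipher, and any suite with a static RSA key exchange (IANA names beginning `TLS_RSA_`), and builds a Python `ssl` client context that refuses anything below TLS 1.2. The configuration format, the labels and the sample suite list are assumptions made for this example.

```python
import ssl

GOOD, PHASE_OUT = "good", "phase out"

# Protocol versions as discussed in the article: SSL is deprecated,
# TLS 1.0/1.1 should be phased out, TLS 1.2/1.3 are current.
PROTOCOL_STATUS = {
    "SSLv3": "deprecated",
    "TLSv1.0": PHASE_OUT,
    "TLSv1.1": PHASE_OUT,
    "TLSv1.2": GOOD,
    "TLSv1.3": GOOD,
}

# Constructed sample configuration (not taken from any real system).
SAMPLE_CONFIG = {
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "cipher_suites": [
        "TLS_AES_256_GCM_SHA384",                 # TLS 1.3 suite
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # ephemeral key exchange
        "TLS_RSA_WITH_AES_128_GCM_SHA256",        # static RSA key exchange
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # static RSA and 3DES
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",    # 3DES only
    ],
}


def classify_suite(name):
    """Return (status, reasons) for an IANA cipher suite name."""
    reasons = []
    if name.startswith("TLS_RSA_"):  # TLS 1.3 suites start with TLS_AES_/TLS_CHACHA20_
        reasons.append("static RSA key exchange (no forward secrecy)")
    if "3DES" in name:
        reasons.append("3DES cipher")
    return (PHASE_OUT if reasons else GOOD, reasons)


def audit(config):
    """List (item, status, reasons) for every protocol and suite in config."""
    findings = []
    for proto in config["protocols"]:
        status = PROTOCOL_STATUS.get(proto, "unknown")
        findings.append((proto, status, [] if status == GOOD else [f"protocol {proto}"]))
    for suite in config["cipher_suites"]:
        status, reasons = classify_suite(suite)
        findings.append((suite, status, reasons))
    return findings


def hardened_client_context():
    """Client context that refuses TLS 1.0/1.1 (TLS 1.3 suites stay enabled)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for item, status, reasons in audit(SAMPLE_CONFIG):
        print(f"{status:10} {item} {'; '.join(reasons)}")
```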