6/15/19

Below are some recommendations for Secure TLS:

  • Use only 128-bit cipher or higher, essentially no DES/3DES
  • Use suites with strong authentication examples like Elliptic Curve Diffie-Hellman aka ECDHE & ECDHA/RSA
  • No weak primitives (no RC4 or MD5
  • Perfect Forward Secrecy for keys and protocols
  • When using dual keys use ECDHE over RSA
  • It’s recommended to use AES-GCM with TLS 1.2 (Suite B Cryptography)
  • Removal of IDEA, SEED, ECDH, PSK, DSA, and CAMELLIA
  • Use Strict HTTP Transport Security (HSTS) – if possible – protects from passive, active, and human error attacks
    • strict-transport-security in the HTTP header response field
  • Use Certificate pinning when possible
  • Store private keys on a HSM
  • Use DNSSEC when possible to secure local DNS to sign that the DNS data is valid. Example would be when having a web server and wanting to protect it from web-based attacks

Source: Michael Shannon, CISSP