6/15/19

Below are some recommendations for Secure TLS:

• Use only 128-bit cipher or higher, essentially no DES/3DES
• Use suites with strong authentication examples like Elliptic Curve Diffie-Hellman aka ECDHE & ECDHA/RSA
• No weak primitives (no RC4 or MD5
• Perfect Forward Secrecy for keys and protocols
• When using dual keys use ECDHE over RSA
• It’s recommended to use AES-GCM with TLS 1.2 (Suite B Cryptography)
• Removal of IDEA, SEED, ECDH, PSK, DSA, and CAMELLIA
• Use Strict HTTP Transport Security (HSTS) – if possible – protects from passive, active, and human error attacks
  • strict-transport-security in the HTTP header response field
• Use Certificate pinning when possible
• Store private keys on a HSM
• Use DNSSEC when possible to secure local DNS to sign that the DNS data is valid. Example would be when having a web server and wanting to protect it from web-based attacks

Source: Michael Shannon, CISSP