Updating our guidance on security certificates, TLS and IPsec | National Cyber Security Centre

Today, the NCSC has published updated guidance on deploying and managing security certificates, taking into account trends and practice in the international certificates ecosystem. Provisioning and Managing Certificates in the Web PKI replaces our previous ‘Provisioning and Securing Security Certificates’ guidance, and brings together all our current thinking on Web PKI.

The guidance offers a set of key recommendations for certificate management. These include:

using automated certificate provisioning and renewal where possible, reducing the risk of human error in managing your certificates
preparing for shorter certificate lifetimes, recognising trends in the certificate authority ecosystem
ensuring you have effective monitoring of your certificate issuance and renewals, and access to your private keys
using cloud key management services and avoiding wildcard certificates to reduce the likelihood and impact of compromise

We have also taken the opportunity to make a few minor changes to our guidance on Using TLS to protect data and to Using IPsec to protect data, to ensure consistency with the certificates guidance and to reflect current standardisation activities. The guidance now aligns with the NCSC’s recent advice on external attack surface management (EASM) products.

At this stage, we have made no changes to our cipher suite recommendations in either of these pieces; the recommended profiles still provide good protection. However, the legacy profiles in each of those pieces of guidance are increasingly outdated, and in some cases deprecated, and it is essential that organisations relying on them update their profiles as soon as possible.

We will be producing more substantial revisions to our TLS and IPsec guidance in the near future, introducing additional recommended profiles / cipher suite preferences that include post-quantum cryptography, as the relevant protocol standards are finalised and as robust implementations mature in a range of commonly-used libraries.

Jeremy B

Principal Technical Director for Crypt and High Threat Technologies

Source link

What's Hot

SSA-230445 V1.0: Stored XSS Vulnerability in OZW Web Servers Before V5.2

SSA-331112 V1.0: Multiple Vulnerabilities in SINEC NMS Before V3.0 SP1

SSA-354112 V1.0: Multiple Vulnerabilities in SCALANCE M-800 Family Before V8.2

WP Maps Pro bug exploited to create admin accounts on WordPress sites

FBI warns of fake FIFA websites running World Cup fraud schemes

BTMOB Android malware service generates custom phishing payloads

Catchy & Intriguing

Defending Canada’s Digital Frontier: Combating Phishing, Social Engineering, Ransomware, and Malware

The Essential Guide to Removing Computer Infections: Step-by-Step Remedies

Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

Most Popular