

The Transport Layer Security (TLS) protocol is the primary means of protecting network communications over the Internet. It (and its predecessor, Secure Sockets Layer or SSL) has been used for decades in many applications, but most notably in browsers when they visit HTTPS websites. TLS usually functions quietly in the background, but contrary to what one might think, TLS is not a black box that just works. Rather, the security TLS provides arises from the cooperation of various cryptographic algorithms. Moreover, TLS, like SSL before it, constantly evolves with the security industry: new technology and business requirements must be satisfied, while the latest security threats must be mitigated. Algorithms can become obsolete over time, or practices can be abandoned, with each change affecting the overall security of a TLS instance (like the one protecting your connection right now). This volatility has motivated various standards organizations to publish guideline documents, so that a minimum baseline for TLS security could be established in a particular market, sector or service. Unfortunately, there are numerous such standards, with different sectors requiring compliance with different, applicable documents, while the standards themselves also evolve over time, accommodating changes in the sector they were designed to protect. Understandably, navigating through this sea of standards in order to set up a modern TLS instance can be a real headache for administrators.

HIPAA is a regulation enacted by the US government in 1996, concerning the secure handling of Protected Health Information (PHI). PHI refers to any digital patient information, such as test results or diagnoses. A HIPAA guidance document published in 2013 states the following: “Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.” In 2005, NIST published Special Publication (SP) 800-52, describing the correct operational procedures to securely configure a TLS instance for government servers. This article follows the guidelines of SP 800-52r2, which is currently stable.

PCI-DSS is a compliance standard maintained by the Payment Card Industry (PCI) Security Standards Council (SSC) which establishes how payment and card information are handled by e-commerce web sites. Regarding the proper configuration of TLS instances, PCI-DSS states: “Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g. NIST SP 800-52 and SP 800-57, OWASP, etc.)”

TLS standards: putting these all together
