This document provides recommendations for implementing website security standards for the Norwegian government. It begins with background information on HTTPS and what it does and does not do. It then recommends implementing the newest version of TLS, using strong cipher suites with forward secrecy and authenticated encryption. The recommendations also include using certified implementations if possible, trusted certificate authorities, HTTP Strict Transport Policy, certificate pinning, and hardware key protection. Finally, it discusses potential benefits such as increased trust, requirements from other actors, and implementation costs as well as consequences for technologies like HTTP/2 and security headers.
20. Table of Contents #1
1. Introduction
2. Background
3. Recommendation from NSM
4. Description of HTTPS
a. What it is
b. What it does
c. What it doesn’t do
21. Table of Contents #2
5. Recommended implementation
a) Use the newest version of TLS (currently TLSv1.2)
b) Use strong cipher suites, with Forward Secrecy & Authenticated Encryption
c) Use certified implementations, if possible
d) Use trusted Certificate Authorities, if possible
a) With Certificate Transparency, if possible
e) Use HTTP Strict Transport Policy (HSTS), if possible
f) Use Certificate Pinning, if possible
g) Use hardware key protection, if possible
22. Table of Contents #3
6. Possible wins & consequences of implementation
a) Increased trust in the service provided
b) Use of outdated hardware and software
c) Requirement for HTTPS usage from international actors (USA, Germany)
d) Potential implementation & maintenance costs
e) Multiple provider mixed content issues
f) Support for implementation
g) Performance impact
h) Consequences for other relevant technologies:
a) HTTP/2, security headers, DNSSEC
