Skip to main content

HKCERT Released Guideline for Upgrading TLS to Secure Versions

Release Date: 28 Feb 2020 8751 Views

Communication security protocol Transport Layer Security (TLS) ensures data transmission can stand attack of sniffing and data tampering. The protocol has evolved over time with better security and performance. In March of 2020, insecure versions of the protocol TLS 1.0 and TLS 1.1 will approach end-of-support. For the sake of security, IT infrastructure supported by TLS needs to be upgraded to the secure versions of TLS 1.2 and TLS 1.3.
 
The end-of-support will affect many web applications. Website visitors may come across the message “Connection not secure. This page uses weak encryption” if the website has not been upgraded. Please upgrade now to use more secure TLS protocols and algorithms to avoid such embarrassment.
 
HKCERT has published the “TLS Upgrade Guideline” to provide a handy guide for IT leaders to upgrade TLS protocols and cipher suite used to meet the current standard of security in a systematic manner.
 
The Guideline features two simple profiles that can cater different scenarios. One is for maximum security and the other one for balance of security and compatibility. Each profile contains the TLS version(s) and the cipher suites to be used.

 

 

ProfileCriteria of Application TLS Version(s) Used
Modern Security For maximum securityTLS 1.3 only
Intermediate Security Balance high compatibility and good securityBoth TLS 1.2 and TLS 1.3

 

 Below is the recommended approach on the TLS Upgrade Steps, along with detailed steps and tools to use:

 

Recommended approach on the TLS Upgrade Steps

 

The first step “Inventory” is an important start. Some people only consider the most noticeable asset, such as the public web server, and overlook many other devices. The Guideline has listed a number of services that rely on TLS support which has to be paid more attention to.
 
The “Planning” stage offers tips on the strategy and priority of upgrade, and reminds the reader about contingency plan for those assets that cannot be upgraded.
 
Please click “TLS Upgrade Guideline” and “Inventory Table Template” to download. Should users or developers have any comments or enquires about the Guideline, they are most welcome to contact HKCERT via email: [email protected] or its 24-hour telephone hotline: 8105 6060.