
Suggestions for the SSL and TLS Deployment Best Practices update

Question asked by Karl Ewald on Apr 17, 2019

I noticed with some surprise that https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices hasn't been updated since May 2017, as I would have expected that it keeps up with the rating criteria. So I was happy that in https://community.qualys.com/message/45229-update-best-practices-prioritize-gcm-over-cbc ysannegowda mentioned that an update will soon take place.

Since I found no other recent thread about the Best Practices document, I am posting my suggestions for it here and invite others to contribute their opinions.
I think it would be helpful to add at the end of section 1.4 "once you have selected the CA you will be using, insert a CAA record in your DNS zone(s), as well as a record permitting or forbidding wildcard requests depending on your choice." and maybe give an example:

@       CAA     0 issue "chosen-authority.tld"
@       CAA     0 issuewild ";"

In 4.6 the example includes "preload" but the text mentions that preloading can be employed for higher security. The URL in footnote 5 has changed (a redirect is in place) to https://hstspreload.org/ and this document advises only to include preloading after HSTS has been tested successfully, so I think it would be better to show the example without preload, otherwise readers might include it in their first HSTS configuration without fully understanding the consequences.


Many thanks for your great service to the community.
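An added example (my own code, not from the original post or the SSL Labs document) of what the two suggested CAA records actually mean to a CA: it loads a constructed zone fragment built from the post's records, climbs from the requested name to the nearest CAA RRset the way RFC 8659 requires, and applies `issue` or `issuewild` depending on whether the request is for a wildcard. The zone names, the `other-ca.tld` record and the `account=` parameter are assumptions added for illustration.

```python
# Added example: evaluate CAA policy for a certificate request (RFC 8659 semantics).
# Not part of the original post; the zone below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed sample zone (not a real domain's records): the two records from the
# post at the apex, plus an assumed sub-name with its own, more permissive policy.
SAMPLE_ZONE_TEXT = """
; constructed sample zone for example.com
@       CAA     0 issue "chosen-authority.tld"
@       CAA     0 issuewild ";"
legacy  CAA     0 issue "other-ca.tld; account=12345"
"""


def parse_caa_line(line):
    """Parse one zone-file style line such as '@ CAA 0 issue "ca.tld"' into (owner, CAARecord)."""
    owner, rtype, flags, tag, value = line.split(None, 4)
    if rtype.upper() != "CAA":
        raise ValueError("not a CAA record: " + line)
    return owner, CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def load_zone(text, origin):
    """Build {owner name: [CAARecord, ...]} from zone text, expanding '@' and relative owners."""
    zone = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, rec = parse_caa_line(line)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        zone.setdefault(owner.lower().rstrip("."), []).append(rec)
    return zone


def find_relevant_rrset(zone, name):
    """Walk from name toward the root and return the first CAA RRset found (RFC 8659 section 3)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def issuer_domain(value):
    """Strip CAA parameters: 'ca.tld; account=1' -> 'ca.tld'. A bare ';' yields '' (nobody may issue)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, name, ca):
    """True if CA `ca` may issue for `name` ('*.example.com' for a wildcard request)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = find_relevant_rrset(zone, base)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    if wildcard:
        wild = [r for r in rrset if r.tag == "issuewild"]
        # issuewild takes precedence for wildcards; without it, issue applies
        applicable = wild if wild else [r for r in rrset if r.tag == "issue"]
    else:
        applicable = [r for r in rrset if r.tag == "issue"]
    if not applicable:
        return True  # RRset exists but carries no issue/issuewild property: unrestricted
    return ca.lower() in {issuer_domain(r.value) for r in applicable}


SAMPLE_ZONE = load_zone(SAMPLE_ZONE_TEXT, "example.com")

if __name__ == "__main__":
    for req, ca in [("www.example.com", "chosen-authority.tld"),
                    ("*.example.com", "chosen-authority.tld"),
                    ("legacy.example.com", "other-ca.tld")]:
        print(req, ca, "->", "permitted" if caa_permits(SAMPLE_ZONE, req, ca) else "refused")
```

The point the records make is visible in the results: the `issue` record restricts every non-wildcard name under the apex to the chosen CA, while `issuewild ";"` refuses every wildcard request even from that CA. A sub-name with its own CAA RRset replaces, rather than narrows, the apex policy, which is worth remembering when delegating sub-zones.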
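An added example (my own code, not from the original post or the SSL Labs document) for the HSTS point: it parses a `Strict-Transport-Security` header value and reports whether `preload` is present before the policy meets the header-value requirements hstspreload.org publishes (a `max-age` of at least one year and `includeSubDomains`). The function and field names are my own assumptions; the header strings are constructed.

```python
# Added example: lint an HSTS header value for premature "preload".
# Not part of the original post; the header values are constructed.
ONE_YEAR = 31536000  # minimum max-age (seconds) hstspreload.org accepts for submission


def parse_hsts(header):
    """Split 'max-age=31536000; includeSubDomains; preload' into a lower-cased directive map."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def assess_hsts(header):
    """Return the parsed policy plus a list of problems; an empty list means no finding."""
    d = parse_hsts(header)
    result = {
        "max_age": int(d["max-age"]) if d.get("max-age", "").isdigit() else None,
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
        "preload_eligible": False,
        "problems": [],
    }
    if result["max_age"] is None:
        # Without a numeric max-age the header is not a valid HSTS policy at all.
        result["problems"].append("max-age missing or not numeric; browsers ignore the header")
        return result
    result["preload_eligible"] = (
        result["preload"] and result["include_subdomains"] and result["max_age"] >= ONE_YEAR
    )
    if result["preload"]:
        # preload only makes sense once the policy is strong enough to be submitted.
        if not result["include_subdomains"]:
            result["problems"].append("preload set without includeSubDomains")
        if result["max_age"] < ONE_YEAR:
            result["problems"].append("preload set with max-age below one year")
    return result


if __name__ == "__main__":
    for h in ["max-age=31536000",
              "max-age=15768000; preload",
              "max-age=31536000; includeSubDomains; preload"]:
        print(h, "->", assess_hsts(h)["problems"] or "ok")
```

The first header is the shape the post argues the Best Practices example should take: a working HSTS policy with no `preload`. The check only covers the header value itself; the preload list has further requirements (serving the header on the HTTPS redirect, for instance) that no header lint can see, which is the reason for testing HSTS first and adding `preload` last.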
