Abstract:
TLS is the most commonly used protocol to secure communications of client-server applications. The most prominent usage is HTTPS, HTTP over TLS, which ensures that a third party cannot read or alter the data transported between a website and a browser. Institutions such as the German BSI and the US NIST publish guidelines that specify recommendations with which a TLS server must comply to be considered secure by said guideline. As this is a constantly evolving field, these guidelines change, and if administrators of TLS servers do not keep up, their configurations become outdated and possibly insecure. We evaluate the TLS configurations of the one million top-ranking sites on the Tranco list regarding compliance with the BSI and NIST guidelines and find that no server strictly follows every recommendation. First, we present the design and implementation of an extension for the TLS-Scanner project, which evaluates TLS guidelines for a server. Then we perform a large-scale scan of the one million hosts and present the evaluation results. We conclude that no server strictly follows every rule, with reasons ranging from negligence to the intentional sacrifice of security for interoperability.