New Internet.nl with improved tests for TLS and CSP
Latest TLS guidelines from NCSC-NL supported
The recently updated IT security guidelines for Transport Layer Security (TLS) from NCSC-NL have led to the following changes in the website and mail test:
- The security level of TLS 1.2 is downgraded from Good to Sufficient (guideline B1-1). TLS 1.3 is still Good. This has no impact on the Internet.nl test result, because we already considered Sufficient TLS versions to be enough to succeed for the subtest. However, we have included the downgrade in the test explanation of the TLS version subtest.
- The requirements for the ordering of algorithm selections have been simplified. Only the security level now determines the prescribed ordering (guideline B2-5). We have adjusted the cipher order subtest of Internet.nl accordingly.
- Supporting client-initiated renegotation is no longer Insufficient, but Sufficient (guideline B8-1). Internet.nl changed the requirement level for the client-initiated renegotation subtest into 'Optional'.
CSP settings evaluated
Content-Security-Policy (CSP) guards a website against content injection attacks including cross-site scripting (XSS). We now check for several (in)secure CSP settings (like unsafe-inline
and unsafe-eval
), although we do not exhaustively test the effectiveness of your CSP configuration. The requirement level of the CSP subtest has been raised from 'Optional' to 'Recommended'.
Non-mail domains better supported
We now explicitly check for non-sending and non-receiving mail configurations, and expect the following.
- Non-sending domain: Use the most strict DMARC policy (
p=reject
) and SPF policy (-all
) for your domain that you do not use for sending mail in order to prevent abuse ('spoofing'). Note that DKIM is not necessary in this case. - Non-receiving domain: In case you do not want to receive mail on your domain that has A/AAAA records, we advise you to use Null MX. In case your domain does not have A/AAAA records and you do not want to receive mail on it, we advise you to configure no MX record at all (i.e. even not an Null MX record).
Minimum max-age for HSTS extended
HTTP Strict Transport Security (HSTS) forces a web browser to connect directly via HTTPS when revisiting your website. This helps preventing man-in-the-middle attacks. We have decided to extend the mimimum HSTS cache validity period from 6 months to 1 year (max-age=31536000
). This is in conformance with the common good practice.
Further details on the above improvements can be found in the test explanations of the relevant subtests of the website test and the email test.
About Internet.nl
The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone.
Release notes v1.3:
-
New:
- NCSC-NL's TLS guidelines 2.1;
- Validate CSP directives;
- Support non email sending domains in mailtest for DKIM test;
- Explicitly test for NULL MX;
- Support for SSL_OP_PRIORITIZE_CHACHA;
- Keep and display the organizational domain for DMARC;
- 100% badges page in knowledge base;
- Ignore nonces for IPv4 vs IPv6 comparison;
- Accessibility statement for Internet.nl;
- Use IDNA2008.
-
Changes:
- Minimum max-age for HSTS is now 1 year;
- Accept all 3xx+3xx and 3xx+2xx DANE rollover schemes;
- Ignore PKIX TLSA records for email test;
- Make X-Frame-Options optional and no longer consider ALLOW-FROM as sufficiently secure.
-
Bugfixes:
- Detect more ciphers that are available only with the modern openssl library;
- Better exception handling for untrusted certificate in OCSP check;
- Better exception handling for invalid IDNs.