Automating Compliance for Improving TLS Security Postures: An Assessment of Public Administration Endpoints

Riccardo Germenia, Riccardo Germenia, Salvatore Manfredi, Matteo Rizzi, Matteo Rizzi, Giada Sciarretta, Alessandro Tomasi, Silvio Ranise, Silvio Ranise

2024

Abstract

System administrators tasked with configuring TLS servers must make numerous decisions - e.g., selecting the appropriate ciphers, signature algorithms, and TLS extensions - and it may not be obvious, even to security experts, which decisions may expose them to attacks. To address this issue, raise awareness, and establish a security threshold, numerous cybersecurity agencies around the world issue technical guidelines for the use and configuration of TLS. In this paper we carry out an assessment of the TLS security posture of European and US based endpoints in relation to their respective national cybersecurity guidelines. Our results show that a surprisingly high amount of the analyzed websites have a low compliance level when compared to their respective national guideline. We attempt to identify potential causes by presenting a series of observations that may underlie the lack of compliance. The analysis is conducted by employing a TLS analyzer we developed to automate the compliance analysis and the application of the suggested changes, assisting system administrators during this important yet complex task. Our tool and the dataset containing the machine-readable requirements for automating conformity assessment are publicly available, thus making the process auditable and the assets extensible.

Download


Paper Citation


in Harvard Style

Germenia R., Manfredi S., Rizzi M., Sciarretta G., Tomasi A. and Ranise S. (2024). Automating Compliance for Improving TLS Security Postures: An Assessment of Public Administration Endpoints. In Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-709-2, SciTePress, pages 450-458. DOI: 10.5220/0012764700003767


in Bibtex Style

@conference{secrypt24,
author={Riccardo Germenia and Salvatore Manfredi and Matteo Rizzi and Giada Sciarretta and Alessandro Tomasi and Silvio Ranise},
title={Automating Compliance for Improving TLS Security Postures: An Assessment of Public Administration Endpoints},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2024},
pages={450-458},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012764700003767},
isbn={978-989-758-709-2},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - Automating Compliance for Improving TLS Security Postures: An Assessment of Public Administration Endpoints
SN - 978-989-758-709-2
AU - Germenia R.
AU - Manfredi S.
AU - Rizzi M.
AU - Sciarretta G.
AU - Tomasi A.
AU - Ranise S.
PY - 2024
SP - 450
EP - 458
DO - 10.5220/0012764700003767
PB - SciTePress