Secure by default - the case of TLS
Martin Stanek

TL;DR
This paper evaluates the default TLS configurations across multiple servers, highlighting the need for broader adoption of secure defaults and caution among administrators.
Contribution
It provides empirical evidence that current default TLS settings are often insecure, advocating for the 'secure by default' principle in software configuration.
Findings
Many default TLS configurations are insecure
System administrators cannot rely solely on defaults for security
Broader adoption of secure defaults is recommended
Abstract
Default configurations of various software applications often neglect security objectives. We tested the default TLS configuration of a dozen web and application servers. The results show that the "secure by default" principle should be adopted more broadly by developers and package maintainers. In addition, system administrators cannot rely blindly on default security options.
Taxonomy
Topics: IPv6, Mobility, Handover, Networks, Security · Cryptography and Data Security · Advanced Authentication Protocols Security
