
QA Fes 2016. Per Thorsheim. Setting the standard: Website security for the Norwegian government



In May 2016 Per Thorsheim assisted the Norwegian government in developing a recommendation on how all government organisations should deploy HTTPS by default for all websites. These recommendations include security settings that minimize the risk of Man-in-the-Middle attacks, including eavesdropping on and tampering with data in transit.

Ordered by the department of justice, this will be the standard for all government organisations in Norway, and will also act as a strong recommendation for the private sector.

This standard will significantly improve the security & privacy of all citizens in Norway, as well as of any visitors to Norwegian government websites. It is also something we would like other countries to do.

Published in: Education


  1. Setting the Standard: Website Security for the Norwegian Government. Per Thorsheim, Twitter: @thorsheim
  2. Norwegian newspapers, Nov 15, 2015.
  3. Newspapers in Ukraine, September 29, 2016
  4. June 8, 2015:
  5. (no text)
  6. (no text)
  7. Table of Contents #1
     1. Introduction
     2. Background
     3. Recommendation from NSM
     4. Description of HTTPS
        a. What it is
        b. What it does
        c. What it doesn't do
  8. Table of Contents #2
     5. Recommended implementation
        a) Use the newest version of TLS (currently TLSv1.2)
        b) Use strong cipher suites, with Forward Secrecy & Authenticated Encryption
        c) Use certified implementations, if possible
        d) Use trusted Certificate Authorities, if possible; with Certificate Transparency, if possible
        e) Use HTTP Strict Transport Security (HSTS), if possible
        f) Use Certificate Pinning, if possible
        g) Use hardware key protection, if possible
  9. Table of Contents #3
     6. Possible wins & consequences of implementation
        a) Increased trust in the service provided
        b) Use of outdated hardware and software
        c) Requirement for HTTPS usage from international actors (USA, Germany)
        d) Potential implementation & maintenance costs
        e) Multiple provider mixed content issues
        f) Support for implementation
        g) Performance impact
        h) Consequences for other relevant technologies: HTTP/2, security headers, DNSSEC
  10. LOOKING FOR VOLUNTEERS! This should be done in Ukraine as well! (Contact me, and I will try to help you.)
  11. +47 90 99 92 59 (Signal, Whatsapp) @thorsheim QUESTIONS?
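The recommendations listed on slide 8 (newest TLS, forward-secret AEAD cipher suites, HSTS) can be turned into a simple compliance check. The following is an added example, not part of the slides or the Norwegian standard; it assumes a scanner has already recorded the negotiated protocol, the OpenSSL-style cipher suite name and the Strict-Transport-Security header, and it treats TLSv1.3 as an acceptable newer version even though the 2016 slides name TLSv1.2 as the newest.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical observation record; a real scanner would fill these in after connecting.
@dataclass
class Observation:
    protocol: str          # negotiated version as OpenSSL reports it, e.g. "TLSv1.2"
    cipher: str            # OpenSSL cipher suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    hsts: Optional[str]    # value of the Strict-Transport-Security header, or None if absent

ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")   # slide 8 (a): newest TLS; 1.3 accepted as newer
FORWARD_SECRET_KEX = ("ECDHE-", "DHE-")       # slide 8 (b): ephemeral key exchange => forward secrecy
AEAD_MARKERS = ("-GCM-", "-CHACHA20-", "-CCM")  # slide 8 (b): authenticated-encryption suites

def check(obs: Observation) -> List[str]:
    """Return one finding per failed recommendation; an empty list means all checks pass."""
    findings = []
    if obs.protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"protocol {obs.protocol} is outdated; use TLSv1.2 or newer")
    if obs.protocol != "TLSv1.3":   # every TLS 1.3 suite is ephemeral-DH and AEAD by construction
        if not obs.cipher.startswith(FORWARD_SECRET_KEX):
            findings.append(f"cipher {obs.cipher} lacks forward secrecy (static key exchange)")
        if not any(marker in obs.cipher for marker in AEAD_MARKERS):
            findings.append(f"cipher {obs.cipher} is not an AEAD suite")
    if obs.hsts is None:
        findings.append("no Strict-Transport-Security header (HSTS not enabled)")
    else:
        # Browsers only enforce HSTS when max-age is present and positive.
        match = re.search(r"max-age\s*=\s*(\d+)", obs.hsts, re.IGNORECASE)
        if match is None or int(match.group(1)) == 0:
            findings.append(f"HSTS header '{obs.hsts}' has no positive max-age; browsers will not enforce it")
    return findings

# Constructed sample observations (not real servers).
GOOD = Observation("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "max-age=31536000; includeSubDomains")
LEGACY = Observation("TLSv1.0", "AES256-SHA", None)
PARTIAL = Observation("TLSv1.2", "ECDHE-RSA-AES256-SHA", "max-age=0")

if __name__ == "__main__":
    for name, obs in (("good", GOOD), ("legacy", LEGACY), ("partial", PARTIAL)):
        print(name, "->", check(obs) or "compliant")
```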