Bulletproof TLS Guide - 1.5 Validate and Monitor

1.5 Validate and Monitor

Configuring TLS, especially for use on web sites, has become increasingly complex in recent years. There are so many options to choose that you're virtually guaranteed to get something wrong when you first try. Moreover, things change—sometimes accidentally, sometimes silently through software upgrades. For that reason, we recommend that you find a reliable configuration assessment tool that you trust. Use it periodically to ensure that you stay secure.

Several modern browser technologies come with reporting facilities, which can give you real-time insight into problems that your users are experiencing. CSP supports reporting and even a report-only mode without policy enforcement. A more recent technology, called Network Error Logging (NEL), provides reporting for a wide variety of network problems, including TLS and PKI.¹

There is also the Expect-CT HTTP response header, which was designed to support early opt-in into CT before this technology became de facto required. With Expect-CT reporting, it’s possible to get a full certificate chain that’s not CT compliant. Although this feature is very useful, it is most likely that Expect-CT will be deprecated, now that pre-CT public certificates have all expired.