SOC2-CC6-ENCRYPTION-TRANSIT

Encryption in Transit (TLS)

Preventive | High effectiveness | Quarterly

What this control does

Enforcement of TLS 1.2+ for all data transmitted over networks, including internal service-to-service communication.

Implementation guidance

Configure all load balancers and API gateways to enforce TLS 1.2+ and reject older protocols. Use HSTS headers for web applications. Enable mutual TLS (mTLS) for internal service communication where feasible. Scan for TLS misconfigurations quarterly using a tool like SSL Labs or Qualys.

Requirements satisfied

CC6.7

Why it matters

Without enforced TLS 1.2+, attackers can intercept unencrypted network traffic to steal API credentials, session tokens, or customer data during transmission. Weak TLS versions (1.0, 1.1) or weak cipher suites create exploitable cryptographic weaknesses that compromise the confidentiality of all data in motion, making compliance with CC6.7 impossible.

Evidence to collect

  • Load balancer/API gateway configuration showing TLS 1.2+ enforcement and disabled legacy protocols (e.g., nginx ssl_protocols directive, AWS ALB security policy)
  • testssl.sh or SSL Labs scan report for all public endpoints showing no TLS 1.0, 1.1, or weak ciphers
  • HSTS header response captured from web application (e.g., curl -I https://app.example.com)
  • mTLS certificate chain validation log or service mesh policy (e.g., Istio PeerAuthentication resource) showing mutual TLS enforced

Testing procedure

Auditor uses nmap or testssl.sh to scan all externally facing endpoints and verifies that only TLS 1.2 and 1.3 are enabled; confirms TLS 1.0/1.1 and weak ciphers are disabled. For internal services, auditor verifies mTLS is active by capturing a service-to-service request and checking the client certificate in the TLS handshake. Auditor reviews load balancer and API gateway configurations to confirm HSTS headers (max-age 31536000) are present on all web endpoints.

Common gotchas

Organizations often leave legacy TLS 1.1 enabled for backward compatibility with older clients and never actually test that TLS 1.0/1.1 handshakes are rejected; audit tools may flag weak ciphers in an explicitly configured list while missing cipher suites that the server or its TLS library enables by default. Failing to set the HSTS preload directive, or using too-short max-age values (less than 6 months), leaves browsers free to fall back to plain HTTP once the policy expires, defeating the control entirely.
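The evidence items, testing procedure and gotchas above all reduce to two mechanical checks an auditor can script: does any nginx ssl_protocols directive still list a legacy protocol, and does the captured HSTS header carry a max-age of at least 31536000 with includeSubDomains and preload set. The following Python is an added illustration, not part of this control catalog; the nginx snippet and curl output it inspects are constructed samples, not captured from a real system.

```python
import re

# Constructed sample evidence (not captured from any real system).
NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;   # legacy still enabled
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;                 # compliant
}
"""
CURL_OUTPUT = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: text/html
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000  # max-age in seconds that the testing procedure expects


def legacy_protocols_enabled(conf: str) -> set:
    """Return legacy protocol names found in any ssl_protocols directive."""
    found = set()
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M):
        found |= set(m.group(1).split()) & LEGACY
    return found


def hsts_from_curl(output: str):
    """Pull the Strict-Transport-Security value out of `curl -I` output."""
    for line in output.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None  # header absent: control not in place for this endpoint


def parse_hsts(header_value: str) -> dict:
    """Split an HSTS value into lower-cased directive names and values."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives


def hsts_satisfies_control(header_value: str, min_age: int = ONE_YEAR):
    """Pass only if max-age >= min_age; also report missing directives."""
    d = parse_hsts(header_value)
    age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    findings = [] if age >= min_age else [f"max-age {age} below {min_age}"]
    findings += [f"missing {f}" for f in ("includesubdomains", "preload") if f not in d]
    return age >= min_age, findings
```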