Ensure TLS Connections do not use Anonymous DH
Do not use Anonymous Diffie-Hellman for secure connections to prevent security vulnerabilities.
Plain language
This control is about making sure that when your systems talk to each other securely over the internet, they don't use a risky shortcut called Anonymous Diffie-Hellman (DH). If this shortcut is used, it leaves the door open for cybercriminals to sneak in and eavesdrop on your private information. Imagine hiring a security guard who doesn't ask your name or ID; that's what Anonymous DH effectively does.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Transport Layer Security
Official control statement
Anonymous DH is not used for TLS connections.
Why it matters
Using Anonymous DH exposes TLS sessions to man-in-the-middle attacks, enabling interception or alteration of sensitive data in transit.
Operational notes
Audit TLS configs to disable ADH/anon cipher suites (e.g., ADH-*) and confirm servers only offer authenticated DHE/ECDHE suites after changes.
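As an added example (not part of the original control page), the following Python classifies cipher suite names taken from a scan report or `openssl ciphers -v` output, flags anonymous DH/ECDH suites, and checks that an OpenSSL-style cipher string excludes them; the sample suite list and cipher strings are constructed for illustration.

```python
"""Flag anonymous DH/ECDH cipher suites in TLS audit evidence (ISM-1373 check)."""
import re

# Audit evidence mixes OpenSSL names (ADH-*, AECDH-*) and IANA names
# (TLS_DH_anon_*, TLS_ECDH_anon_*); both mean "no server authentication".
ANON_OPENSSL_PREFIXES = ("ADH-", "AECDH-")
IANA_ANON = re.compile(r"^TLS_(DH|ECDH)_anon_")


def is_anonymous(suite: str) -> bool:
    """True if the suite performs no server authentication (anonymous DH/ECDH)."""
    return suite.startswith(ANON_OPENSSL_PREFIXES) or bool(IANA_ANON.match(suite))


def is_authenticated_ephemeral(suite: str) -> bool:
    """True for authenticated DHE/ECDHE suites. TLS 1.3 suites (TLS_AES_*,
    TLS_CHACHA20_*) always use an authenticated (EC)DHE handshake, so they count."""
    if is_anonymous(suite):
        return False
    if suite.startswith(("DHE-", "ECDHE-", "TLS_DHE_", "TLS_ECDHE_")):
        return True
    return suite.startswith(("TLS_AES_", "TLS_CHACHA20_"))


def audit_offered_suites(offered):
    """Return (anonymous, non_ephemeral). The control passes only when the
    first list is empty; the second lists authenticated suites without forward secrecy."""
    anonymous = [s for s in offered if is_anonymous(s)]
    non_ephemeral = [s for s in offered
                     if not is_anonymous(s) and not is_authenticated_ephemeral(s)]
    return anonymous, non_ephemeral


# Constructed sample of what a scan of a misconfigured server might list.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ADH-AES128-SHA",
    "AECDH-AES256-SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "AES128-SHA",  # authenticated RSA key transport, but no forward secrecy
    "TLS_AES_128_GCM_SHA256",
]

# Constructed OpenSSL cipher strings: "ALL" still permits aNULL (anonymous)
# suites; the hardened string removes them with !aNULL.
WEAK_CIPHER_STRING = "ALL"
HARDENED_CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"


def cipher_string_excludes_anonymous(cipher_string: str) -> bool:
    """Static check that an OpenSSL cipher string permanently removes aNULL suites."""
    return "!aNULL" in cipher_string.split(":")
```

After changing a configuration, re-run the scan and feed the newly offered suite list through `audit_offered_suites` to confirm the anonymous list is empty.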
Implementation tips
- IT team should review the current transport security settings: They need to check the systems and servers to ensure Anonymous DH is not used. This involves looking into the configuration files of each system to confirm that stronger methods, such as certificate-authenticated key exchange, are used instead.
- System owner should regularly engage cybersecurity consultants: Hire experts periodically to check that your systems comply with modern security standards, particularly avoiding Anonymous DH. This can be done by scheduling annual external security audits and reviewing the findings.
- Management should ensure IT staff are up-to-date on best practices: Organise regular training sessions to educate your team on the latest in secure communications protocols. By attending webinars and workshops, the IT team can stay informed on regulatory changes and new risks.
- Procurement should involve IT in purchasing decisions: When buying new hardware or software, get the IT team to review security configurations to ensure they do not employ Anonymous DH by default. This involves a pre-purchase checklist review of security standards and consultant vetting.
- Leadership should establish a clear security policy: A policy should be documented stating Anonymous DH is not allowed. This includes creating a clear employee handbook or guideline that outlines the secure methods each team must use to protect communications.
Audit / evidence tips
- Ask: the transport security configuration documentation. Request detailed setup guides or records from IT showing what protocols are enabled.
  Good: includes detailed configuration files indicating use of secure protocols only.
- Good: will show only authorised protocols such as HTTPS or TLS with certificates being used.
- Ask: training records regarding protocol use. Request evidence of staff training on secure protocols.
  Good: includes documentation of recent IT training that included avoidance of Anonymous DH.
- Ask: reports from recent security evaluations focusing on communication protocol checks.
  Good: outcome shows reports where experts confirm secure practices.
- Ask: policy documentation. Obtain the company's security policy documents that should mention the prohibition of Anonymous DH.
  Good: is a clear policy statement forbidding Anonymous DH in secure communications.
Cross-framework mappings
How ISM-1373 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-1373 requires that TLS connections are configured so Anonymous Diffie-Hellman (ADH) cipher suites are not used | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.