internetstandards · mxsasha · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/.well-known/security.txt b/.well-known/security.txt
@@ -1,6 +1,8 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
+Hash: SHA512
+
 # Canonical URLs
 Canonical: https://internet.nl/.well-known/security.txt
 Canonical: https://www.internet.nl/.well-known/security.txt
@@ -28,20 +30,21 @@ Encryption: https://internet.nl/static/question@internet.nl_0x45028563.asc
 # Our security policy
 Policy: https://internet.nl/disclosure/
 
-Expires: 2026-09-25T00:00:00Z
+Expires: 2027-04-10T00:00:00Z
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAEBCgAdFiEErLeIKUx+ErrpIoxg2JThX0UChWMFAmjWfAcACgkQ2JThX0UC
-hWNptw/8ChAXXJcowrTy5y0xYw2YPx0a26M/bTBIZ2TsH0ewmhOHJEOXK9S1V6+I
-oszXGBmm9fUDEXlMC7+f1QfXWXt8Xh1OVd9HOTqVvQ4lmb2XbefGuR6hFuHaveEx
-Ac5nVVpkxwUzBJOQ0idK3bA+cLdosx6JEMPQoKWVPceaTake3TckQ22TEHBRro5z
-i7FAdEfqCjMT1r682cjNa95Q2gj7To06SmU4f/+0O2sjA64FVpOGRjC/Ka5YolZ6
-xLnnHQGz3FuQnKKVSF29l2RnbtNiL9Arr9xUekY8RoO7c7t7/Hwslp/lyYBHWHUZ
-3eeh4bkLgbfLICsjFWhQjU5uHp92ObMF+2N55d4C2oZp+o5C6BfdXW5nACLBreOV
-AjIUpzn59qpRPwV8dni6qzE0+BodIp6yAzBynXoCFoc7+mRK4Njtsr5Ci8Mz7Y2R
-7iBkor6xHmEssyJi2tCWSuZlQUcKx/JKRAKZI3yIOQab7lqfB8cLXogaEgtpAt1U
-8miL7wxKONyJM5bYOcf7UmpQutvRIWB3ZKtw/b0V8i/HCl7IzpyRASgwGbi93cqD
-EQw6/W5v4AtqoktNdxvWKyi+3NORfBdYHkCnLDGWtMMJpbW17iD4RVg866ode0Sv
-ukBLiBbSZTIJjv9294oKjRgKnZgy9PZ1+6bxLjmBl8k9XQJrQ18=
-=LFEm
+iQJiBAEBCgBMFiEErLeIKUx+ErrpIoxg2JThX0UChWMFAmniJ8wbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzEhx2cmFhZ0BpbnRlcm5ldC5ubAAKCRDYlOFfRQKF
+YzrhD/9e3YMNFNWG4mviKceBABcJzEnuIqzC98f4dv+1rE4NCfrSJBWSFdqJqtsJ
+q5C34/Ny93PpuzhKB49FWZaASarmf7sBvWkwIVnOGY8BLLUT64XxPAOB8GCa2Lzl
+92KRWm3idBvsP4ovh/rdwuEl/pTuCFj4fUNGeK1gJdnE/b9hn2Hc8ozlNXPINYhE
+mcfZrw8Ez2XrJ3iJZ2yvRyui/btJGo0b912eb94g0uI1bQszOt7hq3Ah8I4DagHK
+yNPrJ/en9M4hyZepz/4I3Qzxtwrv4SloMwcF1fYn7ZyWY47OlQILrqauGzzLAXH4
+UT8c09LKEapc5ISNrq5MYnn6jMSIR78rLkcd37KVpeU9wKD/anDbSfa3++pT5M+A
+mYhTNh8CyU9FZD/f3Ux7R6RTPPCytiAocas5HC5NmPhc8vEx0TZ2J2l8uZorBwri
+46A2+4AaVCIo/QYl4yWpjt/734Om4wegmOdUTMMW6o39sxQLvjGs0JfwwhTbUdLc
+OeYRV4WOQRexxOxEQi28uLt0UOp/kuBHVmvMKSUQgxfykHMn7lIZgfuiFavNge28
+ofXtxLP+0vRR2oJusb47yIAerLUUQmPt12pqI3awn2qgHOpb8zmrBMS3mC0j1+VI
+EtSsBnMpBqJBqCzG2odFkSy/7cip8ybwchSVfJQ+Zrmf80bcUQ==
+=zDK4
 -----END PGP SIGNATURE-----
diff --git a/docker/integration-tests/www/well-known/security.txt b/docker/integration-tests/www/well-known/security.txt
@@ -1,6 +1,8 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
+Hash: SHA512
+
 # Canonical URLs
 Canonical: https://internet.nl/.well-known/security.txt
 Canonical: https://www.internet.nl/.well-known/security.txt
@@ -28,20 +30,21 @@ Encryption: https://internet.nl/static/question@internet.nl_0x45028563.asc
 # Our security policy
 Policy: https://internet.nl/disclosure/
 
-Expires: 2026-09-25T00:00:00Z
+Expires: 2027-04-10T00:00:00Z
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAEBCgAdFiEErLeIKUx+ErrpIoxg2JThX0UChWMFAmjWfAcACgkQ2JThX0UC
-hWNptw/8ChAXXJcowrTy5y0xYw2YPx0a26M/bTBIZ2TsH0ewmhOHJEOXK9S1V6+I
-oszXGBmm9fUDEXlMC7+f1QfXWXt8Xh1OVd9HOTqVvQ4lmb2XbefGuR6hFuHaveEx
-Ac5nVVpkxwUzBJOQ0idK3bA+cLdosx6JEMPQoKWVPceaTake3TckQ22TEHBRro5z
-i7FAdEfqCjMT1r682cjNa95Q2gj7To06SmU4f/+0O2sjA64FVpOGRjC/Ka5YolZ6
-xLnnHQGz3FuQnKKVSF29l2RnbtNiL9Arr9xUekY8RoO7c7t7/Hwslp/lyYBHWHUZ
-3eeh4bkLgbfLICsjFWhQjU5uHp92ObMF+2N55d4C2oZp+o5C6BfdXW5nACLBreOV
-AjIUpzn59qpRPwV8dni6qzE0+BodIp6yAzBynXoCFoc7+mRK4Njtsr5Ci8Mz7Y2R
-7iBkor6xHmEssyJi2tCWSuZlQUcKx/JKRAKZI3yIOQab7lqfB8cLXogaEgtpAt1U
-8miL7wxKONyJM5bYOcf7UmpQutvRIWB3ZKtw/b0V8i/HCl7IzpyRASgwGbi93cqD
-EQw6/W5v4AtqoktNdxvWKyi+3NORfBdYHkCnLDGWtMMJpbW17iD4RVg866ode0Sv
-ukBLiBbSZTIJjv9294oKjRgKnZgy9PZ1+6bxLjmBl8k9XQJrQ18=
-=LFEm
+iQJiBAEBCgBMFiEErLeIKUx+ErrpIoxg2JThX0UChWMFAmniJ8wbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzEhx2cmFhZ0BpbnRlcm5ldC5ubAAKCRDYlOFfRQKF
+YzrhD/9e3YMNFNWG4mviKceBABcJzEnuIqzC98f4dv+1rE4NCfrSJBWSFdqJqtsJ
+q5C34/Ny93PpuzhKB49FWZaASarmf7sBvWkwIVnOGY8BLLUT64XxPAOB8GCa2Lzl
+92KRWm3idBvsP4ovh/rdwuEl/pTuCFj4fUNGeK1gJdnE/b9hn2Hc8ozlNXPINYhE
+mcfZrw8Ez2XrJ3iJZ2yvRyui/btJGo0b912eb94g0uI1bQszOt7hq3Ah8I4DagHK
+yNPrJ/en9M4hyZepz/4I3Qzxtwrv4SloMwcF1fYn7ZyWY47OlQILrqauGzzLAXH4
+UT8c09LKEapc5ISNrq5MYnn6jMSIR78rLkcd37KVpeU9wKD/anDbSfa3++pT5M+A
+mYhTNh8CyU9FZD/f3Ux7R6RTPPCytiAocas5HC5NmPhc8vEx0TZ2J2l8uZorBwri
+46A2+4AaVCIo/QYl4yWpjt/734Om4wegmOdUTMMW6o39sxQLvjGs0JfwwhTbUdLc
+OeYRV4WOQRexxOxEQi28uLt0UOp/kuBHVmvMKSUQgxfykHMn7lIZgfuiFavNge28
+ofXtxLP+0vRR2oJusb47yIAerLUUQmPt12pqI3awn2qgHOpb8zmrBMS3mC0j1+VI
+EtSsBnMpBqJBqCzG2odFkSy/7cip8ybwchSVfJQ+Zrmf80bcUQ==
+=zDK4
 -----END PGP SIGNATURE-----
diff --git a/remote_data/certs/ca-bundle.crt b/remote_data/certs/ca-bundle.crt
diff --git a/remote_data/certs/certdata.txt b/remote_data/certs/certdata.txt
diff --git a/remote_data/certs/root_fingerprints b/remote_data/certs/root_fingerprints
@@ -1,13 +1,6 @@
-B1BC968BD4F49D622AA89A81F2150152A41D829C
-503006091D97D4F5AE39F7CBE7927D7D652D3431
-D4DE20D05E66FC53FE1A50882C78DB2852CAE474
 B31EB1B740E36C8402DADC37D44DF5D4674952F9
-D1EB23A46D17D68FD92564C2F1F1601764D8E349
 CA3AFBCF1240364B44B216208880483919937CF7
 1F4914F7D874951DDDAE02C0BEFD3A2D82755185
-B80186D1EB9C86A54104CF3054F34C52B7E558C6
-2796BAE63F1801E277261BA0D77770028F20EEE4
-AD7E1C28B064EF8F6003402014C3D0E3370EB58A
 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
 A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
@@ -135,10 +128,6 @@ EC2C834072AF269510FF0EF203EE3170F6789DCA
 18523B0D0637E4D63ADF23E498FB5B16FB867448
 63CFB6C1272B56E4888E1C239AB62E814724C3C7
 5773A5615D80B2E6AC3882FC680731AC9FB5925A
-0786C0D8DD8EC080980698D0587AEFDEA6CCA25D
-3C3FEF570FFE6593869EA0FEB0F6ED8ED113C7E5
-6D0A5FF7B42306B485B3B79764FCAC75F533F293
-EAB0E2521B89934C1168F2D89AAC224CA38A57AE
 C0F896C5A93B01062107DA184248BCE99D88D5EC
 54D3ACB3BD5756F6859DCEE5C321E2D4AD83D093
 A8311174A614150DCA77DD0EE40C5D58FCA072A5
@@ -147,4 +136,10 @@ F6B11C1A8338E97BDBB3A8C83324E02D9C7F2666
 DD50C0F779B3642E74A2B89D9FD340DDBBF0F24F
 CBBA83C8C15A5DF1F9736FCAD7EF2813064A077D
 2DB070EE7194AF696817DB79CE589FA06B96F787
+B5EC39F3A16637AEC3059457E2BE11BEB7A17F36
+A54650C562EA959A1AA7046F1758C729533D03FA
 A55BD8476C8F19F74CF46D6BB6C2798222DF548B
+81340ABE4CCDCECCE77DCC8AD457E245A0775DCE
+3BF68B09AE2A927BBAE38D3F1195D9E6440C45E2
+F700342594886831E434873F70FE86B3869FF06E
+6F9AD5D5DFE82CEBBE3707EE4F4F52582941D1FE
diff --git a/remote_data/dns/root.key b/remote_data/dns/root.key
@@ -1,10 +1,10 @@
 ; autotrust trust anchor file
 ;;id: . 1
-;;last_queried: 1748347868 ;;Tue May 27 14:11:08 2025
-;;last_success: 1748347868 ;;Tue May 27 14:11:08 2025
-;;next_probe_time: 1748388858 ;;Wed May 28 01:34:18 2025
+;;last_queried: 1776426131 ;;Fri Apr 17 11:42:11 2026
+;;last_success: 1776426131 ;;Fri Apr 17 11:42:11 2026
+;;next_probe_time: 1776465036 ;;Fri Apr 17 22:30:36 2026
 ;;query_failed: 0
 ;;query_interval: 43200
 ;;retry_time: 8640
-.	86400	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=1748347868 ;;Tue May 27 14:11:08 2025
-.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1519657238 ;;Mon Feb 26 16:00:38 2018
+.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1519657238 ;;Mon Feb 26 15:00:38 2018
+.	86400	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1776426131 ;;Fri Apr 17 11:42:11 2026
diff --git a/remote_data/macs/padded_macs.json b/remote_data/macs/padded_macs.json
diff --git a/translations/en/main.po b/translations/en/main.po
@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2015-02-16 23:27+0100\n"
-"PO-Revision-Date: 2026-04-15 14:31:13.464249\n"
+"PO-Revision-Date: 2026-04-17 12:43:42.086748\n"
 "Last-Translator: \n"
 "Language-Team: \n"
 "Language: \n"
@@ -1424,6 +1424,7 @@ msgstr ""
 "* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`\n"
 "\n"
 "Phase out [TLS 1.2]:\n"
+"\n"
 "* `TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`\n"
 "* `TLS_DHE_RSA_WITH_AES_128_CCM`\n"
 "* `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`\n"
@@ -3279,6 +3280,7 @@ msgstr ""
 "* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`\n"
 "\n"
 "Phase out [TLS 1.2]:\n"
+"\n"
 "* `TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`\n"
 "* `TLS_DHE_RSA_WITH_AES_128_CCM`\n"
 "* `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`\n"

diff --git a/translations/en/news.po b/translations/en/news.po
@@ -807,17 +807,24 @@ msgstr "Internet.nl adds CAA test and announces TLS test changes"
 msgid "article release-1.11 body"
 msgstr ""
 "## What is TLS?\n"
+"The open standard Transport Layer Security (TLS) can be used to secure connections between systems. This includes, for example, the connection between your browser and the server hosting the website you are visiting. It can also be used to secure the connection between mailservers. TLS ensures that third parties cannot simply intercept the data being transmitted over the network.\n"
 "\n"
 "## Why is securely configured TLS important?\n"
+"TLS has many configuration options. Some of these options contain vulnerabilities that weaken security. It is therefore important to configure TLS to avoid those options. On the other hand, compatibility with other systems must also be taken into account. Certain options may be robust, but are not yet supported by all other systems, which could hinder interoperability.\n"
 "\n"
 "## NCSC's latest TLS guidelines\n"
+"In mid 2025, the NCSC-NL published a major update of the [\"ICT Security Guidelines for Transport Layer Security (TLS)\"](https://www.ncsc.nl/en/transport-layer-security/ICT-beveiligingsrichtlijnen-voor-TLS). These guidelines help to configure TLS securely while ensuring compatibility with other systems. They are based on international best practices such as [IETF BCP 195](https://www.rfc-editor.org/info/bcp195). This update is also expected to be incorporated into the [\"Decree on secure connections to government websites and web applications\"](https://zoek.officielebekendmakingen.nl/stb-2023-179.html) (in Dutch).\n"
 "\n"
-"## Other improvements in this release\n"
+"## Update in Internet.nl\n"
+"From today, you can use [Internet.nl](https://internet.nl) to test whether the TLS configuration of your web server or your incoming mail server is compliant with these updated TLS guidelines. NCSC-NL recognises four different security levels. Settings with a security level of 'Good' and 'Sufficient' pass the Internet.nl test. In the case of 'To be phased out' settings, a warning will be displayed. 'Insufficient' settings result in failure of the test and also lead to a lower score.\n"
 "\n"
-"## Roadmap next release\n"
+"The new version is now available on the Internet.nl website, where you can test individual domain names. It is expected that the new version will also become available on the [batch API and web-based dashboard](https://en.internet.nl/faqs/batch-and-dashboard/) within a few weeks.\n"
+"\n"
+"## Post-quantum cryptography\n"
+"The TLS guidelines also address post-quantum cryptography. Quantum-secure cryptographic algorithms have a security rating of 'Good'. Internet.nl does not currently show whether a server supports one or more of these algorithms. This is, however, on the roadmap and will be included in a future release.\n"
 "\n"
 "## About Internet.nl\n"
-"The test tool [Internet.nl](https://internet.nl) is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the Internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The software code of Internet.nl is available under an open source license. \n"
+"The test tool [Internet.nl](https://internet.nl) is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the Internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The [code of Internet.nl](https://github.com/internetstandards/Internet.nl) is available under an open source license. \n"
 "\n"
 "---\n"
 "\n"
@@ -826,7 +833,7 @@ msgstr ""
 "### TLS updates for NCSC 2025 guidelines\n"
 "\n"
 "All tests were updated to match the\n"
-"[2025-05 version of the NCSC TLS guidelines](https://www.ncsc.nl/en/transport-layer-security-tls/security-guidelines-for-transport-layer-security-2025-05).\n"
+"[2025-05 version of the NCSC TLS guidelines](https://www.ncsc.nl/en/transport-layer-security/ICT-beveiligingsrichtlijnen-voor-TLS).\n"
 "Most significant changes:\n"
 "\n"
 "- The list of good/sufficient/phase out/insufficient TLS versions, TLS authentication, curves, hashes, \n"
@@ -893,7 +900,7 @@ msgstr ""
 "As of today, you can use Internet.nl to check whether the secure connection "
 "for your website or email is compliant with the latest TLS guidelines from "
 "NCSC-NL. This means that websites and email servers that previously passed "
-"the test may now still have areas for improvement."
+"the test may now show new areas for improvement."
 
 msgid "article release-1.11 title"
 msgstr "Fully updated TLS test in new version of Internet.nl"

diff --git a/translations/nl/main.po b/translations/nl/main.po
@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2015-02-16 23:27+0100\n"
-"PO-Revision-Date: 2026-04-15 14:31:13.372274\n"
+"PO-Revision-Date: 2026-04-17 12:43:42.000763\n"
 "Last-Translator: \n"
 "Language-Team: \n"
 "Language: \n"
@@ -1450,6 +1450,7 @@ msgstr ""
 "\n"
 "\n"
 "Uit te faseren [TLS 1.2]:\n"
+"\n"
 "* `TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`\n"
 "* `TLS_DHE_RSA_WITH_AES_128_CCM`\n"
 "* `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`\n"
@@ -3308,6 +3309,7 @@ msgstr ""
 "\n"
 "\n"
 "Uit te faseren [TLS 1.2]:\n"
+"\n"
 "* `TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`\n"
 "* `TLS_DHE_RSA_WITH_AES_128_CCM`\n"
 "* `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`\n"