NSA Recommends the Use of TLS 1.2 or TLS 1.3 as Other TLS Versions Prove Obsolete
Earlier this month, the US National Security Agency (NSA) announced in a security advisory that obsolete versions of Transport Layer Security (TLS) should be replaced. The guidance was issued for system administrators across federal bodies such as the Department of Defense (DoD), National Security Systems (NSS), and the Defense Industrial Base (DIB).
In the report released on January 5, the agency was quick to add that “Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks.”
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the protocols that provide encryption, privacy, authentication, and data integrity between two communicating applications.
SSL, TLS 1.0, and TLS 1.1 are now considered deprecated, and systems still relying on these protocols for security can be exposed at any moment.
In its newly released advisory, the NSA warns that new attacks against TLS protocols are being discovered, and that organizations should use the latest protocol versions (TLS 1.2 or TLS 1.3).
The agency also published a list of tools to help security teams identify systems on their networks that still run these obsolete protocols.
The NSA advisory, published on January 5, was echoed on the 19th by the agency's counterpart within the Netherlands, the Dutch National Cyber Security Center.
Sensitive and important information requires strong protection inside electronic systems and during transmission. Protected transmissions use a private, secure channel between a server and a client. Transport Layer Security (TLS) and Secure Sockets Layer (SSL 2.0) were created as protocols that build these protected channels using encryption and authentication. Older versions of these protocols are now weak, yet they persist in many existing services and applications online.
Over time, new methods of attack against TLS and the algorithms it relies on have become rampant; for this reason the NSA recommends that only TLS 1.2 and TLS 1.3 be used, rendering SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 obsolete. The agency's first step was to identify obsolete configurations still in use in government systems across the USA by highlighting clients and servers that use the older TLS versions, and then by testing for old cipher suites and weak key exchange methods.
Steps for remediation have also been suggested for security experts and analysts. Depending on the organization, network monitoring devices can be configured to alert on clients or servers that negotiate obsolete TLS, or used to block weak TLS traffic outright. It is also worth mentioning that TLS depends on the correct use of certificates: compromised, weak, or revoked certificates can lead to attacks even when the protocol itself is properly implemented. Following this guidance will help cybersecurity experts and government network owners make informed decisions, reduce their risk exposure, and hinder incoming malicious threats.
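As an added example (not code from the NSA advisory or this article), the following parser classifies the version a server actually negotiated from the raw ServerHello record a network monitor would see, which is the check behind the alerting described above. It handles the TLS 1.3 case, where the legacy version field reads TLS 1.2 and the real version sits in the supported_versions extension; the sample records are constructed with `build_server_hello`, not captured traffic.

```python
import struct

OBSOLETE = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}
SUPPORTED = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def negotiated_version(record: bytes) -> int:
    """Version a server really negotiated, parsed from a raw ServerHello record.
    TLS 1.3 servers write 0x0303 in the legacy field; real version is in ext 43."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:              # 22 = handshake
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 2:                      # 2 = ServerHello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = int.from_bytes(body[:2], "big")
    pos = 2 + 32                        # skip legacy version + random
    pos += 1 + body[pos]                # skip session id
    pos += 2 + 1                        # skip cipher suite + compression
    if pos >= len(body):                # no extensions: pre-1.3 server
        return version
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        if etype == 43:                 # supported_versions: one version in ServerHello
            return int.from_bytes(body[pos + 4:pos + 6], "big")
        pos += 4 + elen
    return version


def classify(record: bytes) -> str:
    v = negotiated_version(record)
    if v in OBSOLETE:
        return f"OBSOLETE: {OBSOLETE[v]}"
    if v in SUPPORTED:
        return f"ok: {SUPPORTED[v]}"
    return f"unknown version 0x{v:04x}"


def build_server_hello(version: int, ext_version=None) -> bytes:
    """Constructed sample ServerHello (not captured traffic), used for testing."""
    body = version.to_bytes(2, "big") + bytes(32)     # legacy version + zero random
    body += b"\x00" + b"\xc0\x2f" + b"\x00"           # empty session id, suite, null compression
    if ext_version is not None:                       # TLS 1.3 style supported_versions
        ext = b"\x00\x2b\x00\x02" + ext_version.to_bytes(2, "big")
        body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version.to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs
```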
The agency adds: “This will also help organizations prepare for cryptographic agility to always stay ahead of malicious actors’ abilities and protect important information. Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not.”
Supported Protocols and Obsolete Protocols in a nutshell
- TLS 1.2 (Supported)
- TLS 1.3 (Supported)
- TLS 1.0 (Not Supported)
- TLS 1.1 (Not Supported)
- SSL v2 (Not Supported)
- SSL v3 (Not Supported)
In related news, the Dutch National Cyber Security Centre (NCSC) also published updated guidance on future-proofing TLS configurations with TLS 1.3, aimed at securing network connections.