SecurityWeek

NSA Issues Guidance on Replacing Obsolete TLS Versions

The National Security Agency (NSA) this week issued guidance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) cybersecurity decision makers, system admins, and network security analysts to replace obsolete versions of the Transport Layer Security (TLS) protocol.

TLS and Secure Sockets Layer (SSL) were designed to ensure the security and privacy of communication channels between clients and servers through encryption and authentication.

The protocols encrypt data in transit, but older versions have proven insecure, weakening data protection. New attacks against them have also been discovered, further demonstrating their inadequacy.

While older versions of the security protocols, namely SSL, TLS 1.0, and TLS 1.1, have been deprecated in many existing online services and applications, there are still systems that rely on these insecure protocols, thus exposing entire networks.

“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used,” the agency says.

In the newly released guidance, the NSA provides details on how network administrators and security analysts can identify and eliminate obsolete TLS configurations in their environments, including protocol versions, cipher suites, and key exchange methods.

“This will also help organizations prepare for cryptographic agility to always stay ahead of malicious actors’ abilities and protect important information. Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not,” the NSA notes.

The first step, the agency notes, is to detect obsolete TLS configurations still in use in US government systems by identifying clients and servers using older TLS versions, as well as devices using obsolete cipher suites and/or weak key exchange methods.

As remediation steps, admins should configure monitoring devices to alert and/or block weak TLS traffic. However, a phased approach to detecting and fixing clients is recommended, to minimize impact.
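The detection step described above can be illustrated with a short passive check on a server's handshake reply. This is an added example, not code from the NSA guidance or from SecurityWeek: it reads the negotiated version and cipher suite from a ServerHello record and flags anything below TLS 1.2. The function names, the sample records and the short cipher-suite watch list are assumptions made for illustration.

```python
import struct

# Wire version codes; SSL 2.0 uses a different record format and is not parsed here.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Assumption: illustrative watch list only; populate it from the NSA guidance.
WEAK_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

def inspect_server_hello(record: bytes) -> dict:
    """Return the negotiated version, cipher suite and findings for one record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    pos = 9                                   # skip record (5) + handshake (4) headers
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                             # legacy version + server random
    pos += 1 + record[pos]                    # session id length + session id
    suite = struct.unpack_from("!H", record, pos)[0]
    pos += 3                                  # cipher suite + compression method
    if pos + 2 <= len(record):                # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type == 43 and ext_len == 2:   # supported_versions: TLS 1.3 choice
                version = struct.unpack_from("!H", record, pos + 4)[0]
            pos += 4 + ext_len
    findings = []
    if version < 0x0303:
        findings.append("obsolete protocol " + VERSIONS.get(version, hex(version)))
    if suite in WEAK_SUITES:
        findings.append("weak cipher suite " + WEAK_SUITES[suite])
    return {"version": VERSIONS.get(version, hex(version)),
            "suite": suite, "findings": findings}

def build_server_hello(version: int, suite: int, ext: bytes = b"") -> bytes:
    """Construct a sample ServerHello record (test data, not captured traffic)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(version, 0x0303), len(hs)) + hs

SAMPLES = {  # constructed records with hypothetical host labels
    "legacy-app": build_server_hello(0x0301, 0x0005),
    "web-front": build_server_hello(0x0303, 0xC02F),
    "api-gw": build_server_hello(0x0303, 0x1301, struct.pack("!HHH", 43, 2, 0x0304)),
}
```

Running `inspect_server_hello` over each entry in `SAMPLES` flags only `legacy-app`; the same function can be fed ServerHello records taken from a packet capture to build the inventory that a phased remediation works from.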

“By using the guidance, government network owners can make informed decisions to enhance their cybersecurity posture. Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors,” the NSA notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
