US NSA urged Sysadmins to Abandon Outdated Versions of TLS


The US National Security Agency issued a security notice advising system administrators inside and outside of federal agencies to stop using legacy versions of the TLS protocol. More specifically, the NSA has recommended that you no longer use SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and switch to TLS 1.2 or TLS 1.3.


"Using outdated encryption gives a false sense of security, as sensitive data appears to be protected when in reality it is not," the notice said.


The NSA also warned of the dangers of using TLS 1.2 and TLS 1.3 with unreliable encryption options and cipher suites. The notice names NULL, RC2, RC4, DES, IDEA, and TDES/3DES as particularly weak encryption algorithms in TLS 1.2, so cipher suites that use these algorithms must not be used. TLS 1.3 no longer has these cipher suites, but implementations that support both TLS 1.2 and TLS 1.3 must be checked for their presence.
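The check described above can be sketched as follows. This is an added example, not NSA tooling or code from the original article: it flags the legacy protocol versions and the weak algorithms the notice lists, given IANA or OpenSSL cipher suite names. The function names, the inventory format and the host names are assumptions made for illustration.

```python
import re
import ssl

# Protocol versions the notice says to stop using (OpenSSL-style labels).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Suite-name tokens mapped to the weak algorithms listed for TLS 1.2.
# "CBC3" is OpenSSL's spelling of 3DES (DES-CBC3-SHA); DES40 is export DES.
WEAK_TOKENS = {"NULL": "NULL", "RC2": "RC2", "RC4": "RC4", "IDEA": "IDEA",
               "DES": "DES", "DES40": "DES", "3DES": "3DES", "CBC3": "3DES"}

def weak_algorithms(suite_name):
    """Return the weak algorithms named in an IANA or OpenSSL suite name."""
    tokens = re.split(r"[_-]", suite_name.upper())
    found = {WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS}
    if "CBC3" in tokens:          # DES-CBC3 is 3DES, not single DES
        found.discard("DES")
    return sorted(found)

def audit(inventory):
    """inventory: {host: {"protocols": [...], "suites": [...]}} (assumed shape)."""
    findings = []
    for host, cfg in inventory.items():
        for proto in cfg["protocols"]:
            if proto in LEGACY_PROTOCOLS:
                findings.append((host, "legacy protocol", proto))
        for suite in cfg["suites"]:
            for alg in weak_algorithms(suite):
                findings.append((host, "weak cipher " + alg, suite))
    return findings

def audit_local_openssl():
    """Weak suites the local Python/OpenSSL default context would offer."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return [(n, weak_algorithms(n)) for n in names if weak_algorithms(n)]

# Constructed sample inventory; host names are placeholders.
SAMPLE = {
    "legacy-app.example.internal": {
        "protocols": ["TLSv1", "TLSv1.2"],
        "suites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                   "ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"]},
    "portal.example.internal": {
        "protocols": ["TLSv1.2", "TLSv1.3"],
        "suites": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
    print("local default context:", audit_local_openssl() or "no weak suites")
```

Matching on whole name tokens rather than substrings keeps single DES and 3DES apart and avoids false hits on AES suites.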


The NSA has posted on its GitHub profile a list of tools that system administrators can use to identify systems on their internal networks that are still using legacy TLS configurations.


Following the NSA, a similar security notice was issued by the National Cyber Security Center of the Netherlands. It also recommended that government and private organizations migrate to TLS 1.3.


In the middle of last year, the most popular browsers dropped support for TLS 1.0 and TLS 1.1 for security reasons. According to information security company Netcraft, in March 2020, about 850 thousand sites were still using TLS 1.0 and TLS 1.1 to encrypt their HTTPS traffic.
