NSA urges system administrators to quickly upgrade obsolete TLS protocols
The National Security Agency (NSA) has released a Cybersecurity Information Sheet at the beginning of the month detailing how to detect and replace out-of-date encryption protocol implementations.
The information sheet, titled “Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations”, instructs National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators on how to detect unauthorized or out-of-date TLS protocol configurations and replace them with ones that fully meet current standards.
Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL); both are cryptographic protocols designed to provide communications security over a computer network.
“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used,” the agency wrote. “Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not.”
The guide comes after a report by Zscaler, a cloud-based information security platform, showed a 260% increase in attacks on SSL/TLS-encrypted channels in the first 9 months of 2020, with the healthcare sector being the leading target for these SSL-based attacks.
The NSA advisory, published on January 5, was later echoed by an alert (PDF) issued by the Dutch National Cyber Security Center, which also strongly recommended that government agencies and private companies in the Netherlands switch to TLS 1.3 as part of a “future-proof” configuration approach.
However, even if TLS 1.2 and TLS 1.3 are deployed, the NSA still warns that configuring the protocols with weak cryptographic parameters and cipher suites could prove to be just as risky.
“Especially weak encryption algorithms in TLS 1.2 are designated as NULL, RC2, RC4, DES, IDEA, and TDES/3DES; cipher suites using these algorithms should not be used,” the agency stated. “TLS 1.3 removes these cipher suites, but implementations that support both TLS 1.3 and TLS 1.2 should be checked for obsolete cipher suites.”
Support for the TLS 1.0 and 1.1 protocols was dropped by the four biggest browsers (Firefox, Safari, Chrome, and Internet Explorer) in 2020 for security reasons, the two versions having been made obsolete by the later 1.2 and 1.3 protocols.
Furthermore, the NSA has published a set of tools on GitHub, a code hosting platform for version control and collaboration, to help identify systems that are still using obsolete TLS protocol configurations, so that system administrators can check their own internal networks.
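As an added illustration, not code from the article or from the NSA's GitHub tools: a small Python audit that flags the obsolete protocol versions and the weak TLS 1.2 algorithms named above in scanner output, and builds a client context hardened the way the guidance describes (the suite list and the sample scanner output are constructed for the example).

```python
import ssl

# Weak TLS 1.2 encryption algorithms named in the NSA guidance quoted above.
WEAK_ALGORITHMS = {"NULL", "RC2", "RC4", "DES", "3DES", "TDES", "IDEA"}
# Protocol versions the guidance says must not be used.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

def suite_tokens(name):
    """Split an IANA-style (TLS_RSA_WITH_RC4_128_SHA) or OpenSSL-style
    (DES-CBC3-SHA) suite name into its algorithm tokens."""
    return set(name.replace("-", "_").upper().split("_"))

def audit_cipher_suites(names):
    """Return {suite_name: weak_algorithm} for each suite built on a weak algorithm."""
    findings = {}
    for name in names:
        weak = sorted(suite_tokens(name) & WEAK_ALGORITHMS)
        if weak:
            findings[name] = weak[0]
    return findings

def audit_protocols(enabled):
    """Return the enabled protocol versions that the guidance says to disable."""
    return sorted(v for v in enabled if v in OBSOLETE_PROTOCOLS)

def hardened_context():
    """Client context that refuses anything below TLS 1.2 and negotiates only
    forward-secret AEAD suites; the '!' rules exclude the weak algorithms above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                    "!aNULL:!eNULL:!RC4:!3DES:!DES:!IDEA:!RC2:!MD5")
    return ctx

def context_summary(ctx):
    """Minimum protocol version name plus the suites the context would offer."""
    return ctx.minimum_version.name, [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    # Constructed sample: what a scanner might report for a legacy server.
    reported = ["TLS_RSA_WITH_RC4_128_SHA", "DES-CBC3-SHA",
                "TLS_RSA_WITH_NULL_SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    print(audit_protocols({"TLSv1", "TLSv1.1", "TLSv1.2"}))  # ['TLSv1', 'TLSv1.1']
    print(audit_cipher_suites(reported))
    min_version, offered = context_summary(hardened_context())
    print(min_version, audit_cipher_suites(offered))  # TLSv1_2 {}
```

Feeding the audit the suite names a scanner reports for a server is a quick way to confirm whether a TLS 1.2 deployment still carries the obsolete suites the guidance warns about.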
“By using the following guidance, network owners can make informed decisions to enhance their cybersecurity posture,” according to the guide. “Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors.”
Security firm Netcraft reported in March 2020 that more than 850,000 websites were still using TLS 1.0 and TLS 1.1, but fortunately that number has since gone down.