National Security Agency Urges System Administrators to Replace Vulnerable and Obsolete TLS Protocols


Monday, January 11th, 2021

The US National Security Agency (NSA) has released guidelines directing system administrators to replace insecure and vulnerable Transport Layer Security (TLS) protocol instances. The agency considers older versions of TLS (1.0 and 1.1) to be obsolete, highly insecure, and vulnerable to abuse, and advises that companies use newer versions (TLS 1.2 or TLS 1.3) instead.

TLS, along with its precursor, Secure Sockets Layer (SSL), was developed as a protocol to provide a private, secure channel over which servers and clients can communicate. However, in recent years various new attacks against the TLS protocols and the algorithms they use have been discovered, notably Heartbleed and POODLE, rendering the older versions of the protocol insecure and vulnerable to further exploitation.

In guidance released earlier this week, the NSA claims that “[t]he standards and most products have been updated, but implementations have not kept up. Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries. As a result, all systems should avoid using obsolete configurations for TLS and SSL protocols.”

There has already been a collective industry push for updating TLS protocols, with some of the biggest industry standards bodies and regulators mandating that web server operators ensure they migrate to TLS 1.2 before the end of 2020. It’s important to note that many major browsers, including Google Chrome and Mozilla Firefox, have already deprecated support for TLS 1.0 and 1.1.

Unfortunately, a study performed in March 2020 revealed that more than 850,000 websites still used the TLS 1.0 and 1.1 protocols. Meanwhile, according to the SANS ISC in December, TLS 1.3 is supported by about one in every five HTTPS servers, showing steady adoption of the newer protocol version.

The NSA’s alert, intended for the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) cybersecurity leaders, as well as system administrators and network security analysts, provided further guidance on how to detect and update outdated TLS versions.

Part of the NSA’s recommendations includes using network monitoring systems to detect obsolete TLS versions. The NSA also provided further guidance on prioritizing the remediation of obsolete TLS versions.

“Network monitoring devices can be configured to alert analysts to servers and/or clients that negotiate obsolete TLS or can be used to block weak TLS traffic,” according to the NSA. “The choice to alert and/or block will depend on the organization. To minimize mission impact, organizations should use a phased approach to detecting and fixing clients and servers until an acceptable number have been remediated before implementing blocking rules.”
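As an added illustration of the monitoring the NSA describes (this is example code written for this article, not code from the NSA guidance): a minimal parser that reads the version a server actually negotiated out of a ServerHello record and flags SSL 3.0, TLS 1.0 and TLS 1.1 as obsolete. It also handles the TLS 1.3 quirk that trips up naive checkers, since a 1.3 server keeps 0x0303 in the legacy version field and announces 1.3 only in the supported_versions extension. The sample records and host names are constructed inline; a deployment would feed it records from a packet capture.

```python
import struct

OBSOLETE = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}
NAMES = {**OBSOLETE, 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def negotiated_version(record):
    """Version the server selected, from one complete TLS record holding a ServerHello. TLS 1.3
    servers keep 0x0303 in the legacy field and signal 1.3 only in supported_versions (type 43)."""
    if len(record) < 5 or record[0] != 0x16:              # ContentType handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x02:                        # HandshakeType server_hello
        raise ValueError("not a ServerHello")
    legacy = struct.unpack("!H", body[4:6])[0]             # after type(1) + length(3)
    p = 6 + 32                                             # skip random
    p += 1 + body[p]                                       # legacy_session_id
    p += 2 + 1                                             # cipher_suite, compression_method
    if p + 2 > len(body):
        return legacy                                      # no extensions: pre-1.3 server
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        if etype == 43 and elen == 2:                      # supported_versions: one selected version
            return struct.unpack("!H", body[p:p + 2])[0]
        p += elen
    return legacy

def classify(record):
    """(version name, is_obsolete) for a captured ServerHello record."""
    v = negotiated_version(record)
    return NAMES.get(v, f"unknown(0x{v:04x})"), v in OBSOLETE

def make_server_hello(legacy, selected=None):
    """Constructed sample record (not captured traffic); selected= adds supported_versions."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if selected is not None:
        ext = struct.pack("!HHH", 43, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", legacy, len(hs)) + hs

SAMPLES = {  # constructed, one ServerHello per hypothetical host
    "host-a": make_server_hello(0x0301),          # TLS 1.0: obsolete, alert
    "host-b": make_server_hello(0x0303),          # TLS 1.2
    "host-c": make_server_hello(0x0303, 0x0304),  # TLS 1.3 behind a 1.2 legacy field
}

def obsolete_hosts(samples):
    """Hosts whose ServerHello negotiated an obsolete version: the alert list for a phased cleanup."""
    return sorted(name for name, rec in samples.items() if classify(rec)[1])
```

Running `obsolete_hosts(SAMPLES)` yields only `host-a`; the TLS 1.3 host is correctly left off the list even though its legacy field reads as TLS 1.2.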

Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi, claims that there are hundreds of thousands, and even millions, of machine identities and connections in businesses and governments that need to be updated.

“Ultimately,” he writes, “the world’s economy depends on authenticating networks of computers that can communicate privately. Without these authenticated networks, transitions, trade, orders and more cannot be trusted. This is why the NSA is raising the alarm, TLS secures the Internet and older versions of the protocol should not persist.”
