Time to eliminate obsolete TLS protocol configurations – NSA

Monday, February 1, 2021

The National Security Agency (NSA) recommends replacing obsolete protocol configurations with ones that utilise strong encryption and authentication to protect sensitive information. Over time, new attacks against Transport Layer Security (TLS) and the algorithms it uses have been discovered. Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries.

NSA recommends that only TLS 1.2 or TLS 1.3 be used;
and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 should not be used

The main message is to make sure you review the versions of TLS currently used on your servers and update configurations to ensure that the newly discovered attacks are not applicable to your infrastructure.

The National Cyber Security Centre (NCSC) of The Netherlands issued a similar recommendation. The NCSC is working to increase the ability of Dutch society to defend itself in the digital domain.

These guidelines are intended to aid during procurement, set-up and review of configurations of the Transport Layer Security protocol (TLS). You can find the IT Security Guidelines by clicking on the following link: https://english.ncsc.nl/publications/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1

NSA also offers a repository that lists a number of tools, SNORT signatures, and web server configurations to help network owners detect and remediate the use of obsolete TLS: https://github.com/nsacyber/Mitigating-Obsolete-TLS

For the original NSA paper, containing extensive background information regarding this recommendation, please visit the following link: https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF

Being committed to internet security, we at SSLreminder are happy to help with advice regarding updating your SSL/TLS configuration.

Feel free to reach out to us at contact@sslreminder.pro and we’ll get back to you as soon as possible.

HTTPS-only mode in Firefox 83