
SoylentNews is people

posted by martyb on Thursday July 16 2020, @08:10PM

The TLS 1.2 Deadline is Looming, Do You Have Your Act Together?:

In the pantheon of security configuration duties for organizations running internet assets, maintaining the latest TLS encryption protocols to keep the cryptographic apparatus at full strength is one of the most fundamental. TLS provides cover for the most sensitive personal and financial information that moves across the internet. As experts in measuring and monitoring third-party risk, RiskRecon and the data scientists from Cyentia Institute recently published a new report that leveraged unique scan data from millions of web servers around the world, via the RiskRecon platform, to see where the rollout of TLS 1.2[*] is going smoothly and where it is meeting resistance.

Together with its precursor SSL, TLS has long been in the crosshairs of both attackers and security researchers who understand that a weak or non-existent deployment of the protocol makes it trivial enough to carry out man-in-the-middle and other attacks against the vulnerable target.

[...] Sectors such as Education (47%), Energy (40%), and Public Administration (37%) have struggled to implement TLS 1.2 protocols. This revelation led us to ask another question – “Are these hosts collecting and transmitting important information using vulnerable protocols?” The RiskRecon portal also determines web host value by examining whether a website collects and transmits important PII or credential information. If we restrict our view to just these high-value hosts, we can zero in on where the lack of TLS 1.2 represents a substantial risk: 1 in 10 organizations transmit private information over flawed protocols.

While our study found that this fundamental protocol lacks attention from some IT Security teams, it does not need any further introduction to those who would look to exploit any vulnerability in web communications. The clock is ticking to properly secure your lines of internet communications, standard bodies and web browsers have put out their warnings, and there is no time like the present to get up to speed.

[*] The latest version of TLS (Transport Layer Security) is 1.3; see RFC 8446.


  • (Score: 5, Insightful) by SomeGuy on Thursday July 16 2020, @08:44PM (13 children)

    by SomeGuy (5632) on Thursday July 16 2020, @08:44PM (#1022568)

    The moment everyone gets caught up to 1.3 it will be time for 1.4 then 2.0 then 2.1 gold edition, and if you don't keep up, no fucking internet access for you because your browser is more than five minutes old! To top things off these nazis will bitch at you until you do things their way. All this new stuff is sooo perfect and flawless and secure until it magically gets "cracked" then all of a sudden it's worthless, when it actually always was.

    Just make it stop already.
     

  • (Score: 0) by Anonymous Coward on Thursday July 16 2020, @09:22PM (2 children)

    by Anonymous Coward on Thursday July 16 2020, @09:22PM (#1022581)

    That's when you call in an expart and let them decide whit's impooooortant. May I suggest Jack Daniel's or Jim Beam. If it's catastropic you'll need Tommy Chong.

    • (Score: 0) by Anonymous Coward on Friday July 17 2020, @01:11PM (1 child)

      by Anonymous Coward on Friday July 17 2020, @01:11PM (#1022878)

      If it's catastrophic you'll need Tommy Chong.

      Hold up. Tommy's on-deck every day down here, we call him "Tommy the Troubleshooter", and we have a 40-minute Zoom call every day starting at 4:20.

      Secondly, it's "catastrophic" not "catastropic".

      • (Score: 2) by Muad'Dave on Friday July 17 2020, @01:23PM

        by Muad'Dave (1413) on Friday July 17 2020, @01:23PM (#1022880)

        Nor is it cat-ass-trophy, but it's mighty close.

  • (Score: 2, Interesting) by Acabatag on Thursday July 16 2020, @10:13PM (2 children)

    by Acabatag (2885) on Thursday July 16 2020, @10:13PM (#1022600)

    The important thing is that only endpoints should have access to anything about your online behavior. And that Big Data should rule over the endpoints. So only use the Chrome browser, and only navigate to Google approved sites.

    • (Score: 4, Informative) by mth on Friday July 17 2020, @12:16AM (1 child)

      by mth (2848) on Friday July 17 2020, @12:16AM (#1022660) Homepage

      Let's Encrypt makes it easier than ever to run TLS on a small site using certbot. You can rent a VPS for less than $5 a month. Running a small independent site is not the issue. The problem with web centralization is real, but it's a problem of users not valuing their privacy and independence enough when they decide which sites and services they use.

      • (Score: 2) by ilsa on Friday July 17 2020, @07:59PM

        by ilsa (6082) Subscriber Badge on Friday July 17 2020, @07:59PM (#1023045)

        While true, this is separate from the whole TLS thing, and I can sympathize with the GP. This never ending treadmill of incremental improvements is _exhausting_ to keep up with, and it feels like it's getting worse instead of better.

  • (Score: 2) by mth on Friday July 17 2020, @12:06AM (2 children)

    by mth (2848) on Friday July 17 2020, @12:06AM (#1022657) Homepage

    The TLS 1.2 RFC is from August 2008. Security experts have been telling people to upgrade for years, but apparently a significant number of web server admins aren't listening. So I think the browser makers have been more than patient enough before pulling the plug on outdated protocols.

    • (Score: 2) by driverless on Friday July 17 2020, @03:10AM (1 child)

      by driverless (4770) on Friday July 17 2020, @03:10AM (#1022719)

      Because TLS 1.2 is so five minutes ago, the current trend is 1.3, which despite its name is a completely new protocol with almost nothing in common with the previous TLS 1.x versions past the client hello. Except that by the time we all move to 1.3, the current fashion will be 1.7, which is not really any better (or worse) than the five previous versions but will be using the latest trendy technology, which means you need to start again from scratch if you want to move to it.

      • (Score: 0) by Anonymous Coward on Friday July 17 2020, @02:44PM

        by Anonymous Coward on Friday July 17 2020, @02:44PM (#1022902)

        So, are you arguing we need to give up on security or what else do you want to do about it?

  • (Score: 2) by mr_bad_influence on Friday July 17 2020, @01:18AM

    by mr_bad_influence (3854) on Friday July 17 2020, @01:18AM (#1022684)

    My employer, a public university, depended on web payments for business. I was responsible for all web payments and for us to be in compliance with PCI standards TLS 1.2 was required. I've been retired for a couple years now, and implementing TLS 1.2 was one of the last things I did there before I left. Anyone in a similar position should have already upgraded.

    The thing is, we always have to stay one step ahead of the competition by fixing any security issues that are always present or there won't be any confidence from folks using the web for payments.

  • (Score: 2) by driverless on Friday July 17 2020, @03:06AM

    by driverless (4770) on Friday July 17 2020, @03:06AM (#1022716)

    It was a weird sales pitch actually, "panic, panic, you need to take action now, it's almost too late, you're going to miss out" but then no link to their consulting services at the end to provide relief from the panic they've just stirred up. So why write it in the first place?

  • (Score: 2) by Opportunist on Friday July 17 2020, @10:21AM

    by Opportunist (5545) on Friday July 17 2020, @10:21AM (#1022821)

    Lemme guess, you're the first guy lamenting and crying how webpages are insecure when they are a victim to identity theft, right?

    Security is an arms race between those that try to break into your systems and those trying to protect them. It is most likely never going to end.

    But if you prefer to not join the race, that's fine by me. It actually increases the security of my system. Because crime is a business and businesses tend to go with the lowest expenses necessary to achieve the target profit. As long as there are systems that are less secure than mine and easier targets, criminals will target those systems instead of mine.

    So... thank you, I guess?

  • (Score: 1, Flamebait) by darkfeline on Friday July 17 2020, @10:14PM

    by darkfeline (1030) on Friday July 17 2020, @10:14PM (#1023095) Homepage

    >Just make it stop already.

    Might I suggest committing suicide? Maintaining existence is an endless battle. First world countries have been momentarily spoiled by their recent level of living quality, but having to fight for survival is the norm, not the other way around (COVID-19 is a friendly reminder from reality). Your immune system is fighting and learning every single moment; the day it starts faltering is the day you start succumbing to age-related immune deficiencies and diseases.

    Just as attacks are being developed constantly, security and software are constantly being improved. System admins should be constantly upgrading their systems. If not, you're failing at your job and you will be figuratively killed by natural selection. If that seems like too much work, maybe you should take a look at some of the container hype and understand what problems it's trying to solve.

    --
    Join the SDF Public Access UNIX System today!