SoylentNews is people
SoylentNews
The TLS 1.2 Deadline is Looming, Do You Have Your Act Together?:
In the pantheon of security configuration duties for organizations running internet assets, maintaining the latest TLS encryption protocols to keep the cryptographic apparatus at full strength is one of the most fundamental. TLS provides cover for the most sensitive personal and financial information that moves across the internet. As experts in measuring and monitoring third-party risk, RiskRecon and the data scientists from Cyentia Institute recently published a new report that leveraged unique scan data from millions of web servers around the world, via the RiskRecon platform, to see where the rollout of TLS 1.2[*] is going smoothly and where it is meeting resistance.
Together with its precursor SSL, TLS has long been in the crosshairs of both attackers and security researchers who understand that a weak or non-existent deployment of the protocol makes it trivial enough to carry out man-in-the-middle and other attacks against the vulnerable target.
[...] Sectors such as Education (47%), Energy (40%), and Public Administration (37%) have struggled to implement TLS 1.2 protocols. This revelation led us to ask another question – “Are these hosts collecting and transmitting important information using vulnerable protocols?” The RiskRecon portal also determines web host value by examining whether a website collects and transmits important PII or credential information. If we restrict our view to just these high-value hosts, we can zero in on where the lack of TLS 1.2 represents a substantial risk: 1 in 10 organizations transmit private information over flawed protocols.
While our study found that this fundamental protocol lacks attention from some IT Security teams, it does not need any further introduction to those who would look to exploit any vulnerability in web communications. The clock is ticking to properly secure your lines of internet communications, standard bodies and web browsers have put out their warnings, and there is no time like to present to get up to speed.
[*] The latest version of TLS (Transport Layer Security) is 1.3; see RFC 8446.
(Score: 2) by mth on Friday July 17 2020, @12:06AM (2 children)
The TLS 1.2 RFC is from August 2008. Security experts have been telling people to upgrade for years, but apparently a significant number of web server admins aren't listening. So I think the browser makers have been more than patient enough before pulling the plug on outdated protocols.
(Score: 2) by driverless on Friday July 17 2020, @03:10AM (1 child)
Because TLS 1.2 is so five minutes ago, the current trend is 1.3, which despite its name is a completely new protocol with almost nothing in common with the previous TLS 1.x versions past the client hello. Except that by the time we all move to 1.3, the current fashion will be 1.7, which is not really any better (or worse) than the five previous versions but will be using the latest trendy technology, which means you need to start again from scratch if you want to move to it.
(Score: 0) by Anonymous Coward on Friday July 17 2020, @02:44PM
So, are you arguing we need to give up on security or what else do you want to do about it?