
posted by martyb on Thursday July 16 2020, @08:10PM

The TLS 1.2 Deadline is Looming, Do You Have Your Act Together?:

In the pantheon of security configuration duties for organizations running internet assets, maintaining the latest TLS encryption protocols to keep the cryptographic apparatus at full strength is one of the most fundamental. TLS provides cover for the most sensitive personal and financial information that moves across the internet. As experts in measuring and monitoring third-party risk, RiskRecon and the data scientists from Cyentia Institute recently published a new report that leveraged unique scan data from millions of web servers around the world, via the RiskRecon platform, to see where the rollout of TLS 1.2[*] is going smoothly and where it is meeting resistance.

Together with its precursor SSL, TLS has long been in the crosshairs of both attackers and security researchers who understand that a weak or non-existent deployment of the protocol makes it trivial enough to carry out man-in-the-middle and other attacks against the vulnerable target.

[...] Sectors such as Education (47%), Energy (40%), and Public Administration (37%) have struggled to implement TLS 1.2 protocols. This revelation led us to ask another question – “Are these hosts collecting and transmitting important information using vulnerable protocols?” The RiskRecon portal also determines web host value by examining whether a website collects and transmits important PII or credential information. If we restrict our view to just these high-value hosts, we can zero in on where the lack of TLS 1.2 represents a substantial risk: 1 in 10 organizations transmit private information over flawed protocols.

While our study found that this fundamental protocol lacks attention from some IT Security teams, it does not need any further introduction to those who would look to exploit any vulnerability in web communications. The clock is ticking to properly secure your lines of internet communications, standards bodies and web browsers have put out their warnings, and there is no time like the present to get up to speed.

[*] The latest version of TLS (Transport Layer Security) is 1.3; see RFC 8446.


  • (Score: 0) by Anonymous Coward on Friday July 17 2020, @01:30AM (#1022688) (3 children)

    Test your site from https://www.ssllabs.com/ssltest/ [ssllabs.com]

    It will let you know if your TLS is up to snuff and lots of other info.

    While TLS 1.2 and above are likely supported by most web servers, not everyone has disabled older versions (TLS 1.0/1.1).

    Check it out.

  • (Score: 0, Disagree) by Anonymous Coward on Friday July 17 2020, @07:18AM (#1022801) (2 children)

    While TLS 1.2 and above are likely supported by most web servers, not everyone has disabled older versions (TLS 1.0/1.1).

    For practically all websites disabling TLS 1.0 and/or 1.1 on the server side is a pretty silly thing to do. The protocol has version negotiation (and the browser people have fixed their silly problems in this regard) so if you and the client support higher versions that will be used. Disabling the older protocols just means that your website will work with less existing software for no real reason.

    • (Score: 2) by Opportunist (5545) on Friday July 17 2020, @10:25AM (#1022823)

      This is true until I sit in between you and the server and tell both of you to use an insecure version because I pretend that the other side doesn't support better security.

      Downgrade attacks [wikipedia.org] are a thing, ya know?

    • (Score: 0) by Anonymous Coward on Friday July 17 2020, @11:17AM (#1022843)

      For practically all websites disabling TLS 1.0 and/or 1.1 on the server side is a pretty silly thing to do. The protocol has version negotiation (and the browser people have fixed their silly problems in this regard) so if you and the client support higher versions that will be used. Disabling the older protocols just means that your website will work with less existing software for no real reason.

      I hope your clients read this. Because they should fire you.

      TLS 1.0/1.1 have multiple exploitable and exploited vulnerabilities:
      https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/ [acunetix.com]

      Yes, web browsers will negotiate the protocol level, and that's an attack vector [wikipedia.org]. By negotiating protocol and/or cipher "downgrade," miscreants can exploit the known vulnerabilities.

      Which is why it's not only important to require a sane (TLS 1.2 or greater) transport, it's also important to disable weak ciphers (many of which are enabled by default on many web servers).

      So, no. TLS 1.0/1.1 need to be terminated with extreme prejudice. I know, I know, TLS 1.2 is far too new to put into production. After all, the RFC was only just published twelve years ago.

      You're talking nonsense. But go ahead and run whatever you want. But if you really believe the bullshit you spewed, you might want to educate yourself.

      I won't hold my breath.
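The first comment suggests testing a site with SSL Labs, and the last one argues that a server should accept only TLS 1.2 or better. The script below, an added example that is not part of the thread, does the scriptable version of that check from a defender's side: it pins a client to exactly one protocol version per handshake and records which versions the server will negotiate, then turns the result into findings. The host, port and function names are assumptions of this example; note the OpenSSL 3 caveat in the comments, where the local library rather than the remote server can be the one refusing TLS 1.0/1.1.

```python
import socket
import ssl

# Protocol versions the probe tries, oldest first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1.0", "TLSv1.1"}  # versions the thread says should be turned off

def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.
    Returns (accepted, detail); detail is 'version cipher' on success or the error reason."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we only ask whether the version is offered, not who the peer is
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security level; without
        # lowering it, a "no protocols available" error comes from our side, not the server.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # library without security levels (e.g. LibreSSL); try as-is
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)

def probe_host(host, port=443, timeout=5.0):
    """Map each version name to whether the server completed a handshake with it."""
    return {name: probe_version(host, port, ver, timeout)[0] for name, ver in VERSIONS.items()}

def assess(results):
    """Turn a {version: accepted} map into findings in the spirit of the thread."""
    enabled = {name for name, ok in results.items() if ok}
    findings = []
    legacy = sorted(enabled & LEGACY)
    if legacy:
        findings.append("legacy versions still accepted: " + ", ".join(legacy))
    if not enabled & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLS 1.2 or 1.3 at all")
    return findings or ["ok: only TLS 1.2/1.3 accepted"]

if __name__ == "__main__":
    for line in assess(probe_host("example.com")):  # assumed target; substitute your own host
        print(line)
```

Because the pinned handshake records the negotiated cipher as well, the same output shows whether a server that has dropped TLS 1.0/1.1 still offers weak suites on 1.2, which the last comment calls out as the second half of the job.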