posted by martyb on Thursday July 16 2020, @08:10PM

The TLS 1.2 Deadline is Looming, Do You Have Your Act Together?:

In the pantheon of security configuration duties for organizations running internet assets, maintaining the latest TLS encryption protocols to keep the cryptographic apparatus at full strength is one of the most fundamental. TLS provides cover for the most sensitive personal and financial information that moves across the internet. As experts in measuring and monitoring third-party risk, RiskRecon and the data scientists from Cyentia Institute recently published a new report that leveraged unique scan data from millions of web servers around the world, via the RiskRecon platform, to see where the rollout of TLS 1.2[*] is going smoothly and where it is meeting resistance.

Together with its precursor SSL, TLS has long been in the crosshairs of both attackers and security researchers who understand that a weak or non-existent deployment of the protocol makes it trivial enough to carry out man-in-the-middle and other attacks against the vulnerable target.

[...] Sectors such as Education (47%), Energy (40%), and Public Administration (37%) have struggled to implement TLS 1.2 protocols. This revelation led us to ask another question – “Are these hosts collecting and transmitting important information using vulnerable protocols?” The RiskRecon portal also determines web host value by examining whether a website collects and transmits important PII or credential information. If we restrict our view to just these high-value hosts, we can zero in on where the lack of TLS 1.2 represents a substantial risk: 1 in 10 organizations transmit private information over flawed protocols.

While our study found that this fundamental protocol lacks attention from some IT Security teams, it does not need any further introduction to those who would look to exploit any vulnerability in web communications. The clock is ticking to properly secure your lines of internet communication: standards bodies and web browsers have put out their warnings, and there is no time like the present to get up to speed.

[*] The latest version of TLS (Transport Layer Security) is 1.3; see RFC 8446.
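As an added example (not code from the RiskRecon report or from this post), here is a Go program that performs the same measurement for a single host that the report performed across millions: one handshake per protocol version, with the client pinned to exactly that version, so a completed handshake means the server accepts it and a refusal means it does not. So that it runs without network access, the program carries its own loopback TLS server with a throwaway self-signed certificate; the server, the certificate, the 127.0.0.1 address and the function names are all constructed for this example. The probe deliberately skips certificate verification, because it asks "which versions do you speak?" rather than "are you the genuine server?"; that flag belongs nowhere near a client that carries real data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Versions to probe, oldest first; accepting anything below TLS 1.2 fails the host.
var probeVersions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

// probe attempts one handshake per version with MinVersion and MaxVersion pinned to
// that version, so the server cannot negotiate anything else; a completed handshake
// means the server accepts it. InsecureSkipVerify is deliberate: the question is
// "which versions?", not "who are you?". It has no place in a client carrying real data.
func probe(addr string) map[uint16]bool {
	supported := make(map[uint16]bool, len(probeVersions))
	for _, v := range probeVersions {
		cfg := &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true}
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
		if err != nil {
			supported[v] = false // protocol_version alert, reset or timeout
			continue
		}
		supported[v] = conn.ConnectionState().Version == v
		conn.Close()
	}
	return supported
}

// weakVersions lists the accepted versions below TLS 1.2; empty means the host passes.
func weakVersions(supported map[uint16]bool) []string {
	var weak []string
	for _, v := range probeVersions {
		if v < tls.VersionTLS12 && supported[v] {
			weak = append(weak, versionNames[v])
		}
	}
	return weak
}

// selfSignedCert makes a throwaway ECDSA certificate for the loopback server
// (constructed for this example; nothing verifies it, so no names are needed).
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer listens on a random loopback port accepting only versions in [min, max];
// it stands in for a legacy (1.0 to 1.2) or hardened (1.2 to 1.3) web server.
func startServer(min, max uint16) (addr string, stop func(), err error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}, MinVersion: min, MaxVersion: max}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Drive the handshake so the client gets a verdict, then hang up.
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	// Demo against the bundled legacy server; point probe() at host:port for a real one.
	addr, stop, err := startServer(tls.VersionTLS10, tls.VersionTLS12)
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("still accepts:", weakVersions(probe(addr)))
}
```

Run as is and the bundled server is flagged for still accepting TLS 1.0 and TLS 1.1; start it with tls.VersionTLS12 as its minimum instead and the list comes back empty, which is the state the report is asking hosts to reach. One caveat for real targets: the client can only offer the cipher suites Go ships, so a server that speaks an old version only with suites Go has retired (for instance plain RSA key exchange) will look as if it refuses that version; for a full inventory, follow up with a dedicated scanner such as testssl.sh or sslscan.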



  • (Score: 3, Interesting) by hendrikboom on Friday July 17 2020, @03:18AM (16 children)

    by hendrikboom (1125) Subscriber Badge on Friday July 17 2020, @03:18AM (#1022728) Homepage Journal

    I just use http on my server. No certificate issues.

    -- hendrik

  • (Score: 2) by Opportunist on Friday July 17 2020, @10:27AM (13 children)

    by Opportunist (5545) on Friday July 17 2020, @10:27AM (#1022825)

    How do I make sure I talk to your server and not some imposter?

    • (Score: 2) by coolgopher on Friday July 17 2020, @10:39AM (8 children)

      by coolgopher (1157) on Friday July 17 2020, @10:39AM (#1022828)

      How do you make sure you talk to the right https server and not some imposter injected by your ISP via DNS and route hijacking?

      • (Score: 0) by Anonymous Coward on Friday July 17 2020, @11:19AM (4 children)

        by Anonymous Coward on Friday July 17 2020, @11:19AM (#1022844)

        RFC 1149 [ietf.org] FTW!

        • (Score: 2) by hendrikboom on Friday July 17 2020, @11:29AM (2 children)

          by hendrikboom (1125) Subscriber Badge on Friday July 17 2020, @11:29AM (#1022851) Homepage Journal

          I see. The pigeons know. And a pigeon hunter isn't likely to pick up enough packets to form a meaningful message?

          • (Score: 0) by Anonymous Coward on Saturday July 18 2020, @06:17AM (1 child)

            by Anonymous Coward on Saturday July 18 2020, @06:17AM (#1023273)

> And a pigeon hunter isn't likely to pick up enough packets to form a meaningful message?

            That's why it's necessary to use strong encryption with large keys. ;)

            • (Score: 0) by Anonymous Coward on Monday July 20 2020, @01:42PM

              by Anonymous Coward on Monday July 20 2020, @01:42PM (#1024099)

              Large keys?

              We talking a good 20g here, 100g, or some half kilogram whopper from the medieval ages?

        • (Score: 3, Insightful) by coolgopher on Friday July 17 2020, @11:32AM

          by coolgopher (1157) on Friday July 17 2020, @11:32AM (#1022852)

          And here I was expecting a link to RFC3514 [ietf.org] instead.

      • (Score: 2) by hendrikboom on Friday July 17 2020, @11:27AM

        by hendrikboom (1125) Subscriber Badge on Friday July 17 2020, @11:27AM (#1022848) Homepage Journal

        Because my browser does do https.

      • (Score: 2) by Opportunist on Friday July 17 2020, @12:32PM (1 child)

        by Opportunist (5545) on Friday July 17 2020, @12:32PM (#1022869)

        By checking whether the certificate matches the page. As long as you didn't somehow manage to inject your certificates into my browser store, it's pretty trivial to verify whether the certificate presented belongs to the server.

        • (Score: 2) by coolgopher on Monday July 20 2020, @01:05AM

          by coolgopher (1157) on Monday July 20 2020, @01:05AM (#1023891)

Yeah, fair point, it does take quite a bit more effort to pervert the initial set of top level certificates. Then again, time and time again we find out about CAs that have been handing out certs willy-nilly >.<

    • (Score: 2) by hendrikboom on Friday July 17 2020, @11:26AM (3 children)

      by hendrikboom (1125) Subscriber Badge on Friday July 17 2020, @11:26AM (#1022847) Homepage Journal

      You don't. Nor does my server care who you are.

      • (Score: 2) by Opportunist on Friday July 17 2020, @12:34PM (1 child)

        by Opportunist (5545) on Friday July 17 2020, @12:34PM (#1022870)

        Ok, then I hope I'll never have to talk to your server, because I'd really love to know whether the person (or server) I'm talking to is actually who they claim to be.

        I mean, you (hopefully...) don't respond to calls like "hi, this is your IT department, we'd need your username and password to figure out a problem we have with it..."

        • (Score: 2) by hendrikboom on Friday July 17 2020, @04:38PM

          by hendrikboom (1125) Subscriber Badge on Friday July 17 2020, @04:38PM (#1022952) Homepage Journal

> I mean, you (hopefully...) don't respond to calls like "hi, this is your IT department, we'd need your username and password to figure out a problem we have with it..."

          No. I don't.

          -- hendrik

      • (Score: 0) by Anonymous Coward on Friday July 17 2020, @05:10PM

        by Anonymous Coward on Friday July 17 2020, @05:10PM (#1022966)

        lahu zahur!

  • (Score: 2) by leon_the_cat on Saturday July 18 2020, @05:44AM (1 child)

    by leon_the_cat (10052) on Saturday July 18 2020, @05:44AM (#1023267) Journal

    you have a real sexy server