Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday July 16 2020, @08:10PM   Printer-friendly

The TLS 1.2 Deadline is Looming, Do You Have Your Act Together?:

In the pantheon of security configuration duties for organizations running internet assets, maintaining the latest TLS encryption protocols to keep the cryptographic apparatus at full strength is one of the most fundamental. TLS provides cover for the most sensitive personal and financial information that moves across the internet. As experts in measuring and monitoring third-party risk, RiskRecon and the data scientists from Cyentia Institute recently published a new report that leveraged unique scan data from millions of web servers around the world, via the RiskRecon platform, to see where the rollout of TLS 1.2[*] is going smoothly and where it is meeting resistance.

Together with its precursor SSL, TLS has long been in the crosshairs of both attackers and security researchers who understand that a weak or non-existent deployment of the protocol makes it trivial enough to carry out man-in-the-middle and other attacks against the vulnerable target.

[...] Sectors such as Education (47%), Energy (40%), and Public Administration (37%) have struggled to implement TLS 1.2 protocols. This revelation led us to ask another question – “Are these hosts collecting and transmitting important information using vulnerable protocols?” The RiskRecon portal also determines web host value by examining whether a website collects and transmits important PII or credential information. If we restrict our view to just these high-value hosts, we can zero in on where the lack of TLS 1.2 represents a substantial risk: 1 in 10 organizations transmit private information over flawed protocols.

While our study found that this fundamental protocol lacks attention from some IT Security teams, it does not need any further introduction to those who would look to exploit any vulnerability in web communications. The clock is ticking to properly secure your lines of internet communications, standard bodies and web browsers have put out their warnings, and there is no time like to present to get up to speed.

[*] The latest version of TLS (Transport Layer Security) is 1.3; see RFC 8446.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by Zinnia Zirconium on Saturday July 18 2020, @04:47AM

    by Zinnia Zirconium (11163) on Saturday July 18 2020, @04:47AM (#1023252) Homepage Journal

    Welllllll actually this might be a compelling reason to consider encryption just to stop shhtty ISPs from unhelpfully rewriting my shht.

    Maybe I'll think about thinking about Lets Encrust. First I gotta convince Lets Encrust shirtbot to spit out just a certificate without trying to unhelpfully reconfigure my servers. Second I gotta prove I control my servers but I insist on running nonstandard web servers and one of my HTTP servers is a bash script I wrote myself. It doesn't serve files at all but I guess I could add a few lines to my bash server to generate a response proving to Lets Encrust that I control it. And then third my actual HTTPS server would be socat or something that I can configure entirely with command line options.

    Yeahhhhhh maybe I should. As soon as I start caring. Sometime between now or never.