U.S. National Security Agency Offers Advice on Blocking Obsolete TLS
The U.S. National Security Agency this month published an advisory (PDF download) on detecting and blocking old and insecure Transport Layer Security (TLS) protocol use by organizations.
TLS, currently at version 1.3, is used to secure client and server traffic during Internet connections. However, organizations may be using older versions that aren't secure, opening up traffic to "passive decryption" methods and "man-in-the-middle" attacks where information can get modified in transit, the NSA advisory noted.
The NSA is advising organizations to immediately block the use of TLS 1.0, as well as its predecessors, Secure Sockets Layer (SSL) 2.0 and 3.0. It also is recommending blocking TLS 1.1 and moving to TLS 1.2 or 1.3 "as soon as possible."
However, if an organization is using TLS 1.2, then they will still need to check if they are using "obsolete cipher suites." Organizations should immediately block the use of the NULL, RC2, RC4, DES, IDEA and TDES/3DES cipher suites, the advisory indicated.
If those obsolete cipher suites can't be blocked, then organizations should check to see if they are using an "obsolete key exchange" method. The advisory recommended immediately blocking ANON and EXPORT key exchange methods, as well as others, which were listed in a table.
The advisory pointed to an available NSA GitHub repository of signatures that can be used by network monitoring tools to detect the use of obsolete TLS by clients and servers. Servers using obsolete TLS should be upgraded or configured to use the newer TLS versions. Clients should be upgraded so that they are using "the most current browser or TLS library."
The NSA's advice is mostly for U.S. defense and national security entities, but other organizations should consider carrying out its detection and remediation steps.
"Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors," the advisory indicated.
What's new, apparently, in the NSA's advice is that the security issue extends beyond just TLS. IT pros need to check for the use of obsolete cipher suites with TLS 1.2, for instance, and they need to check for the use of obsolete key exchange methods.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.