NSA Issues Guidance on Replacing Obsolete TLS Versions
The National Security Agency (NSA) this week issued guidance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) cybersecurity decision makers, system admins, and network security analysts to replace obsolete versions of the Transport Layer Security (TLS) protocol.
TLS and Secure Sockets Layer (SSL) were designed to ensure the security and privacy of communication channels between clients and servers through encryption and authentication.
The protocols encrypt data in traffic, but older versions of these protocols have proven insecure, weakening data protection. Furthermore, new attacks against them have been discovered, further proving their inefficiency.
While older versions of the security protocols, namely SSL, TLS 1.0, and TLS1.1, have been deprecated in many existing online services and applications, there still are systems that rely on these insecure protocols, thus exposing entire networks.
“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS1.1 not be used,” the agency says.
In the newly released guidance, the NSA provides details on how network administrators and security analysts can identify and eliminate obsolete TLS configurations in their environments, including protocol versions, cipher suites, and key exchange methods.
“This will also help organizations prepare for cryptographic agility to always stay ahead of malicious actors’ abilities and protect important information. Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not,” the NSA notes.
The first step, the agency notes, is to detect obsolete TLS configurations still in use in US government systems, through identifying clients and servers using older TLS versions and devices using obsolete cipher suites and/or weak key exchange methods.
As remediation steps, admins should configure monitoring devices to alert and/or block weak TLS traffic. However, a phased approach to detecting and fixing clients is recommended, to minimize impact.
“By using the guidance, government network owners can make informed decisions to enhance their cybersecurity posture. Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors,” the NSA notes.