Hi All,
NSA just published Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations.
Additional guidance for detecting obsolete TLS traffic, including network signatures, links to helpful tools, and
sample configurations is available at
https://github.com/nsacyber/Mitigating-Obsolete-TLS.

The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that
utilize strong encryption and authentication to protect all sensitive information. Over time, new attacks against Transport
Layer Security (TLS) and the algorithms it uses have been discovered. Network connections employing obsolete protocols
are at an elevated risk of exploitation by adversaries.

Sensitive and valuable data requires strong protections within electronic systems and transmissions. TLS and Secure
Sockets Layer (SSL) were developed as protocols to create private, secure channels between a server and client using
encryption and authentication. While the standards and most products have been updated, implementations often have
not kept up.

The accompanying, full-length guidance helps network administrators and security analysts make a plan on how to weed
out obsolete TLS configurations in the environment by detecting, prioritizing, remediating, and then blocking obsolete TLS
versions, cipher suites, and finally key exchange methods. This will also help organizations prepare for cryptographic
agility to always stay ahead of malicious actors' abilities and protect important information.

Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected,
even though it really is not. The NSA previously released urgent guidance indicating obsolete and otherwise weak TLS
protocol implementations were being observed, and threat intelligence stating that "nation-state and sufficiently resourced
actors are able to exploit these weak communications." However, obsolete TLS configurations are still in use in U.S.
Government systems. Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of
techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks.
------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------