News

NSA Gives Advice on Reducing TLS Security Risk

• By Kurt Mackie
• 01/08/2021

Organizations that want to detect and block the old and insecure Transport Layer Security (TLS) protocol can draw on some new advice from the U.S. National Security Agency.

Currently at version 1.3, TLS is used to secure client and server traffic during Internet connections. However, organizations may be using older versions that aren't secure, opening up traffic to "passive decryption" methods and "man-in-the-middle" attacks where information can get modified in transit, the NSA advisory (PDF download) noted.

The NSA is advising organizations to immediately block the use of TLS 1.0, as well as its predecessors, Secure Sockets Layer (SSL) 2.0 and 3.0. It also is recommending blocking TLS 1.1 and moving to TLS 1.2 or 1.3 "as soon as possible."

However, if an organization is using TLS 1.2, then they will still need to check if they are using "obsolete cipher suites." Organizations should immediately block the use of the NULL, RC2, RC4, DES, IDEA and TDES/3DES cipher suites, the advisory indicated.

If those obsolete cipher suites can't be blocked, then organizations should check to see if they are using an "obsolete key exchange" method. The advisory recommended immediately blocking ANON and EXPORT key exchange methods, as well as others, which were listed in a table.

The advisory pointed to an available NSA GitHub repository of signatures that can be used by network monitoring tools to detect the use of obsolete TLS by clients and servers. Servers using obsolete TLS should be upgraded or configured to use the newer TLS versions. Clients should be upgraded so that they are using "the most current browser or TLS library."

The NSA's advice is mostly for U.S. defense and national security entities, but other organizations should consider carrying out its detection and remediation steps.

"Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors," the advisory indicated.

What's new, apparently, in the NSA's advice is that the security issue extends beyond just TLS. IT pros need to check for the use of obsolete cipher suites with TLS 1.2, for instance, and they need to check for the use of obsolete key exchange methods.