Well-known cybersecurity agencies in the United States and the Netherlands issued recommendations against the use of obsolete TLS protocols that put networks and users at risk.
In early January, the NSA, the main cybersecurity agency in the US, issued an advisory that strongly recommended ending the use of obsolete TLS and SSL protocols. The security advisory urges federal agencies to prevent the use of these protocols and of inadequate configurations.
The NSA argued that “Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not.” According to the document, only TLS 1.2 and TLS 1.3 should be used. Conversely, agencies must stop and prevent the use of TLS 1.0, TLS 1.1, SSL 2.0, and SSL 3.0.
A couple of weeks later, the National Cyber Security Center in the Netherlands published a statement urging public agencies and private organizations to migrate their systems to TLS 1.3.
Better But Not Perfect
While the two cybersecurity agencies are urging public and private organizations to move to TLS 1.3, the recommendations make clear that these newer protocols aren’t foolproof.
The NSA recommends pairing TLS 1.2 and TLS 1.3 protocols with strong, reliable cryptographic parameters and cipher suites. Using modern protocols with weak encryption methods remains a very serious problem, creating liabilities where there shouldn’t be any.
In the security advisory, we can read that “especially weak encryption algorithms in TLS 1.2 are designated as NULL, RC2, RC4, DES, IDEA, and TDES/3DES; cipher suites using these algorithms should not be used.”
To provide some additional help, the NSA also publicly shared a selection of tools for system administrators, with the goal of helping them navigate their networks and identify those systems using obsolete protocols.
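One way to check for what the advisory describes, as an added example (not NSA tooling and not from the original article): it flags obsolete protocol versions and the weak algorithms listed above in scan results, and builds a Python client context that refuses anything below TLS 1.2. The hostnames and sample rows are constructed, and the `ECDHE+AESGCM` cipher string is an assumed choice of strong suites.

```python
import re
import ssl

# Protocol versions the advisory says to stop using, and the ones it allows.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
APPROVED = {"TLSv1.2", "TLSv1.3"}
# Weak algorithms named in the advisory, keyed by the tokens they appear
# under in IANA and OpenSSL suite names (OpenSSL writes 3DES as DES-CBC3).
WEAK_TOKENS = {"NULL": "NULL", "RC2": "RC2", "RC4": "RC4", "IDEA": "IDEA",
               "3DES": "3DES", "CBC3": "3DES", "DES": "DES"}

def weak_algorithm(suite):
    """Return the weak algorithm a cipher suite name uses, or None."""
    tokens = re.split(r"[-_]", suite.upper())
    hits = {WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS}
    if "3DES" in hits:  # DES-CBC3-SHA carries both a DES and a CBC3 token
        hits.discard("DES")
    return sorted(hits)[0] if hits else None

def audit(observations):
    """observations: (host, protocol, suite) tuples from a scan export."""
    findings = []
    for host, protocol, suite in observations:
        if protocol in OBSOLETE:
            findings.append((host, f"obsolete protocol {protocol}"))
        elif protocol not in APPROVED:
            findings.append((host, f"unrecognized protocol {protocol}"))
        weak = weak_algorithm(suite)
        if weak:
            findings.append((host, f"weak algorithm {weak} in {suite}"))
    return findings

def hardened_context():
    """Client context limited to TLS 1.2 and TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses TLS 1.1 and older
    ctx.set_ciphers("ECDHE+AESGCM")  # assumed choice of strong TLS 1.2 suites
    return ctx

def weak_enabled(ctx):
    """Names of enabled suites in ctx that use an algorithm on the weak list."""
    return [c["name"] for c in ctx.get_ciphers() if weak_algorithm(c["name"])]

# Constructed sample data (placeholder hostnames, not real scan output).
SAMPLE = [
    ("mail.example.test", "TLSv1", "DES-CBC3-SHA"),
    ("www.example.test", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("legacy.example.test", "TLSv1.2", "TLS_RSA_WITH_RC4_128_SHA"),
]
```

The third sample row is the case the advisory warns about: an approved protocol version negotiated with a weak cipher suite.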
The informative piece includes context on how attacks against TLS are continually developing to be more effective against organizations, emphasizing the importance of using the latest protocols to manage that risk.
Web Browsers Leading the Change
These cybersecurity recommendations coming from official sources aren’t the only signs of a fast-paced transition towards more effective TLS protocols.
In 2020, we saw how major web browsers decided to stop supporting websites using TLS 1.0 and TLS 1.1. The reason? Considerable security issues. This decision has effectively forced millions of websites to make the change to a more secure configuration.
These actions, accompanied by a common message from leading authorities in cybersecurity, should be enough to convince both public and private organizations to move towards and implement safer protocols and configurations.