NSA Urges System Administrators To Replace Obsolete TLS Protocols (zdnet.com)
The US National Security Agency has issued a security advisory this month urging system administrators in federal agencies and beyond to stop using old and obsolete TLS protocols. From a report: "NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used," the agency said. "Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not," the agency added. Even if TLS 1.2 and TLS 1.3 are deployed, the NSA warns against configuring these two protocols with weak cryptographic parameters and cipher suites.
Oh, now you're starting it... (Score:2)
Um, SSL was SOL on Day 1. NSA is saying these things are insecure, but we need a new protocol in order to make things secure, it's too late to save the teams behind these fake security efforts. Anybody got some new ideas?
Re: (Score:1)
Not true, each SSL version includes a choice of protocols, some secure and some not. You can choose or make certificate trust stores yourself too. No need for "new protocols".
Re:Oh, now you're starting it... (Score:5, Insightful)
The SSL and TLS protocol vulnerabilities which have led to new versions are not brute force. They are primarily padding oracle issues.
For brute force you just adjust the key size, which is two steps removed from the TLS protocol version. You use the TLS protocol to choose the cipher and key exchange algorithm, such as AES and Diffie-Hellman. Once you've decided to use AES and DH, you choose a key size for AES and a key size for DH.
So the brute-force resistance (key size) is related to the TLS protocol version in the same way that the temperature of your coffee is related to the kind of car you drive. Your coffee is in your mug, your mug is in your car, but coffee temperature and car manufacturer really aren't related.
Been there, done that (Score:2)
Re: (Score:2)
SSLProtocol disable a, b, c, d
SSLProtocol enable TLSv1.2
Rather I would do this to eliminate all possible downwards-negotiations
SSLProtocol -all +TLSv1.2 +TLSv1.3
Re: Been there, done that (Score:3)
That is still way too broad.
I'm forcing Poly1305+ChaCha20+Curve25519 and everything else can kiss my ass. (It gets a "Your $client is defective and lets terrorists put child porn on your computer" error message.)
Re: (Score:2)
Re: (Score:3)
You're not specifying the ciphers at all, though. Many ciphers are not a good idea to use, even with TLS 1.2.
Re: (Score:2)
Re: (Score:2)
Bad news for you: TLSv1.2 allows a whole host of choices of protocols, and some of those are insecure. You need to redo things correctly.
Take a look at the bottom part of this article, the pink boxes for key exchange and cipher suites you want to configure out.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
See
https://ssl-config.mozilla.org... [mozilla.org]
for secure server configuration
Re: (Score:2)
Re: (Score:1)
Bad idea, most of the world's business and commerce sites are at TLSv1.2.
Re: (Score:2)
Exactly. Heck, due to a rash of TLS1.3 related bugs in the F5's I'm actually MORE secure running TLS1.2 with strong ciphers for now and waiting till their code matures.
Re: (Score:2)
Re: (Score:2)
But what about all of the Slashdot people the other day saying "If the NSA recommends it I'll do the opposite"? Does that mean reverting to older SSL schemes? hehe
Re: (Score:2)
I'm surprised that people are still using anything less than TLSv1.2 on anything that even remotely matters. Those protocols and ciphers have been shown to be weak for years.
What TLS 1.2+ for Windows 98? (Score:3)
One long-time valued user of a forum I moderate (not banking) is keeping a Windows 98 PC running, as he considers anything newer an unnecessary purchase. What web browser supporting TLS 1.2 or TLS 1.3 runs on Windows 98?
Re: (Score:2)
Re: (Score:2)
Sorry, I'm a professional and I'm not keeping my customers' data at risk in order to enable some singular shitheel that thinks software doesn't have vulnerabilities found in the last 23 years, or that computational power now exists to enable attacks that would have been impossible 23 years ago (GPU hashing and comparison, for example). Some of us have to undergo regular security audits and penetration tests, and we like to pass them - especially if we are doing business with financial institutions and the
Avpr Gel AFN! (Score:2, Funny)
Lbh'yy arire pbaivapr zr gb nonaqba EBG-13. Vg'f gur bayl rapelcgvba cebgbpby V xabj lbh unira'g vasvygengrq!
Re: (Score:2)
Lbhe fpber vf ng zvahf bar orpnhfr gurl fgvyy unir abg oebxra lbhe rapelcgvba lrg naq pnaabg frr jung lbh jebgr.
Re: Avpr Gel AFN! (Score:2)
ATD&IÄIÄL3+VCHANT Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn+++Z
Re: (Score:2)
this might help (Score:5, Informative)
Easy way to test your site security settings:
https://www.ssllabs.com/ssltes... [ssllabs.com]
Re: (Score:1)
best practice (Score:2)
This best practice guide [hynek.me] published by Hynek Schlawack is helpful.
I am currently running the following:
ciphers=ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:RSA+AESGCM:!aNULL:!MD5:!DSS
For https, I also step up to secp384r1. For non-https applications (primarily NFS), I step up to secp521r1.
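As an added example (not code from the page or from Hynek's guide): the same policy expressed in Python's ssl module, with the cipher string quoted above, a protocol floor matching the Apache `SSLProtocol -all +TLSv1.2 +TLSv1.3` directive discussed earlier in the thread, an offline audit of what the resulting context can still negotiate, and a per-version probe of the kind the SSL Labs test performs. WEAK_MARKERS and the function names are this example's own choices.

```python
import socket
import ssl

# Cipher preference string quoted in the comment above (OpenSSL syntax).
CIPHERS = "ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:RSA+AESGCM:!aNULL:!MD5:!DSS"

# Substrings that should never appear in the name of a negotiable suite
# (marker list chosen for this example, not an OpenSSL constant).
WEAK_MARKERS = ("MD5", "RC4", "DES-", "NULL", "EXP", "DSS", "ADH", "AECDH")

def hardened_context():
    """Client-side equivalent of 'SSLProtocol -all +TLSv1.2 +TLSv1.3' plus
    the cipher list above; anything older is refused during the handshake."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(CIPHERS)  # TLS 1.3 suites are fixed by OpenSSL, not this list
    return ctx

def audit(ctx):
    """Summarise what a context can still negotiate: protocol floor and
    ceiling, suite count, and any suite whose name carries a weak marker."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "suites": len(names),
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
    }

def probe_versions(host, port=443, timeout=5.0):
    """Ask a server, one version at a time, which protocols it will accept
    (what the SSL Labs test linked elsewhere in the thread does). Needs
    network access, so it is not exercised offline."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # only version support is tested
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let legacy suites be offered
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[ver.name] = tls.version()  # accepted
        except (ssl.SSLError, ValueError, OSError):
            results[ver.name] = None  # refused, or unsupported by local OpenSSL
    return results
```

Run `audit(hardened_context())` to confirm the floor is TLSv1_2 and the weak list is empty before deploying the same string on a server; `probe_versions("your.host")` then shows from the outside whether 1.0/1.1 are really gone.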
Re: (Score:1)
Re: (Score:2)
They support TLS1.2 just fine, we have our clients pinned to 1.2/1.3 with a selection of strong ciphers and we haven't had any issues. In fact Google says over half of their traffic is TLS1.3. I have no idea how the grading algorithm is interacting with Google to get a result indicating 1.0/1.1 but they've actually talked about turning those off completely.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
No worries. (Score:4, Funny)
I'm only using PGP enhanced with the most modern encryption schemes, and banned all root certificates but my own from my system. Because I assume everyone is the NSA and I do not want to talk to any humans anyway.
I'm typing this here into /dev/null for my own amusement.
Re: (Score:2)
Re: No worries. (Score:2)
Go tell me with a straight face, that you're posting here to experience the love, respect and opinions of Slashdotters . . .
You people will never understand us! /dev/null is always gonna love me!
Modern browsers already require 1.2 (Score:2)
Re: (Score:2)
Re: (Score:2)
> But admins insisting on using IE8 on Windows 7 still persist even now. Microsoft is to blame by making migration painful.
Maybe for inventing the MCSE, but MS kicked that old shit to the curb a year ago, without even cab fare.
Because the NSA is hardened ... (Score:3)
... and has a perfect record in thwarting data breaches and ... oh wait [nytimes.com].
Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core
A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.
Re: (Score:3)
This. Add in deliberately corrupting best practices documents to weaken security, making anything they suggest suspect. Add to that multiple violations of their own charter against domestic spying.
At this point, they have violated the trust of the people so many times there can be no recovery. If we want a trustworthy organization to improve homeland security we'll need to scrap the NSA in its entirety and start over. None of the current leadership can be included in the replacement.
Re: (Score:2)
This.
And, we have the walk-offs like Snowden, Manning, Winner ... throughout the cyber-organizations that issue all of us advice about best practices.
Seen it come and go... (Score:2)
I can still remember when TLS was this shiny new thing which would solve the problem of bad actors on the internet.
Well, some standards don't last forever, I guess.
Re: (Score:2)
This principle still holds. It's just older versions and older ciphers being recommended against. Not transport-level security with an SSL / TLS-like approach.
Then, of course, additional security is also needed in many cases. Any TLS scheme allows a man in the middle to see who you are talking to, if you are not using Tor (and that protocol also has some traffic analysis risks). And you may leak the hostnames you are looking for, either to your DNS server provider and anyone listening to the net in between, or
Re: (Score:2)
Security always has two problems: the first is that of designing secure protocols. The second is the implementation problem, where details of the implementation could leak keys, message bits, etc...
Either failure could create a breach, but the second is usually more fixable than the first. Heartbleed, for example, was caused by a builder optimizing out important implementation-specific details. However, there were some rather embarrassing protocol errors in early versions of the public key infrastruct
Re: (Score:1)
"Any TLS scheme allow a man in the middle to see who you are talking to [...]"
I see this a lot.
The key mistake is that people conflate "you" and "your device". They are not the same thing. At all.
Yes, SNI, and the cert in TLS 1.2, allow anyone on the path to see who your device is talking to. Beginning with yourself.
Conversely, encrypting SNI and the cert prevents "anyone" (that is to say, anyone who can't force the keys out of the other side, which is no one I'm concerned about) on the path to see who your
Re: (Score:2)
Sure. SNI (and the certs) is additional detail if it's not hidden. From good causes (like reverse engineering) and less good causes. I was however mostly thinking about IP addresses, which transport layer cryptography for obvious reasons can't help against disclosing to an observer on the network.
Agility Objective (Score:2)
What interests/concerns me is that we still see products being released today that include encryption of one sort or another but for which the ability to make a rapid, efficient alteration of any one of
NGINX Docs (Score:2)
Here's the relevant NGINX documentation for all you running it: http://nginx.org/en/docs/http/... [nginx.org]
And how to use it: http://nginx.org/en/docs/http/... [nginx.org]
If only Microsoft had TLS 1.3 updates (Score:1)
How about we fix x509 certificates (Score:3)
ASN1 is the language that x509 certs are written in. Think of it as TLVs (type-length-values) nested and on steroids. The attack occurs because if the lengths of nested components don't add up to the length of their parent, different parsers will parse differently. Almost no parsers actually throw an error, and due to being required to handle very long components and variable-length components it is hard to actually write a general parser that is secure. I bet less than 10 people have hand-coded ASN1 in the last 20 years, so very few people still remember that ASN1 is a terrible choice for something used for security.
China blocks TLS1.3+ESNI (Score:2)
Which many will consider a bonus of going to TLS1.3, but if you want visibility in China, remember to keep ESNI off. I’m waiting to see how long it takes before a western government tries to ban such traffic ... because of terrorists and children.
Was expecting to see comments here about (Score:2)
Dunno where to ask this but here seems good (Score:2)
I have a Samsung S3 mini phone from 2012, thing won't connect to anything higher than TLS 1.1. Stopped working last year after a certificate expired. I put in a new certificate that the cell company recommended, which worked for about a month, then it stopped working again. I can go to that mozilla test page and load TLS 1.0, and 1.1, but not anything later. Any ideas?
SSL, and TLS 1.0? (Score:2)
Before I retired, a year and a half ago, at my last job - I was a federal contractor, civilian sector - we'd gotten rid of *everything* under SSL 3 and TLS 1.2 years before.
Anyone that hasn't needs to look toward the door.