NSA Urges System Administrators To Replace Obsolete TLS Protocols (zdnet.com) 62

The US National Security Agency has issued a security advisory this month urging system administrators in federal agencies and beyond to stop using old and obsolete TLS protocols. From a report: "NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used," the agency said. "Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not," the agency added. Even if TLS 1.2 and TLS 1.3 are deployed, the NSA warns against configuring these two protocols with weak cryptographic parameters and cipher suites.
  • Um, SSL was SOL on Day 1. NSA is saying these things are insecure, but we need a new protocol in order to make things secure, it's too late to save the teams behind these fake security efforts. Anybody got some new ideas?

    • Not true, each SSL version includes a choice of protocols, some secure and some not. You can choose or make certificate trust stores yourself too. No need for "new protocols".

  • Don't know about you guys but all my external facing are running on TLSv1.2, some 1.3. This was one of our top priorities.
    • And when I do it... I won't use
      SSLProtocol disable a, b, c, d
      SSLProtocol enable TLSv1.2

      Rather I would do this to eliminate all possible downwards-negotiations
      SSLProtocol -all +TLSv1.2 +TLSv1.3
      • That is still way too broad.

        I'm forcing Poly1305+ChaCha20+Curve25519 and everything else can kiss my ass. (It gets a "Your $client is defective and lets terrorists put child porn on your computer" error message.)

        • The "-all" eliminates every possible protocol including all TLS versions, then the 2 plus signs re-instate the wanted items. It's not a broad configuration in my opinion. In fact I think it's the most comprehensive possible.
    • bad news for you, TLSv1.2 allows a whole host of choices of protocols and some of those are insecure. You need to redo things correctly.

      Take a look at the bottom part of this article, the pink boxes for key exchange and cipher suites you want to configure out.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

    • But what about all of the slashdot people the other day saying "If the NSA recommends it I'll do the opposite." Does that mean reverting to older SSL schemes hehe

    • I'm surprised that people are still using anything less than TLSv1.2 on anything that even remotely matters. Those protocols and ciphers have been shown to be weak for years.

      • One long-time valued user of a forum I moderate (not banking) is keeping a Windows 98 PC running, as he considers anything newer an unnecessary purchase. What web browser supporting TLS 1.2 or TLS 1.3 runs on Windows 98?

        • Any browser running on a recent Linux / *BSD distribution. You would probably have a bit of trouble finding one that still supports the hardware, but still running Windows 98 is either meant to be a honeypot, or meant to be used off-line only, or asking for trouble.
        • Sorry, I'm a professional and I'm not keeping my customers' data at risk in order to enable some singular shitheel that thinks software doesn't have vulnerabilities found in the last 23 years, or that computational power now exists to enable attacks that would have been impossible 23 years ago (GPU hashing and comparison, for example). Some of us have to undergo regular security audits and penetration tests, and we like to pass them - especially if we are doing business with financial institutions and the

  • Lbh'yy arire pbaivapr zr gb nonaqba EBG-13. Vg'f gur bayl rapelcgvba cebgbpby V xabj lbh unira'g vasvygengrq!

    • by Anonymous Coward

      Lbhe fpber vf ng zvahf bar orpnhfr gurl fgvyy unir abg oebxra lbhe rapelcgvba lrg naq pnaabg frr jung lbh jebgr.

    • ATD&IÄIÄL3+VCHANT Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn+++Z

    • by jmccue ( 834797 )
      VJNL hfrjnl vtcnl(6) vcrqcnl vagbjnl bgenl13(6), vprgjnl rgunl bgrpgvbacenl
  • this might help (Score:5, Informative)

    by lactose99 ( 71132 ) on Thursday January 21, 2021 @02:57PM (#60974798)

    Easy way to test your site security settings:

    https://www.ssllabs.com/ssltes... [ssllabs.com]

    • And https://www.hardenize.com/ [hardenize.com]
    • This best practice guide [hynek.me] published by Hynek Schlawack is helpful.

      I am currently running the following:

      ciphers=ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:RSA+AESGCM:!aNULL:!MD5:!DSS

      For https, I also step up to secp384r1. For non-https applications (primarily NFS), I step up to secp521r1.
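      Added example (not the commenter's code, and not Hynek's guide): the same cipher string wired into a Python `ssl.SSLContext`, together with a small audit that reports which TLS versions the context will accept and flags any non-AEAD or obsolete suite that slipped into the negotiable list. The `hardened_context` and `weak_suites` names are mine; the cipher string and the TLS 1.2+ minimum are taken from the thread.

```python
"""Hardened TLS context plus a self-audit, in the spirit of the NSA advisory.

Added example, not code from the thread. The cipher string is the one the
commenter quoted; everything else (function names, the audit rules) is an
assumption made for this demonstration.
"""
import ssl

# Cipher string quoted in the comment above, in OpenSSL cipher-list syntax.
CIPHERS = "ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:RSA+AESGCM:!aNULL:!MD5:!DSS"

# Name fragments of primitives the advisory tells you to leave out.
OBSOLETE_MARKERS = ("RC4", "3DES", "DES", "MD5", "NULL", "EXPORT", "IDEA")


def hardened_context(purpose=ssl.Purpose.CLIENT_AUTH):
    """Return an SSLContext restricted to TLS 1.2+ and AEAD cipher suites.

    Purpose.CLIENT_AUTH yields a server-side context; pass
    ssl.Purpose.SERVER_AUTH to build the client-side equivalent.
    """
    ctx = ssl.create_default_context(purpose)
    # Python equivalent of Apache's "SSLProtocol -all +TLSv1.2 +TLSv1.3":
    # nothing below TLS 1.2 can be negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS)
    # Let the server's preference order win, so a client cannot steer the
    # handshake towards the weakest suite both sides happen to share.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def is_weak(cipher):
    """Classify one entry of SSLContext.get_ciphers().

    Anything that is not an AEAD suite (CBC, RC4) or that names an obsolete
    primitive is considered weak.
    """
    if not cipher.get("aead", False):
        return True
    return any(marker in cipher["name"] for marker in OBSOLETE_MARKERS)


def weak_suites(ctx):
    """Names of the suites the context would still negotiate that fail is_weak."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak(c)]


def protocol_report(ctx):
    """Map each TLS version name to whether the context will accept it."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # The sentinels are not real versions; translate them to concrete bounds.
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    versions = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    return {v.name: lo <= v <= hi for v in versions}


if __name__ == "__main__":
    ctx = hardened_context()
    print("accepted protocols:", protocol_report(ctx))
    print("weak suites still enabled:", weak_suites(ctx))
```

The audit runs locally against the context object, so it tells you what your own process will offer; it does not replace an external scan of the deployed server, which is what the SSL Labs and Hardenize links above are for.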

    • Comment removed based on user account deletion
      • by afidel ( 530433 )

        They support TLS1.2 just fine, we have our clients pinned to 1.2/1.3 with a selection of strong ciphers and we haven't had any issues. In fact Google says over half of their traffic is TLS1.3. I have no idea how the grading algorithm is interacting with Google to get a result indicating 1.0/1.1 but they've actually talked about turning those off completely.

        • Comment removed based on user account deletion
        • It means that server is configured to allow ancient protocols in addition to new stuff. This tends to create situations where a MITM can force the downgrade in security so your conversation is now TLS 1.0 instead of 1.3, possibly without you knowing. There can also be other mitigations in place, but if memory serves, anything from the last decade should be 1.2 compatible.
          • That's what the TLS_FALLBACK_SCSV [ietf.org] "cipher" is supposed to solve. If a client has asked to downgrade the TLS version, the server will include that canary with the list of supported ciphers. If the client sees that but did not ask to downgrade, the connection is assumed compromised and immediately terminated. Of course, this does require both client and server support. It's been in all of the OpenSSL derivatives for quite some time, though I believe it's still missing from Microsoft's SChannel stack.
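          Added example, not from any commenter: the server-side half of the RFC 7507 check, run over ClientHello records constructed inline. Per RFC 7507 the client that is retrying with a lower version puts the TLS_FALLBACK_SCSV value (0x5600) in its cipher-suite list; a server that supports a higher version than the ClientHello offers, and sees the SCSV, answers with the fatal `inappropriate_fallback` alert (86). The parser only handles the legacy-version negotiation used up to TLS 1.2 (TLS 1.3 negotiates through the supported_versions extension); `build_client_hello` is a test fixture, not a real client.

```python
"""RFC 7507 TLS_FALLBACK_SCSV handling on the server side.

Added example, not code from the thread. The ClientHello builder is a
minimal fixture for constructed inputs; function names are assumptions.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600            # cipher-suite value defined by RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86     # alert number defined by RFC 7507
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from one TLS handshake record.

    Every length field is checked against the enclosing buffer so a
    truncated or padded record is rejected instead of mis-parsed.
    """
    if len(record) < 5:
        raise ValueError("record too short")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    client_version = int.from_bytes(hello[0:2], "big")
    pos = 2 + 32                          # skip client_random
    sid_len = hello[pos]
    pos += 1 + sid_len                    # skip session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    suites_raw = hello[pos:pos + cs_len]
    if len(suites_raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites vector")
    suites = [int.from_bytes(suites_raw[i:i + 2], "big")
              for i in range(0, cs_len, 2)]
    return client_version, suites


def server_fallback_check(record, server_max_version=TLS12):
    """Return None to continue the handshake, or the alert number to abort with.

    Abort only when the client signals a fallback (SCSV present) AND it asks
    for less than this server supports: that combination means something on
    the path broke the client's first, higher-version attempt.
    """
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def build_client_hello(client_version, suites):
    """Construct a minimal ClientHello record (constructed test input)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (client_version.to_bytes(2, "big") + bytes(32)   # zero random
             + b"\x00"                                       # empty session id
             + len(cs).to_bytes(2, "big") + cs
             + b"\x01\x00")                                  # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + TLS10.to_bytes(2, "big") + len(handshake).to_bytes(2, "big") + handshake


AES_GCM = 0xC02F    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, a sample real suite

if __name__ == "__main__":
    honest = build_client_hello(TLS12, [AES_GCM])
    forced = build_client_hello(TLS10, [AES_GCM, TLS_FALLBACK_SCSV])
    print("honest TLS 1.2 hello:", server_fallback_check(honest))
    print("downgraded hello with SCSV:", server_fallback_check(forced))
```

The decision is only as good as the client's behaviour: a client that never retries with a lower version never sends the SCSV, and a server that does not know the value simply treats it as an unknown suite, which is why both ends need support for the canary to protect anyone.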
  • No worries. (Score:4, Funny)

    by BAReFO0t ( 6240524 ) on Thursday January 21, 2021 @03:04PM (#60974830)

    I'm only using PGP enhanced with the most modern encryption schemes, and banned all root certificates but my own from my system. Because I assume everyone is the NSA and I do not want to talk to any humans anyway.
    I'm typing this here into /dev/null for my own amusement.

  • But admins insisting on using IE8 on Windows 7 still persist even now. Microsoft is to blame by making migration painful.
    • Excellent. Explain how Microsoft makes it painful - when new browsers and OS have been available for decades, and updates are pushed hard (some say too hard, well, this is the outcome if you don't push)? It's generally shitty apps, not the OS.
    • > But admins insisting on using IE8 on Windows 7 still persist even now. Microsoft is to blame by making migration painful.

      Maybe for inventing the MCSE, but MS kicked that old shit to the curb a year ago, without even cab fare.

  • by CaptainDork ( 3678879 ) on Thursday January 21, 2021 @03:24PM (#60974944)

    ... and has a perfect record in thwarting data breaches and ... .. Oh wait [nytimes.com].

    Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

    A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.

    • by sjames ( 1099 )

      This. Add in deliberately corrupting best practices documents to weaken security making anything they suggest suspect. Add to that multiple violations of their own charter against domestic spying.

      At this point, they have violated the trust of the people so many times there can be no recovery. If we want a trustworthy organization to improve homeland security we'll need to scrap the NSA in its entirety and start over. None of the current leadership can be included in the replacement.

      • This.

        And, we have the walk-offs like Snowden, Manning, Winner ... throughout the cyber-organizations that issue all of us advice about best practices.

  • I can still remember when TLS was this shiny new thing which would solve the problem of bad actors on the internet.

    Well, some standards don't last forever, I guess.

    • by pereric ( 528017 )

      This principle still holds. It's just older versions and older ciphers being recommended against. Not transport-level security with an SSL / TLS-like approach.

      Then, of course, additional security is also needed in many cases. Any TLS scheme allows a man in the middle to see who you are talking to, if you are not using Tor (and that protocol also has some traffic analysis risks). And you may leak the hostnames you are looking for, either to your DNS server provider and anyone listening to the net in between, or

      • Security always has two problems: the first is that of designing secure protocols. The second is the implementation problem, where details of the implementation could leak keys, message bits, etc...

        Either failure could create a breach, but the second is usually more fixable than the first. Heartbleed, for example, was caused by a builder optimizing out important implementation-specific details. However, there were some rather embarrassing protocol errors in early versions of the public key infrastruct

      • "Any TLS scheme allow a man in the middle to see who you are talking to [...]"

        I see this a lot.

        The key mistake is that people conflate "you" and "your device". They are not the same thing. At all.

        Yes, SNI, and the cert in TLS 1.2, allow anyone on the path to see who your device is talking to. Beginning with yourself.
        Conversely, encrypting SNI and the cert prevents "anyone" (that is to say, anyone who can't force the keys out of the other side, which is no one I'm concerned about) on the path to see who your

        • by pereric ( 528017 )

          Sure. SNI (and the certs) is additional detail if it's not hidden. From good causes (like reverse engineering) and less good causes. I was however mostly thinking about IP addresses, which transport layer cryptography for obvious reasons can't help against disclosing to an observer on the network.
           

  • Given that it's now 2021 and that we've been living with threats and vulnerabilities in crypto for literally decades [I suspect it might go back to the Caesar Cipher [ghostvolt.com], or thereabouts, but don't know for sure], this request from the NSA should not only be "no big deal" but also "no surprise" to *any* of us.

    What interests/concerns me is that we still see products being released today that include encryption of one sort or another but for which the ability to make a rapid, efficient alteration of any one of
  • Here's the relevant NGINX documentation for all you running it: http://nginx.org/en/docs/http/... [nginx.org]

    And how to use it: http://nginx.org/en/docs/http/... [nginx.org]

  • by Anonymous Coward
    Most versions of Windows Server still in use can't get TLS v1.3 via Microsoft Updates.
  • by FeelGood314 ( 2516288 ) on Thursday January 21, 2021 @08:22PM (#60976252)
    Because different ASN1 parsers will parse the certs differently if they are malformed. Meaning if I lie about the lengths of the components in the x509 cert I can get a CA to sign a cert the CA thinks I'm entitled to but which will be interpreted differently when I then present the signed cert to a different TLS client.

    ASN1 is the language that x509 certs are written in. Think of it as TLVs (Type length values) nested and on steroids. The attack occurs because if the lengths of nested components don't add up to the length of their parent, different parsers will parse differently. Almost no parsers actually throw an error and due to being required to handle very long components and variable length components it is hard to actually write a general parser that is secure. I bet less than 10 people have hand coded ASN1 in the last 20 years so very few people still remember that ASN1 is a terrible choice for something used for security.
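    Added example, not the commenter's code: a small strict DER (the ASN.1 encoding X.509 uses) TLV parser that does what the comment says most parsers fail to do, namely refuse any element whose nested lengths do not add up exactly to the parent's length, and also refuse the non-minimal and indefinite length forms DER forbids. The inputs are constructed toy SEQUENCEs, not real certificates; the function names are mine.

```python
"""Strict DER TLV parser that rejects length mismatches.

Added example, not code from the thread. Constructed inputs only; this is a
generic TLV walker, not a full X.509 decoder.
"""


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value, next_pos).

    Raises ValueError on anything DER forbids or that would reach past the
    enclosing buffer, so a lying length can never borrow bytes from outside
    its parent.
    """
    if pos >= len(buf):
        raise ValueError("unexpected end of data")
    tag = buf[pos]
    pos += 1
    if tag == 0x00:
        raise ValueError("end-of-contents octet is not valid in DER")
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag number form not supported here")
    if pos >= len(buf):
        raise ValueError("missing length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        length = first
    else:                                  # long form: 0x8n then n bytes
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        if n > 4 or pos + n > len(buf):
            raise ValueError("length field too long or truncated")
        raw = buf[pos:pos + n]
        pos += n
        if raw[0] == 0:
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(raw, "big")
        if length < 0x80:
            raise ValueError("long form used where short form required")
    if pos + length > len(buf):
        raise ValueError("length exceeds enclosing element")
    return tag, buf[pos:pos + length], pos + length


def parse_der(buf):
    """Return a list of (tag, children_or_bytes) for every element in buf.

    Constructed elements (bit 0x20 set) are parsed recursively over exactly
    their own value bytes, so children that overrun or underrun the parent
    both fail instead of being silently realigned.
    """
    items = []
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag & 0x20:
            items.append((tag, parse_der(value)))
        else:
            items.append((tag, value))
    return items


def is_malformed(hex_blob):
    """True when the strict parser rejects the (constructed) hex-encoded blob."""
    try:
        parse_der(bytes.fromhex(hex_blob))
    except ValueError:
        return False or True
    return False


# Constructed samples: a SEQUENCE of two INTEGERs, then three broken variants.
GOOD = "30 06 02 01 05 02 01 07"        # lengths add up exactly
OVERRUN = "30 05 02 01 05 02 01 07"     # parent says 5, children need 6
UNDERRUN = "30 07 02 01 05 02 01 07 00" # parent says 7, one stray byte left
NONMINIMAL = "30 81 06 02 01 05 02 01 07"  # long-form length for a value < 128

if __name__ == "__main__":
    print(parse_der(bytes.fromhex(GOOD)))
    for name, blob in (("overrun", OVERRUN), ("underrun", UNDERRUN),
                       ("non-minimal", NONMINIMAL)):
        print(name, "rejected:", is_malformed(blob))
```

The OVERRUN sample is the shape the comment describes: a lenient parser reading the second INTEGER would happily take its value byte from just past the SEQUENCE, while a parser that trusts the outer length stops one element early, and the two now disagree about what the structure contains.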
  • Which many will consider a bonus of going to TLS1.3, but if you want visibility in China, remember to keep ESNI off. I’m waiting to see how long it takes before a western government tries to ban such traffic ... because of terrorists and children.

  • how if NSA is recommending NOT to use SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1, that there must be something about them that they cannot hack.
  • I have a Samsung S3 mini phone from 2012, thing won't connect to anything higher than TLS 1.1. Stopped working last year after a certificate expired. I put in a new certificate that the cell company recommended, which worked for about a month, then it stopped working again. I can go to that mozilla test page and load TLS 1.0, and 1.1, but not anything later. Any ideas?

  • Before I retired, a year and a half ago, at my last job - I was a federal contractor, civilian sector - we'd gotten rid of *everything* under SSL 3 and TLS 1.2 years before.

    Anyone that hasn't needs to look toward the door.
