Category Archives: 2021

NSA releases urgent Guidance (ORN U/OO/800922-17), thus urge to public that not to use obsolete TLS configurations (6th Jan,2020)

Preface: However, obsolete TLS configurations are still in use in U.S. Government systems. Perhaps it is being change. According to the Office of Management and Budget (OMB) memorandum M-15-13 all public accessible federal websites and web services are require to only provide through secure connections.

Synopsis: The Internet Engineering Task Force (IETF) published TLS 1.3 in August 2018. TLS 1.2, the version it replaced, was standardized a decade previous, in 2008. Attached diagram shown the examples of TLS Vulnerabilities and Attacks.

Consequent: Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected.
Network connections employing obsolete encryption protocols are at an elevated risk of exploitation and decryption.

Recommendation: NSA recommends that only TLS 1.2 or 1.3 be used. As a result, SSL 2.0,3.0,TLS 1.1 not be used anymore.If additional interoperability support is need, configurations should use non-deprecated options from NIST SP 800-52r2 as necessary.

Official announcement (NSA Releases Guidance on Eliminating Obsolete TLS Protocol Configurations): https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF