Everyone wants to browse the web safely. To that end, virtually all web servers use TLS (Transport Layer Security) to encrypt communication with clients. However, older versions of the protocol rely on encryption techniques now known to be insecure and are weaker designs in general. The US NSA has issued guidelines for web administrators to update their servers.
It would be wonderful if all websites had been updated in January 2021 when the guidelines were issued. Unfortunately, there are still sites that have not been updated. This can be due to many factors:
To address the time issue, the NSA guidelines linked above give guidance for both government and private administrators. For instance, they list the specific obsolete encryption protocols that should be disabled, so administrators don’t need to guess what might be necessary. The NSA has also published detection and mitigation tools at https://github.com/nsacyber/Mitigating-Obsolete-TLS.
Beyond testing that an updated website still functions correctly, the guidelines recommend tools for verifying that the TLS changes actually took effect. One tool they suggest is https://www.ssllabs.com/ssltest. I have used that tool myself and recommend it. (As usual, neither Learning Tree International nor I can recommend the hoster of the tool or their products.) When I updated a site and used ssltest to verify my fixes worked, I discovered another issue that had been evading resolution for a long time!
Here is a section of the guidelines. I am quoting it directly.
Obsolete TLS provides a false sense of security
Organizations encrypt network traffic to protect data in transit. However, using obsolete TLS configurations provides a false sense of security since it looks like the data is protected, even though it really is not. Make a plan to weed out obsolete TLS configurations in the environment by detecting, remediating, and then blocking obsolete TLS versions, cipher suites, and finally key exchange methods. Prepare for cryptographic agility to always stay ahead of malicious actors’ abilities and protect important information.
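The quoted plan names three things to detect: obsolete protocol versions, obsolete cipher suites, and obsolete key exchange methods. The following checker is an added example written for this post, not code from the NSA guidelines or their repository; its lists of obsolete items are the example's own and follow the published deprecations (SSLv3 by RFC 7568, TLS 1.0/1.1 by RFC 8996), and the suite names it understands are the OpenSSL and IANA naming conventions.

```python
"""Classify what a server negotiated against the three categories the guidance
says to detect: obsolete versions, cipher suites, and key-exchange methods."""
import socket
import ssl

# Example's own lists (assumptions for this post, not taken from the guidance text).
OBSOLETE_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Tokens found in OpenSSL or IANA suite names for deprecated algorithms.
OBSOLETE_CIPHER_TOKENS = {"NULL", "RC4", "DES", "3DES", "IDEA", "EXP", "EXP1024", "MD5"}
EPHEMERAL_KEX = {"ECDHE", "DHE", "EDH"}          # forward-secret key exchange
ANONYMOUS_KEX = {"ADH", "AECDH", "ANON"}         # no server authentication at all
MAX_WEAK_DH_BITS = 1024                          # DH groups this small are obsolete


def classify(version, cipher, kex_bits=None):
    """Return a list of findings; an empty list means nothing obsolete was seen."""
    findings = []
    if version in OBSOLETE_VERSIONS:
        findings.append(f"obsolete protocol version {version}")
    # Both "ECDHE-RSA-AES128-GCM-SHA256" and "TLS_RSA_WITH_3DES_EDE_CBC_SHA" split
    # into algorithm tokens once underscores are normalised to dashes.
    tokens = cipher.upper().replace("_", "-").split("-")
    for tok in tokens:
        if tok in OBSOLETE_CIPHER_TOKENS:
            findings.append(f"obsolete cipher algorithm {tok}")
    if version != "TLSv1.3":   # TLS 1.3 suites always use ephemeral (EC)DHE
        if any(t in ANONYMOUS_KEX for t in tokens):
            findings.append("anonymous key exchange (no server authentication)")
        elif not any(t in EPHEMERAL_KEX for t in tokens):
            # Static RSA key transport or static (EC)DH: a recorded session can be
            # decrypted later if the server's long-term key is ever compromised.
            findings.append("non-ephemeral key exchange (no forward secrecy)")
    if ("DHE" in tokens or "EDH" in tokens) and kex_bits is not None \
            and kex_bits <= MAX_WEAK_DH_BITS:
        findings.append(f"Diffie-Hellman group of only {kex_bits} bits")
    return findings


def probe(host, port=443, timeout=5):
    """Connect with the default client context and classify the negotiated result.
    This shows only what the server prefers for one modern client; a full sweep of
    every version and suite is what the SSL Labs test above provides."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return version, name, classify(version, name)


if __name__ == "__main__":
    # Constructed sample records, as a scanner might report them.
    for rec in [("TLSv1.3", "TLS_AES_256_GCM_SHA384", None),
                ("TLSv1", "RC4-SHA", None), ("TLSv1.2", "DHE-RSA-AES256-SHA", 1024)]:
        print(rec[:2], classify(*rec) or "OK")
```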
For both public and private organizations, protecting information confidentiality and integrity is crucial to the organization’s overall cyber security, and making these updates is an essential part of that. We discuss these and other issues in Learning Tree Course 468 System and Network Security Introduction.