Get Rid of Old Transport Layer Security (TLS) Protocol Configurations Today

RIP TLS 1.0 and 1.1

While we are still at the onset of 2021, let’s make sure disabling deprecated security protocols is at the top of our New Year’s resolutions list. If you’ve already done it, you can focus on losing those extra pounds…

Why should you care?

First, the problem with insecure TLS protocols is so real and serious that the National Security Agency (NSA) has released a guide for eliminating obsolete Transport Layer Security configurations, along with recommended TLS configurations and remediation recommendations for the public. Here’s the link to the six-page guide.

Secondly, if TLS 1.0 and 1.1 are still enabled on your network, they will very likely raise red flags and cause compliance issues with cybersecurity insurance carriers.

Thirdly, the reasons for not allowing old TLS protocols are still very much valid today. If you still do not know why, comply anyway and just disable those protocols. Period.

Here are several tools that will help you get where you need to be.

Free

Nartac IIS Crypto is a free tool https://www.nartac.com/Products/IISCrypto

Qualys free tool https://www.ssllabs.com/ssltest/

Free browser check https://www.ssllabs.com/index.html

Guide for Windows servers https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

Paid

Tenable Nessus, paid for with free trial https://www.tenable.com/products

Rapid7 Nexpose, paid for with 30-day trial https://www.rapid7.com/products/nexpose/

It is strongly recommended that vulnerability scans against perimeter and internal networks be performed regularly by a cybersecurity vendor.

Disable SSL v2, SSL v3, TLS 1.0 and TLS 1.1, and enforce TLS 1.2 and TLS 1.3 only. In addition, implement only strong ciphers and algorithms.
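On a Windows server, the protocol part of this comes down to the SCHANNEL registry keys, which is also what IIS Crypto edits. The script below is an added example, not part of the original post: it reports the current state and then applies the protocol list above, and its function names are hypothetical. TLS 1.3 is left untouched on the assumption that only newer Windows releases support it in SCHANNEL.

```powershell
# Added example: audit and set SCHANNEL protocol state on a Windows server.
# Run from an elevated PowerShell session; changes take effect after a reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state from the article: legacy protocols off, TLS 1.2 on.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

# Hypothetical helper: show what is configured today for each protocol and role.
function Get-SchannelProtocolState {
    foreach ($proto in $desired.Keys) {
        foreach ($role in 'Server', 'Client') {
            $key   = Join-Path $base "$proto\$role"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                # Empty means the value is absent and the OS default applies.
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

# Hypothetical helper: write Enabled / DisabledByDefault for every protocol and role.
function Set-SchannelProtocolState {
    foreach ($proto in $desired.Keys) {
        $on = $desired[$proto]
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$role"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
                -Value ([int]$on) -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
                -Value ([int](-not $on)) -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize   # review before changing anything
# Set-SchannelProtocolState                          # uncomment to apply, then reboot
```

The Client keys govern outbound connections from the server, so confirm that the systems it connects to already accept TLS 1.2 before applying them.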

To recap, make certain all your users and vendors are using TLS 1.2 or 1.3 and that their ciphers match the ciphers you support; otherwise communication may be hindered or all access may be blocked inadvertently.
