What is TLS/SSL?
Ingrid

Transport Layer Security (TLS) is a widely used method of securing communications over the Internet; it uses a combination of certificates and keys to authenticate servers and encrypt information. TLS is the successor to SSL and is the current industry standard. Because some companies and systems on the Internet still use Secure Sockets Layer (SSL), we refer to the related risk vectors as “TLS/SSL Certificates” and “TLS/SSL Configurations.”

Bitsight data providers make TLS/SSL connections with servers and collect the certificate chain during the session negotiation (handshake) process.

Notes

TLS has undergone several revisions to improve security, block known attacks, and add support for new cryptographic algorithms. Many TLS implementations (software libraries that support the standardized features of the TLS protocol) deliberately drop backwards compatibility with SSL because of design-level vulnerabilities such as POODLE in SSL version 3.

It is important to understand and assess whether the TLS implementation installed on your company's servers supports SSL fallback, since that poses a security risk (adversaries can use POODLE or other SSL-oriented attacks), and whether your servers only accept strong cipher suites that are resistant to attack at an industry-approved level.

Resources

GitHub, “SSL and TLS Deployment Best Practices,” Section 1.3
NCSC, “Factsheet Certificates with 1024 bit RSA are being phased-out”
Thawte, “Moving To A 2048-Bit Certificate”
GlobalSign, “The Dangers of Self-Signed SSL Certificates”
Rapid7, “Self-signed TLS/SSL certificate”
Synopsys, Inc., “Heartbleed”

August 20, 2020: TLS 1.0 and 1.1 deprecated.
May 9, 2019: TLS 1.0 and 1.1 deprecation.

Related articles

TLS/SSL Finding Remediation & Remediation Verification
TLS/SSL Configurations Risk Vector
TLS/SSL Certificates Risk Vector
Certificate Authorities
TLS/SSL Configuration Findings
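The assessment the Notes describe (does a server still accept SSL or deprecated TLS versions, weak cipher suites, undersized RSA keys, or self-signed certificates?) can be expressed as a small policy check. The Python below is an added example written for this article, not Bitsight's own tooling: the scan results it evaluates are constructed sample data in the shape a protocol/cipher scanner might report, the weak-cipher markers and the 2048-bit RSA floor are the example's own thresholds chosen to match the resources cited above, and the `hardened_client_context` function shows the corresponding client-side setting in Python's standard `ssl` module (minimum TLS 1.2, forward-secret AEAD suites only).

```python
"""Assess TLS/SSL scan findings against a minimum policy and build a hardened client context.

Added example, not Bitsight's code. SCAN_RESULTS is CONSTRUCTED sample data; the thresholds
mirror the article's notes (no SSL fallback, TLS 1.0/1.1 deprecated, 1024-bit RSA phased out,
self-signed certificates flagged).
"""
from __future__ import annotations

import ssl
from dataclasses import dataclass

# Protocol versions the policy rejects, with the reason a reviewer would cite.
DEPRECATED_PROTOCOLS = {
    "SSLv2": "SSL 2.0 is obsolete and broken",
    "SSLv3": "SSL 3.0 is vulnerable to POODLE",
    "TLSv1.0": "TLS 1.0 is deprecated (RFC 8996)",
    "TLSv1.1": "TLS 1.1 is deprecated (RFC 8996)",
}

# Substrings of OpenSSL-style suite names that mark a weak or unauthenticated suite
# (null/export ciphers, RC4, DES/3DES, MD5 MACs, anonymous key exchange).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "EXP-", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON")

MIN_RSA_BITS = 2048  # example threshold; 1024-bit RSA is being phased out


@dataclass
class ScanResult:
    host: str
    protocols: list[str]      # protocol versions the server agreed to negotiate
    cipher_suites: list[str]  # OpenSSL-style suite names the server accepted
    key_type: str             # leaf certificate public-key algorithm
    key_bits: int             # leaf certificate public-key size
    self_signed: bool         # issuer equals subject on the leaf certificate


def assess(result: ScanResult) -> list[str]:
    """Return one finding per policy violation; an empty list means the endpoint is compliant."""
    findings: list[str] = []
    for proto in result.protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"{proto} accepted: {DEPRECATED_PROTOCOLS[proto]}")
    for suite in result.cipher_suites:
        name = suite.upper()
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite accepted: {suite}")
    if result.key_type == "RSA" and result.key_bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {result.key_bits} bits (minimum {MIN_RSA_BITS})")
    if result.self_signed:
        findings.append("leaf certificate is self-signed")
    return findings


def assess_all(results: list[ScanResult]) -> dict[str, list[str]]:
    """Map each scanned host to its list of findings."""
    return {r.host: assess(r) for r in results}


def hardened_client_context() -> ssl.SSLContext:
    """Client SSLContext that refuses SSL and TLS below 1.2 and offers only forward-secret AEAD suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1 fallback
    # OpenSSL cipher string governing TLS 1.2 suites; TLS 1.3 suites are AEAD-only by design.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_refuses_legacy(ctx: ssl.SSLContext) -> bool:
    """True if the context can negotiate neither SSL/TLS below 1.2 nor any weak suite."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    return all(not any(m in c["name"].upper() for m in WEAK_CIPHER_MARKERS)
               for c in ctx.get_ciphers())


# CONSTRUCTED sample scan output: one legacy endpoint and one compliant endpoint.
SCAN_RESULTS = [
    ScanResult("legacy.example.test", ["SSLv3", "TLSv1.0", "TLSv1.2"],
               ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
               "RSA", 1024, True),
    ScanResult("modern.example.test", ["TLSv1.2", "TLSv1.3"],
               ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256"],
               "RSA", 2048, False),
]

if __name__ == "__main__":
    for host, findings in assess_all(SCAN_RESULTS).items():
        print(f"{host}: {'compliant' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
    print("hardened context refuses legacy:", context_refuses_legacy(hardened_client_context()))
```

The legacy host produces six findings (two deprecated protocols, two weak suites, a 1024-bit key and a self-signed certificate) while the modern host produces none. Feeding real scanner output into `ScanResult` is the only change needed to use the check on your own inventory; the policy tables at the top are where an organisation's own thresholds belong.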