Transport-Layer Security (TLS) is a widely used method of securing communications over the Internet that uses a combination of certificates and keys to encrypt information. TLS is the successor to SSL and is the current industry standard.
Since some companies and systems on the Internet still use Secure Socket Layer (SSL), we refer to the related risk vectors as “TLS/SSL Certificates” and “TLS/SSL Configurations.”
Bitsight data providers make TLS/SSL connections with servers and collect the certificate chain during the session negotiation process.
Notes
- TLS has undergone several revisions to improve security, block known attacks, and add support for new cryptographic algorithms.
- Many TLS implementations (software libraries that support all the standardized features of the TLS security protocol) do not support backwards compatibility with SSL due to design-level vulnerabilities like POODLE (SSL version 3).
- It is important to understand and assess whether the implementation of TLS installed on your company servers support SSL fallback, as that may pose a security risk (adversaries can use POODLE or other SSL-oriented attacks), as well as whether your servers only support strong cipher suites that are resistant to attack on an industry-approved level.
Resources
- GitHub, “SSL and TLS Deployment Best Practices,” Section 1.3
- NCSC, “Factsheet Certificates with 1024 bit RSA are being phased-out”
- Thawte, “Moving To A 2048-Bit Certificate”
- GlobalSign, “The Dangers of Self-Signed SSL Certificates”
- Rapid7, “Self-signed TLS/SSL certificate”
- Synopsis, Inc., “Heartbleed”
- August 20, 2020: TLS 1.0 and 1.1 deprecated.
- May 9, 2019: TLS 1.0 and 1.1 deprecation.
Feedback
0 comments
Please sign in to leave a comment.