Update Your Server's TLS

22/06/2021

Everyone wants to browse the web safely. To that end, virtually all web servers use TLS (Transport Layer Security) to encrypt communication with clients. However, older versions of the protocol use insecure encryption techniques and may be weaker protocols, in general. The US NSA has issued guidelines for web administrators to update their servers.

It would be wonderful if all websites had been updated in January 2021 when the guidelines were issued. Unfortunately, there are still sites that have not been updated. This can be due to many factors:

Some sites are seen as "set and forget": they were deployed, they provide the needed service and they are sort of forgotten by their owners. It happens a lot in real life.

There is no money for updates. Server updates take time for the actual updates and testing, and there may be no room in the budget to address a security issue potentially seen as an unlikely risk.

The "if it ain't broke don't fix it" attitude. After all, as I noted above, it will likely cost money. This attitude is a big issue because it is broken, there is a risk, and the updates need to be done.

To address the time issue, the NSA guidelines linked above have guidance for both government and private administrators. For instance, they list specific obsolete encryption protocols that should be disabled. Administrators don't need to guess what might be necessary. They also made available specific detection and mitigation tools at https://github.com/nsacyber/Mitigating-Obsolete-TLS.

While the operation of updated websites will need to be tested to ensure they function correctly, the guidelines recommend tools to ensure the TLS updates were successful. One tool they suggest is https://www.ssllabs.com/ssltest. I have used that tool myself and recommend it. (As usual, neither Learning Tree International nor I can recommend the hoster of the tool nor their products.) When I updated a site and used ssltest to verify my fixes worked, I discovered another issue that had been evading resolution for a long time!

source nsa.gov infographic

Here is a section of the guidelines. I am quoting it directly.

Obsolete TLS provides a false sense of security

Organizations encrypt network traffic to protect data in transit. However, using obsolete TLS configurations provides a false sense of security since it looks like the data is protected, even though it really is not. Make a plan to weed out obsolete TLS configurations in the environment by detecting, remediating, and then blocking obsolete TLS versions, cipher suites, and finally key exchange methods. Prepare for cryptographic agility to always stay ahead of malicious actors' abilities and protect important information.

For both public and private organizations, protecting information confidentiality and integrity is crucial to the organization's overall cyber security. Making these updates is crucial. We discuss these and other issues in Learning Tree Course 468 System and Network Security Introduction.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.