NSA Issues Guidance on Replacing Obsolete TLS Versions
upstart writes in with an IRC submission:
NSA Issues Guidance on Replacing Obsolete TLS Versions:
The National Security Agency (NSA) this week issued guidance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) cybersecurity decision makers, system admins, and network security analysts to replace obsolete versions of the Transport Layer Security (TLS) protocol.
TLS and Secure Sockets Layer (SSL) were designed to ensure the security and privacy of communication channels between clients and servers through encryption and authentication.
The protocols encrypt data in traffic, but older versions of these protocols have proven insecure, weakening data protection. Furthermore, new attacks against them have been discovered, further proving their inefficiency.
[...] "NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used," the agency says.
[...] "This will also help organizations prepare for cryptographic agility to always stay ahead of malicious actors' abilities and protect important information. Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not," the NSA notes.
(Emphasis retained from original.)
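To check the quoted recommendation against observed traffic, the following added example (not from the article or the NSA guidance) reads the version a server selected in a TLS ServerHello record and flags anything other than TLS 1.2 or TLS 1.3. The function names and the constructed sample records are assumptions made for illustration.

```python
import struct

# TLS wire version codes. SSL 2.0 uses a different record format and is not parsed here.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALLOWED = {"TLS 1.2", "TLS 1.3"}   # the only versions the quoted guidance permits
SUPPORTED_VERSIONS = 0x002B        # extension a TLS 1.3 server uses to state its version

def negotiated_version(record):
    """Return the version name a server selected in a ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack_from("!H", body, 0)[0]   # legacy_version
    pos = 2 + 32                  # skip legacy_version and random
    pos += 1 + body[pos]          # skip session_id
    pos += 2 + 1                  # skip cipher_suite and compression_method
    if pos + 2 <= len(body):      # an extensions block follows
        end = min(pos + 2 + struct.unpack_from("!H", body, pos)[0], len(body))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if pos + 4 + ext_len > end:
                break             # truncated extension, stop parsing
            if ext_type == SUPPORTED_VERSIONS and ext_len == 2:
                version = struct.unpack_from("!H", body, pos + 4)[0]
            pos += 4 + ext_len
    return VERSIONS.get(version, "unknown (0x%04x)" % version)

def audit(record):
    """Return (version_name, compliant) for one ServerHello record."""
    name = negotiated_version(record)
    return name, name in ALLOWED

def build_server_hello(legacy, selected=None):
    """Construct a minimal ServerHello record as sample input (not a capture)."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    if selected is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake

if __name__ == "__main__":
    for rec in (build_server_hello(0x0303, 0x0304), build_server_hello(0x0303),
                build_server_hello(0x0302), build_server_hello(0x0300)):
        print(audit(rec))
```

A TLS 1.3 server sets the legacy version field to the TLS 1.2 code and states its real choice in the `supported_versions` extension, which is why the parser looks past the fixed fields.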