The National Security Agency (NSA) warns of outdated encryption protocols such as TLS 1.0 (Transport Layer Security) and recommends the use of more up-to-date procedures to protect data traffic on the Internet more effectively. With their tips, they are aimed primarily at government organizations and companies.

If web admins do not care, attackers could in some cases be called Man -in-the-middle with comparatively little effort break the encryption and thus, for example, copy passwords and other personal data. This is particularly dangerous if it happens on a banking website, for example.

NSA encryption tips The TLS standard encrypts the Traffic when visiting websites (HTTPS). In addition, TLS is the most important standard for authentication on the Internet. In a paper, the NSA lists, among other things, what it considers to be obsolete procedures SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1. TLS 1.0 has been in use for over 20 years and relies on the hash procedures MD5 and SHA-1, which have long been considered unsafe.

Admins should use the encryption protocols TLS 1.2 or TLS 1.3, which are currently considered secure. In the course of this, it is best to completely deactivate insecure procedures, otherwise attackers could abuse websites with downgrade attacks such as Freak.

In addition, insecure encryption algorithms such as RC4 or DES should never be used. It is also important to use secure key exchange methods such as Diffie Hellman on elliptic curves (ECDH).

Chrome, Firefox & Co. have already abandoned TLS 1.0 / 1.1 for web browsers. The Internet Engineering Task Force (IETF) has been working on a ban on old TLS versions since 2018.

Further tips In the paper, the NSA gives further information on secure TLS configurations and how admins can track down obsolete TLS procedures in their own network.

(of)