NSA: Do not use SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1

The National Security Agency (NSA) issued a statement [PDF] this month urging system administrators in federal services and beyond to stop using outdated TLS protocols.

"The NSA recommends using only TLS 1.2 or TLS 1.3 and not using SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1," the agency said.

"Using outdated encryption provides a false sense of security, because it seems that sensitive data is protected, even though it is not really so."

Although the agency recommends TLS 1.2 and TLS 1.3, the NSA warns against configuring these two protocols with weak cryptographic parameters.

"The particularly weak encryption algorithms in TLS 1.2 are defined as NULL, RC2, RC4, DES, IDEA, and TDES/3DES. The cryptographic suites that use these should not be used," the agency continues.

"TLS 1.3 removes these encryption suites, but implementations that support both TLS 1.3 and TLS 1.2 should be checked for obsolete encryption suites."

The U.S. Department of Homeland Security has released a list of tools on its GitHub profile to help system administrators detect systems on their internal networks that still use outdated TLS protocols.
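
As an added illustration (not code from the NSA, DHS or this article), the following Python sketch checks a scan result against the guidance quoted above. The input format, a mapping of protocol label to offered cipher suite names, and the sample data are assumptions constructed for the example; suite names may be in IANA or OpenSSL style.

```python
import re

# Protocol versions the statement says not to use (labels are an assumed scanner format).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Weak algorithms named in the statement, as they appear as tokens in suite names.
WEAK_TOKENS = (("NULL", "NULL"), ("RC2", "RC2"), ("RC4", "RC4"),
               ("IDEA", "IDEA"), ("DES", "DES"), ("DES40", "DES"))


def weak_algorithm(suite):
    """Return the weak algorithm a suite name uses, or None if none is found."""
    tokens = set(re.split(r"[_-]", suite.upper()))
    # OpenSSL writes 3DES as DES-CBC3; check it first so it is not reported as DES.
    if tokens & {"3DES", "CBC3"}:
        return "TDES/3DES"
    for token, label in WEAK_TOKENS:
        if token in tokens:
            return label
    return None


def audit(offered):
    """offered: {protocol label: [suite names]} -> list of (protocol, suite, reason)."""
    findings = []
    for protocol, suites in offered.items():
        if protocol in OBSOLETE_PROTOCOLS:
            findings.append((protocol, None, "obsolete protocol"))
            continue  # the whole protocol must be disabled, whatever its suites
        for suite in suites:
            algo = weak_algorithm(suite)
            if algo:
                findings.append((protocol, suite, f"weak algorithm {algo}"))
    return findings


# Constructed sample: what a scanner might report for one server.
SAMPLE_SCAN = {
    "TLSv1.0": ["ECDHE-RSA-AES128-SHA"],
    "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA",
                "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_NULL_SHA256"],
    "TLSv1.3": ["TLS_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for protocol, suite, reason in audit(SAMPLE_SCAN):
        print(f"{protocol:8} {suite or '-':28} {reason}")
```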

The NSA statement, released on January 5, was repeated yesterday by its counterpart in the Netherlands, the Dutch National Cyber Security Center (NCSC).

In a similar alert [PDF], the Dutch NCSC also recommends that all Dutch government agencies and private companies move to TLS 1.3.

In mid-2020, the major browsers stopped supporting TLS 1.0 and TLS 1.1, citing security reasons. In March 2020, the security research firm Netcraft reported that about 850,000 websites were still using TLS 1.0 and TLS 1.1 to encrypt HTTPS traffic, a number that has been slowly declining since then.


Written by giorgos
