Skip to content

Outdated SSL/TLS Protocols Supported

Outdated SSL/TLS Protocols Supported

Description

This vulnerability indicates that the server supports one or more outdated SSL/TLS protocols. These protocols have known security vulnerabilities and are considered insecure for modern use.

Outdated protocols may include: - SSLv2 - SSLv3 - TLSv1.0 - TLSv1.1

These protocols have various weaknesses that can be exploited by attackers, potentially leading to:

  1. Man-in-the-Middle (MitM) attacks
  2. Decryption of encrypted communications
  3. Data integrity compromises
  4. Downgrade attacks forcing the use of weaker protocols

Example Scenario: An attacker could exploit the POODLE vulnerability in SSLv3 to decrypt sensitive information transmitted over an encrypted connection. This could lead to the exposure of login credentials, session tokens, or other confidential data.

Supporting these outdated protocols also violates various security standards and best practices, potentially impacting compliance with regulations such as PCI DSS.

Recommendation

To mitigate the risks associated with outdated SSL/TLS protocols, consider the following recommendations:

  1. Disable Outdated Protocols:
  2. Disable support for SSLv2, SSLv3, TLSv1.0, and TLSv1.1 on all servers and applications.

  3. Enable only TLSv1.2 and TLSv1.3, which are currently considered secure.

  4. Update SSL/TLS Libraries:

  5. Ensure all SSL/TLS libraries and implementations are up-to-date with the latest security patches.

  6. Consider using modern TLS libraries that have secure defaults and are actively maintained.

  7. Configure Strong Cipher Suites:

  8. Use strong cipher suites that support Perfect Forward Secrecy (PFS).

  9. Disable weak ciphers and hash functions (e.g., RC4, MD5, SHA1).

  10. Implement Secure TLS Configuration:

  11. Follow industry best practices for TLS configuration, such as those provided by Mozilla's SSL Configuration Generator or OWASP's TLS Cheat Sheet.

  12. Regularly test your TLS configuration using tools like SSL Labs' SSL Server Test.

  13. Use HTTP Strict Transport Security (HSTS):

  14. Implement HSTS to ensure that clients always connect to your server using HTTPS, preventing downgrade attacks.

  15. Consider TLS 1.3:

  16. If possible, enable support for TLS 1.3, which offers improved security and performance over TLS 1.2.

Standards

  • SOC2_CONTROLS:
    • CC_6_7
    • CC_7_1
  • CCPA:
    • CCPA_1798_150
  • GDPR:
    • ART_32
  • PCI_STANDARDS:
    • REQ_2_3
    • REQ_4_1
    • REQ_6_5