Modern TLS compatibility

OWASP 2013-A5 OWASP 2017-A3 OWASP PC-C10 WSTG-CRYP-01 PCI v3.2- CAPEC-217 CWE-311 HIPAA-311 ISO27001-A.14.1.3 WASC-4

The TLS protocol is used to provide privacy and data integrity between two or more communicating computer applications. When secured by TLS, connections between a client and a server have one or more of the following properties:-

  • The connection is private
  • The identity of parties can be authenticated
  • The connection is reliable

Transportation layer came from Secure Socket Layer. A careful configuration of TLS will provide additional privacy-related properties like forwarding secrecy, prevent discloser of encryption keys etc. For services that don’t need backward compatibility, modern TLS will provide a higher level of security. Modern configuration is compatible with Firefox 27, Chrome 30, Android 5.0, IE 11 on Windows 7, Edge, Opera 17, Safari 9, and Java 8.

Impact

The impact include:-

  • Renegotiation attack
  • Downgrade attacks like Logjam and FREAK
  • Cross-platform attacks like DROWN
  • BEAST attack
  • Breach attacks
  • POODLE attacks

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Changing to a new cipher suite for clients using the newer versions of the web browser.

Latest Articles