usd HeroLab Top 5 Vulnerabilities 2020: Transport Layer Security (TLS) 1.0

16. July 2021

During penetration tests our security analysts repeatedly uncover entry points in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 4: TLS 1.0

Vulnerability Background

The TLS protocol is widely used for the authentication and encryption of network connections. TLS sits between TCP and the application- and presentation-layer protocols. A certificate vouches for the authenticity of the contacted server, and the connection between client and server is encrypted.

TLS is probably one of the most widely used encryption protocols for network communications. Encryption of the transmitted data is separated from the application-layer protocol itself, so application developers do not have to deal with the encryption layer. The configuration of TLS, however, still has to be set by hand, which leaves plenty of room for vulnerabilities. Many systems still use the outdated version TLSv1.0, which the PCI Council has no longer regarded as sufficiently secure since 2016.

Exemplary hacker attack and its consequences

Vulnerabilities at the TLS level can often only be exploited under laboratory conditions [1]. This vulnerability category has nevertheless made it onto our list because of the remarkable frequency with which TLSv1.0 was identified in the tested systems, a clear sign that vulnerabilities at the TLS level are still not taken seriously.

Recommended measures

TLSv1.0 is an outdated version of the TLS protocol with known vulnerabilities. Although concrete exploitation is difficult, a security risk remains. PCI-relevant systems in particular must no longer support TLSv1.0 in order to meet compliance requirements.
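Because TLS versions are enabled by hand-written server configuration, the quickest way to find the legacy versions this post warns about is to audit those directives. The following script is an added example and not code from the usd HeroLab post: it parses nginx `ssl_protocols` and Apache `SSLProtocol` lines (including Apache's `all`, `+` and `-` semantics, where `all` is assumed to expand to SSLv3 and TLSv1 through TLSv1.3 as on httpd 2.4), reports every directive that still enables SSLv2, SSLv3, TLSv1.0 or TLSv1.1, and prints the hardened replacement. The configuration text is constructed for the demo.

```python
"""Find web-server directives that still enable TLS 1.0/1.1 (added example)."""
import re

# Canonical protocol names, oldest first. Assumption: Apache's "all" keyword
# expands to SSLv3 and TLSv1..TLSv1.3 (httpd 2.4 removed SSLv2 support).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
APACHE_ALL = set(KNOWN) - {"SSLv2"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # versions to flag
_CANON = {name.lower(): name for name in KNOWN}     # case-insensitive lookup

NGINX_RE = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;", re.IGNORECASE)
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

# Hardened replacement directive for each dialect.
FIX = {
    "nginx": "ssl_protocols TLSv1.2 TLSv1.3;",
    "apache": "SSLProtocol -all +TLSv1.2 +TLSv1.3",
}


def _canon(name):
    """Map a protocol name in any case to its canonical spelling."""
    try:
        return _CANON[name.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol name: {name}") from None


def nginx_protocols(args):
    """nginx lists the enabled versions explicitly; there is no add/remove syntax."""
    return {_canon(tok) for tok in args.split()}


def apache_protocols(args):
    """Apache evaluates tokens left to right: 'all' enables every version,
    '+X' or a bare 'X' enables X, and '-X' disables X."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        versions = APACHE_ALL if name.lower() == "all" else {_canon(name)}
        if sign == "+":
            enabled |= versions
        else:
            enabled -= versions
    return enabled


def parse_directive(line):
    """Return (dialect, enabled set) for a TLS protocol directive, else None."""
    m = NGINX_RE.match(line)
    if m:
        return "nginx", nginx_protocols(m.group(1))
    m = APACHE_RE.match(line)
    if m:
        return "apache", apache_protocols(m.group(1))
    return None


def audit_config(text):
    """Scan config text and return one finding per directive that still
    enables a legacy version: (line number, dialect, sorted legacy list, fix)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        parsed = parse_directive(line)
        if parsed is None:
            continue
        dialect, enabled = parsed
        weak = sorted(enabled & LEGACY, key=KNOWN.index)
        if weak:
            findings.append((lineno, dialect, weak, FIX[dialect]))
    return findings


# Constructed sample: an nginx server block followed by an Apache vhost fragment.
SAMPLE_CONFIG = """\
# nginx
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy versions still enabled
}
# Apache
<VirtualHost *:443>
    SSLProtocol all -SSLv3                 # "all" includes TLSv1 and TLSv1.1
    SSLProtocol -all +TLSv1.2 +TLSv1.3     # already hardened
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, dialect, weak, fix in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno} ({dialect}): enables {', '.join(weak)} -> use: {fix}")
```

The Apache case is the one that usually slips through review: `SSLProtocol all -SSLv3` looks like a hardening line but leaves TLSv1.0 and TLSv1.1 switched on, which is why the script evaluates the token list rather than grepping for the string `TLSv1`. Run it over the output of a configuration export from the web servers in scope; the hardened directives it suggests are the common form for both servers, but verify the resulting protocol set against the client base before rolling them out.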

Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.


[1] In our mini-series, we do not get into cryptographic details.


Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.
