TLSv1.0
Written by Nick Hemenway
Updated over a week ago

TLSv1.0 should be disabled across the board for a few reasons:
1. TLSv1.0 in any form is now a PCI DSS must-fail item, regardless of the grade a third-party scanning service assigns to any individual cipher.

2. POODLE attacks, per CISA:

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

Some Transport Layer Security (TLS) implementations are also vulnerable to the POODLE attack.

3. ROBOT attacks, per The ROBOT Attack:

For hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it.

For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible, but it is more challenging.


Additionally, the TLSv1.0 RSA ciphers do NOT support forward secrecy.
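A practical way to verify the point above is to ask a server for a handshake pinned to exactly one protocol version and see whether it accepts it, and to check whether the suites it still offers use an ephemeral (EC)DHE key exchange, which is what gives forward secrecy. The script below is an added example written for this article, not code from the author or from any vendor; the host and port it probes are whatever you pass on the command line, and the hardened server context it builds is an illustration of how to refuse TLSv1.0 in Python's standard `ssl` module, not a configuration taken from the page.

```python
"""Probe a TLS endpoint for legacy protocol support and classify cipher suites
by forward secrecy. Added example for the TLSv1.0 article; not the article's
own code. Requires only the Python standard library."""
import socket
import ssl
import sys

# Protocol versions we want to know about, oldest first.
PROBE_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_tls_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake at exactly `version`,
    False if it refuses that version, None if the server is unreachable or the
    local OpenSSL build cannot speak that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support only, not the certificate, so identity
    # checks are switched off for this probe (never do this in production code).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Offer legacy suites too, so a refusal is the server's decision.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older/LibreSSL builds may reject the security-level directive
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False
    except OSError:
        return None


def probe_host(host, port=443):
    """Map each version label to True/False/None for the given host."""
    return {label: probe_tls_version(host, port, ver) for label, ver in PROBE_VERSIONS}


def has_forward_secrecy(cipher_name):
    """True when the suite's key exchange is ephemeral (EC)DHE.
    OpenSSL-style names: ECDHE-*/DHE-*/EDH-* are ephemeral; a name with no
    key-exchange prefix (e.g. AES128-SHA) is static RSA key transport, which
    is exactly the TLSv1.0-era suite the article says lacks forward secrecy.
    TLS 1.3 suites (TLS_*) always use an ephemeral exchange."""
    name = cipher_name.upper()
    if name.startswith("TLS_"):
        return True
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context that refuses TLSv1.0/1.1 and static-RSA key exchange.
    Certificate loading is optional so the policy can be inspected without one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Keep only (EC)DHE AEAD suites; !kRSA drops RSA key transport while
    # leaving RSA *authentication* (ECDHE-RSA-...) available.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!kRSA")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def accepts_tls10(ctx):
    """True if a context's floor still admits TLSv1.0."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    for label, result in probe_host(target).items():
        state = {True: "ACCEPTED", False: "refused", None: "unknown"}[result]
        print(f"{target}: {label} {state}")
```

Run it as `python probe_tls.py your.host.example`; a line reading `TLSv1.0 ACCEPTED` is the finding the article says must be fixed. The probe deliberately pins both the minimum and maximum version so that a modern client's automatic upgrade to TLS 1.2 cannot mask a server that would still negotiate 1.0 with an older client.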
