An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Make sure that your web server offers only recent and strong protocol versions.
Deprecated SSL Protocol Versions Security Assessment
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Deprecated SSL Protocol Versions Vulnerability Information
An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Make sure that your web server only offers recent and strong protocol versions.
In their latest cheat sheet for Transport Layer Security (TLS), the OWASP guide recommends the following setting:
- The SSL protocols have a large number of weaknesses, and should not be used in any circumstances.
- General-purpose web applications should only support TLS 1.2 and TLS 1.3, with all other protocols disabled.
A short history on SSL and TLS
SSL versions 2 and 3
Secure Socket Layer (SSL) was the original protocol used to provide encryption for HTTP traffic in the form of HTTPS. There were two publicly released versions of SSL – versions 2 and 3. Unfortunately, both have serious cryptographic weaknesses and should no longer be used.
TLS version 1.0 to 1.3 (SSL version 3.1 to 3.4)
For various reasons, the next version of the protocol (effectively SSL 3.1) was named Transport Layer Security (TLS) version 1.0. Subsequently, TLS versions 1.1, 1.2, and 1.3 have been released.
The terms “SSL,” “SSL/TLS,” and “TLS” are frequently used interchangeably, and in many cases, “SSL” is used when referring to the more modern TLS protocol.
How to Disable Deprecated SSL Protocol Versions
To disable the deprecated SSL/TLS protocol versions, please refer to Secure TLS Configuration.
Why are Security Protocols Important?
The reason why you should care about TLS is simple: it protects data in transit from eavesdropping, tampering, or message modification. This means that if a hacker wants to steal information from you, they will have to intercept the traffic between your computer and the website you’re trying to access. They won’t be able to get any of the data on its own because it’s encrypted, but they can try to impersonate the site owner and trick you into giving them sensitive information.
How Does TLS Work?
To protect data in transit, TLS uses asymmetric cryptography. In this scenario, two keys are used; one key is public and the other private. When you send a request to a website, you use the public key to encrypt the connection so that only the intended recipient can decrypt it. If someone else tries to intercept the communication, they’ll see gibberish instead of the original content.
When using HTTPS, the browser first connects with the server over an unencrypted HTTP session.
What is the difference between TLS 1.0 and TLS 1.2?
SSL/TLS provides three different levels of security: SSL 3.0, TLS 1.0, and TLS 1.1. All three provide some level of protection against eavesdroppers, but TLS 1.2 has been designed specifically to address the weaknesses found in older versions.
Why do I need to enable encryption?
If you don’t want anyone to snoop on your communications, you must make sure that all connections to websites are secured. Otherwise, hackers could easily intercept your requests and read your and your client’s personal information.