usd HeroLab Top 5 Vulnerabilities 2020: Transport Layer Security (TLS) 1.0

16 July 2021

During penetration tests, our security analysts repeatedly uncover entry points in IT systems and applications that pose significant risks to corporate security. Increasingly, they identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 4: TLS 1.0

Vulnerability Background

The TLS protocol is widely used to authenticate and encrypt network connections. It sits between TCP and the application and presentation layer protocols. The authenticity of the contacted server is guaranteed by a certificate, and the connection between client and server is encrypted.

TLS is probably one of the most widely used encryption protocols for network communications. The encryption of the transmitted data is separated from the actual application layer protocol, so that application programmers do not have to deal with the encryption layer. Only the configuration of TLS still has to be done manually, and this is where much of the potential for vulnerabilities lies. Many systems still use the outdated version TLSv1.0, which the PCI Council has no longer recognized as sufficiently secure since 2016.

Exemplary hacker attack and its consequences

Vulnerabilities at the TLS level can often only be exploited under laboratory conditions [1]. The reason this vulnerability category has nevertheless made it into our list is the outstanding frequency with which TLSv1.0 was identified in the tested systems, a clear sign that vulnerabilities at the TLS level are still not taken seriously.

Recommended measures

TLSv1.0 is an outdated version of the TLS protocol with known vulnerabilities. Although concrete exploitation is difficult, it still poses a security risk. In particular, PCI-relevant systems must no longer support TLSv1.0 in order to meet compliance guidelines.
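As an added example (not code from the usd HeroLab post), a small Python helper that flags nginx `ssl_protocols` and Apache `SSLProtocol` directives which still enable TLSv1.0/1.1, and that probes a host to see whether it still completes a TLSv1.0 handshake. The directive syntax, the `ALL:@SECLEVEL=0` workaround for OpenSSL 3 and the sample configuration lines are assumptions of this example.

```python
# Added example, not code from the usd HeroLab post. Flags TLSv1.0/1.1 left
# enabled in nginx `ssl_protocols` / Apache `SSLProtocol` lines (syntax assumed
# from those servers' docs) and probes a live host for a TLSv1.0 handshake.
import re
import socket
import ssl

WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_APACHE = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # Apache 'all'
NGINX_RE = re.compile(r"^[ \t]*ssl_protocols\s+([^;]+);", re.M)
APACHE_RE = re.compile(r"^[ \t]*SSLProtocol\s+(.+?)\s*$", re.M)

def apache_enabled(spec):
    """Evaluate Apache's +/- token syntax left to right, e.g. 'all -SSLv3 -TLSv1'."""
    enabled = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        names = ALL_APACHE if name.lower() == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit_config(text):
    """Return (directive, weak protocols still enabled) for each offending line."""
    findings = []
    for m in NGINX_RE.finditer(text):
        weak = sorted(set(m.group(1).split()) & WEAK)
        if weak:
            findings.append((m.group(0).strip(), weak))
    for m in APACHE_RE.finditer(text):
        weak = sorted(apache_enabled(m.group(1)) & WEAK)
        if weak:
            findings.append((m.group(0).strip(), weak))
    return findings

def accepts_tls10(host, port=443, timeout=5.0):
    """True if HOST completes a TLSv1.0-only handshake, False if it refuses,
    None if the local OpenSSL cannot offer TLSv1.0 at all (use an external scanner)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # version probe only
    try:
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 hides TLSv1.0 above level 0
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
    except ssl.SSLError:  # e.g. alert protocol_version: server refused TLSv1.0
        return False
```

Running `audit_config` over a constructed line such as `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` reports TLSv1 and TLSv1.1 as still enabled; the corrected directive would list only TLSv1.2 and TLSv1.3.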

Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.


[1] In our mini-series, we do not get into cryptographic details.


Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.
