tls Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘tls’

TLS 1.0 to 1.2 and NIST TLS Cipher Updates: Email Program and Web Browser Compatibility Issues

Friday, January 10th, 2020


It happens at least every few years: system administrators need to update the security configuration of their servers to keep up with the latest best practices and to close newly found security issues (e.g., via changes to the recommended TLS ciphers and protocols). These updates can be rocky. Change often introduces incompatibilities that prevent certain systems or programs from connecting to the updated servers.

(Article updated for January 10th, 2020).

TLS Encryption Compatibility

In this article we are going to look at which email program and web browser incompatibilities arise when you migrate from the “old standard” (TLS v1.0+ and the ciphers recommended by NIST 800-52r1) to either TLS v1.0+ with the new NIST 800-52r2 ciphers or TLS v1.2+ with the new NIST 800-52r2 ciphers.

Why?

  1. PCI required that servers which need to be PCI compliant use only TLS v1.1+ (which in practice means v1.2+) by the end of June, 2018.
  2. NIST 800-52r2 updated its recommended cipher list, removed many ciphers from revision 1 that are now considered “weak,” and introduced a number of new, better ciphers. Administrators should be using the NIST 800-52r2 cipher set as a best practice.
  3. Organizations that require HIPAA compliance should also follow the NIST guidelines: prepare to support the NIST 800-52r2 ciphers and, where possible, TLS v1.3, and eventually eliminate pre-TLS 1.2 support. See: What level of TLS is required for HIPAA compliance?

Read the rest of this post »

What Level of SSL or TLS is Required for HIPAA Compliance?

Thursday, January 2nd, 2020

SSL and TLS are not monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems. SSL and TLS are evolving protocols with many nuances in how they may be configured. The “version” of the protocol you are using and the ciphers you permit directly determine the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0); see SSL versus TLS – what is the difference? In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone (see the POODLE attack, for example); TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, 1.2, and 1.3) and which “ciphers” are permitted have the greatest impact on security. A “cipher” (cipher suite) specifies the encryption algorithm to be used, the secure hashing (message fingerprinting / authentication) algorithm to be used, and related things such as how encryption keys are negotiated. Some ciphers that have long been used, such as RC4, have become weak over time and should never be used in secure environments. Other ciphers protect against someone who records a secure conversation being able to decrypt it in the future if the server’s private keys are somehow compromised (perfect forward secrecy).

What level of TLS is required by HIPAA?

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what specifically is needed for an appropriate and compliant level of TLS security under HIPAA. Simply “turning on TLS” without also configuring it appropriately is likely to leave your transmission encryption non-compliant.

Read the rest of this post »

How Can You Tell if an Email Was Transmitted Using TLS Encryption?

Tuesday, October 29th, 2019

Frequently, we are asked to verify if an email that someone sent or received was encrypted using SMTP TLS while being transmitted over the internet.  For example, banks, health care organizations under HIPAA, and other security-aware institutions have a requirement that email be secured at least by TLS encryption from sender to recipient.

Email should always be transmitted with this basic level of email encryption to ensure that the message content cannot be eavesdropped upon in transit. Checking whether a message was sent securely is fairly easy to do by looking at the raw headers of the email message in question; however, it requires some knowledge and experience. It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To see how to analyze a message for its transmission security, we will look at an example email message sent from Hotmail to LuxSci, and see that Hotmail did not use TLS when sending this message.  Hotmail is not a good provider to use when security or privacy are required.
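The header check described above, as an added example that is not part of the original post: each Received header records one hop, and Postfix- and Sendmail-style servers write “with ESMTPS” (plus an optional “version=… cipher=…” note) when that hop was received over TLS, versus plain “ESMTP” for an unencrypted session. The sample headers below are constructed, not from a real Hotmail message, and the hostnames are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample headers (not a real message): the top Received line is the
# final hop and used TLS; the hop beneath it was delivered in plaintext.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTPS id 4F0C1A2B3
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
\tfor <alice@example.org>; Mon, 28 Oct 2019 10:15:02 -0400
Received: from webmail.example.com ([198.51.100.7])
\tby mx.example.net with ESMTP id abc123
\tfor <alice@example.org>; Mon, 28 Oct 2019 10:14:58 -0400
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)
TLS_RE = re.compile(r"version=(\S+)\s+cipher=(\S+)")

def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def analyze_hop(received: str) -> Dict[str, object]:
    """Classify one Received header value as a TLS or plaintext hop."""
    m = HOP_RE.search(received)
    proto = m.group(3) if m else ""
    tls = TLS_RE.search(received)
    # Postfix and Sendmail log "with ESMTPS" (ESMTPSA when also authenticated)
    # for TLS sessions; plain "ESMTP"/"ESMTPA" means the hop was unencrypted.
    used_tls = bool(tls) or proto.upper().rstrip("A").endswith("SMTPS")
    return {"from": m.group(1) if m else None, "by": m.group(2) if m else None,
            "protocol": proto or None, "tls": used_tls,
            "version": tls.group(1) if tls else None,
            "cipher": tls.group(2) if tls else None}

def analyze_hops(raw: str) -> List[Dict[str, object]]:
    """One record per Received header, newest (final delivery hop) first."""
    values = [h.split(":", 1)[1].strip() for h in unfold_headers(raw)
              if h.lower().startswith("received:")]
    return [analyze_hop(v) for v in values]

def tls_end_to_end(raw: str) -> bool:
    # A message was protected in transit only if every recorded hop used TLS.
    hops = analyze_hops(raw)
    return bool(hops) and all(h["tls"] for h in hops)
```

Servers that write Received headers in other formats (for example without a “with” clause) come back with a protocol of None, so treat a missing marker as unknown rather than as proof of plaintext.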

Read the rest of this post »

Update: LuxSci upgrading all Systems to support only TLS v1.2+ only

Monday, June 17th, 2019

LuxSci has pushed back the general date of the transition to TLS 1.2-only support to January 1st, 2020. This matches the timeline set by most browser vendors and others for abandoning the old versions of TLS and gives existing customers more time to upgrade their systems. However, new dedicated LuxSci customers will be placed on servers that support only TLS 1.2+ starting this week. The rolling update window is now January 1st through January 31st, 2020.

That said, LuxSci will still be transitioning to requiring TLS 1.2+ support for email transmission (“Forced TLS”) during the July-August, 2019 window.

Additionally, any dedicated customer that would like to transition to TLS 1.2+ sooner may do so at any time by asking LuxSci support.

See the original blog post: LuxSci to upgrade all Systems to support only TLS v1.2+ only

LuxSci to upgrade all Systems to support only TLS v1.2+ only

Monday, April 8th, 2019

Update 6/17/2019: LuxSci has pushed back the general date of the transition to TLS 1.2-only support to January 1st, 2020. This matches the timeline set by most browser vendors and others for abandoning the old versions of TLS. However, new dedicated LuxSci customers will be placed on servers that support only TLS 1.2+ starting this week. The rolling update window is now January 1st through January 31st, 2020.

That said, LuxSci will still be transitioning to requiring TLS 1.2+ support for email transmission (“Forced TLS”) during the July-August, 2019 window.

Additionally, any dedicated customer that would like to transition to TLS 1.2+ sooner may do so at any time by asking LuxSci support.

LuxSci will be removing the remaining support for TLS v1.0 and TLS v1.1 from its services starting July 1st, 2019. This update will be a rolling change to all servers that will take place between July 1st and August 31st, 2019.

TLS v1.0 and TLS v1.1 are very old transport security protocols that have been succeeded by the much more secure TLS v1.2, which came out back in 2008. All major web browsers released in the last 6+ years support TLS 1.2. Older web browsers may or may not support it (check your browser); however, less than 1% of web traffic across the world actually uses the older protocols.

Read the rest of this post »
