" tls v1.2 Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci
LuxSci

Posts Tagged ‘tls v1.2’

What Level of SSL or TLS is Required for HIPAA Compliance?

Saturday, June 2nd, 2018

SSL and TLS are not actually monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems.  SSL and TLS are evolving protocols which have many nuances to how they may be configured.  The “version” of the protocol you are using and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0). … see SSL versus TLS – what is the difference?  In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone (see the POODLE attacks, for example); TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, protocol versions supported (e.g., 1.0, 1.1, or 1.2) anf which “ciphers” are permitted have the greatest impact on security.  A “cipher” specifies encryption algorithm to be used,  the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated.   Some ciphers that have long been used, such as RC4, have become weak over time and should never be used in secure environments.  Other ciphers provide protection against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

What level of TLS is required by HIPAA?

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA compliance for an appropriate and compliant level TLS security.  Simply “turning on TLS” without also configuring it appropriately is likely to leave your transmission encryption non-complaint.  

Read the rest of this post »

Do you expect email carriers to require TLS v1.2 or better in the future?

Friday, July 28th, 2017

Our latest “Ask Erik” question involves the future of TLS delivery:.

Hello Erik,

I am aware of an e-mail server of a Carrier refuses any TLS connections that are not using TLS v1.2. Is it reasonable to expect more Carriers to follow this tact in the future?

Thank you.

This question involves the use of “TLS” to transparently encrypt email communications between email servers over the SMTP protocol.  For a little background, see: “All about secure email delivery over TLS“.

Read the rest of this post »

Is SSL/TLS Really Broken by the BEAST attack? What is the Real Story? What Should I Do?

Wednesday, September 21st, 2011

Update – January, 2015.  SSL v3 should be turned off.  RC4 is now weak and should not be used anymore, even as a work around to the BEAST attack.  LuxSci recommends to use TLS v1.1+ and NIST-recommended ciphers.  The BEAST is not really considered a significant vector (even with TLS v1.0) compared to other things, anymore.

Update – April, 2012. openssl v1.0.1 is out and it supports TLS v1.1 and v1.2 which help mitigate this attack.  All web sites hosted by LuxSci now use this updated software and are safe from BEAST.  LuxSci recommends using a web host which supports TLS v1.1 and v1.2 for secure web connections.

—-

SSL v3 and TLS v1 are subject to a serious exploit, according to a recently published attack mechanism (called BEAST).  This sounds foundation-shattering and kind of scary. When people see this, as when we did, the first panicky questions that arise are:

  • What is really affected?
  • How serious is it?
  • What can I do to protect myself?
  • How does the BEAST attack actually work?

After researching this issue, we have digested what we have found and produced this article to answer all of these questions for you.

Read the rest of this post »