TLS 1.3 and Major TLS Libraries Vulnerable

TLS 1.3 and Major TLS Libraries Vulnerable

Downgrade Attack on TLS 1.3

Several CVEs have been released related to breaking or downgrading TLS streams, including the newest version – TLS 1.3.

The abridged version is that researchers have found ways to break TLS RSA key exchanges and downgrade TLS 1.3 to 1.2. These issues exist in most major TLS libraries including OpenSSL and Amazon s2n.

For now, remediation consists of either supporting only TLS 1.3, so no downgrade attacks are possible, or using elliptic-curve algorithm variants over RSA.

Using TLS 1.3 only is typically not something major applications can do since legacy clients would be unsupported. However, using all elliptic-curve cryptography when setting up TLS doesn’t cause any backward compatibility issues.

Remediation: TLS Libraries Vulnerable

Facebook account takeover may seem like trivial problem to an enterprise organization, however, this may be the first step in a social engineer’s ploy to gain access to a corporate network.

Employees who use social media accounts as marketing or support tools should be extra cautious after news of this breach.

Attackers may take over accounts and pose as clients or employees to entice those controlling corporate accounts to divulge information or open malicious documents. (Read more about phishing attacks here.)

These types of scenarios should be incorporated into user awareness training. Do not trust anyone online simply based on who they purport to be.

Download our guide, “Evolving with Cybercriminals: How to Respond to Social Engineering Techniques,” to learn how to protect your organization against cybercriminals.

How to Respond to Social Engineering Techniques

As cybercriminals evolve their tactics in social engineering, we too must evolve our procedures in response and prevention. Learn more about social engineering trends and discover how to protect your organization against cybercriminals. Learn More →

Social Engineering

Download the Guide →