Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server

Severity	Exploitability	Providers	Categories
HIGH	HIGH	AWS	NETWORK

Description

Outdated TLS policies (version 1.0 and 1.1) rely on insecure cipher suites (SHA-1 and MD5), and are subject to a range of well known attack. Note that TLS 1.0 and 1.1 have been deprecated on March 25, 2021.

Allowing such policies can allow attacker to break the encryption, decrypt the traffic, and perform man-in-the-middle attacks.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	False	True	False

• Data, credential leak.
• Man-in-the-middle attacks.

Remediation guidelines

• Use the default security policy on the load balancer TLS listeners (AWS recommendation).
• If you need to specify a specific security policy, do not use TLS 1.0 or 1.1.

Note that this implies that the clients connecting to your endpoint must support TLS version 1.2 or above.

References

• TLS listeners for your Network Load Balancer (AWS doc)
• Deprecating TLS 1.0 and TLS 1.1 (IETF RFC 8996)
• Why It’s Dangerous to Use Outdated TLS Security Protocols (blog post)
• AWS Load balancer listener policy (terraform)

Was this page helpful?