Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server

Severity	Exploitability	Providers	Categories
HIGH	HIGH	Google Cloud Provider	NETWORK

Description

Outdated TLS policies (version 1.0 and 1.1) rely on insecure cipher suites (SHA-1 and MD5), and are subject to a range of well known attack. Note that TLS 1.0 and 1.1 have been deprecated on March 25, 2021.

Allowing such policies can allow attacker to break the encryption, decrypt the traffic, and perform man-in-the-middle attacks.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	False	True	False

Data, credential leak.
Man-in-the-middle attacks.

Remediation guidelines

Set the minimum TLS version to Version 1.2.

Note that this implies that the clients connecting to your endpoint must support TLS version 1.2 or above.

References

Configure the minimum TLS version for a storage account
Deprecating TLS 1.0 and TLS 1.1 (IETF RFC 8996)
Why It’s Dangerous to Use Outdated TLS Security Protocols (blog post)

Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server

Description

Impact

Remediation guidelines

References

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server

Description​

Impact​

Remediation guidelines​

References​

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Subscribe to our newsletter

Description

Impact

Remediation guidelines

References