Load Balancers Must Require TLS 1.2
Enforce the Use of TLS 1.2
To protect data in transit, you must ensure that all ELBs (Elastic Load Balancers) that accept secure web traffic require, at a minimum, TLS 1.2 connections. Of course, the latest version of TLS is going to change over time as the next version comes out. Right now, the latest version is TLS 1.3, so the minimum version you should be supporting is 1.2. Older versions of TLS and the legacy SSL protocols are all known to have fatal security flaws and do not provide protection for data in transit.
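One way to check this on ALB/NLB listeners is to audit the `SslPolicy` of every TLS-terminating listener against an allow-list of AWS-managed policies whose minimum protocol is TLS 1.2. The script below is an added example, not part of the original page or any AWS tool; the policy names are the published AWS names (the list is not exhaustive, newer 1.2+ policies can be appended), and the listener JSON is a constructed sample with fake ARNs in the shape of `aws elbv2 describe-listeners` output.

```python
import json

# Allow-list of AWS-managed elbv2 security policies whose minimum protocol
# is TLS 1.2 or higher. Anything not listed, including the 2016-08 default
# that still accepts TLS 1.0, is treated as non-compliant (fail closed).
TLS12_MIN_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10",
}
# Listener protocols that terminate TLS on the load balancer itself.
TLS_PROTOCOLS = {"HTTPS", "TLS"}


def audit_listeners(listeners):
    """Return (listener_arn, port, reason) for every TLS-terminating listener
    whose policy is not on the TLS 1.2+ allow-list. `listeners` is the
    `Listeners` array from `aws elbv2 describe-listeners`."""
    findings = []
    for lst in listeners:
        if lst.get("Protocol") not in TLS_PROTOCOLS:
            continue  # HTTP/TCP listeners carry no TLS policy
        policy = lst.get("SslPolicy")
        if policy is None:
            findings.append((lst["ListenerArn"], lst["Port"], "no SslPolicy set"))
        elif policy not in TLS12_MIN_POLICIES:
            findings.append((lst["ListenerArn"], lst["Port"],
                             f"policy {policy} is not on the TLS 1.2+ allow-list"))
    return findings


def audit_json(text):
    """Audit the raw JSON text printed by `aws elbv2 describe-listeners`."""
    return audit_listeners(json.loads(text)["Listeners"])


# Constructed sample in the shape of describe-listeners output (fake account/ARNs).
SAMPLE_JSON = """{"Listeners": [
  {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/abc/111",
   "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
  {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/abc/222",
   "Port": 8443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
  {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/abc/333",
   "Port": 80, "Protocol": "HTTP"}]}"""

if __name__ == "__main__":
    for arn, port, reason in audit_json(SAMPLE_JSON):
        print(f"NON-COMPLIANT {arn} :{port} -> {reason}")
```

Classic ELBs expose their policy through `describe-load-balancer-policies` instead, so this check covers ALB/NLB listeners only.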
Transcription
When we’re talking about encryption of data in transit – over open public networks, over the internet, over wireless networks, etc. – we’re usually talking about use of the TLS protocol, Transport Layer Security protocol. The minimum version we should be supporting in our applications, anymore, is version 1.2. Of course, that’s going to change over time as the next version comes out. Right now, our latest version is TLS version 1.3. Sometime in the future, when they come out with TLS 1.4, we’ll start deprecating 1.2. But, right now, we should be supporting, in our web applications, our elastic load balancers, and any point where we can configure it, we really should be using TLS version 1.2 or TLS version 1.3. Older versions of TLS, TLS version 1.0 as well as all versions of SSL, the older legacy SSL protocol, they have all been demonstrated to have fatal security flaws. They do not provide any form of protection against theft of data in transit. There is a little bit of a gray area around TLS version 1.1. It can be configured to use only secure protocols. It can be configured to remove some of the same flaws that were fatal to TLS 1.0. But, with the advent, now, of TLS version 1.3 starting to get more widespread acceptance in our web servers, in the various elements of our application stacks, we should be supporting TLS version 1.2 and TLS version 1.3. All of those older versions – we should be starting to remove them out of support in our applications.