Snort Blog: Requiring at least TLS 1.2 for Snort.org

["Joel Esler \(jesler\) via Snort-devel" <snort-devel () lists snort org>]

https://blog.snort.org/2018/04/requiring-at-least-tls-12-for-snortorg.html

Requiring at least TLS 1.2 for Snort.org<http://Snort.org>
Later this month, (currently planning) around April 25th, we will be forcing everyone who visits 
Snort.org<http://Snort.org>, either via API (oinkcode) or the website to at least negotiate at TLS version 1.2 or 1.3.

Today we do not enforce this restriction, but as we move more and more things here at Snort / Talos / ClamAV to a more 
secure environment, we want to make sure everyone is doing so, at the best possible encryption level.

We already enforce HTTPS for every connection to any host on the snort.org<http://snort.org> domain (to include 
blog.snort.org<https://blog.snort.org/> starting this week, in case you didn't notice), and all HTTP connections are 
now redirected to HTTPS.  This change hasn't had any negative impact (as far as we can tell), as only 7% of connections 
in the past month to the snort.org<http://snort.org> domain were over HTTP.

What we are concerned about, are very old installations of Snort boxes out there that haven't been updated in some time 
(we know they exist), not being able to connect to Snort.org<http://Snort.org> anymore.

We are assuming the majority of these to be blocked already, as they are attempting to download version "2.4.4" of the 
ruleset for example.

However, In an abundance of caution, and to isolate any issues that this may have, I figured I'd write this blog post 
just in case.

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!