Episode 333 - TLS 1.0 Deprecation

by Evan Basalik June 8, 2020

Candace Jackson, a Senior PM in the Azure Security team, give us an update on the effort to remove the use of TLS 1.0 from applications in Azure.

 

Media file:

 https://azpodcast.blob.core.windows.net/episodes/Episode333.mp3

Resources:

links:
https://www.microsoft.com/en-us/download/details.aspx?id=55266
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls


Connection logging - This help identify what cipher suites and protocols are negotiated during a successful handshake

IIS
https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/

Nginx
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
https://serverfault.com/questions/620123/how-can-i-let-nginx-log-the-used-ssl-tls-protocol-and-ciphersuite

Apache -
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats

 Some resource specific documenation that shows how to configure protocol and cipher suite usage
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#disable-tls-10-and-tls-11
Blog: https://blogs.msdn.microsoft.com/appserviceteam/2018/04/17/app-service-and-functions-hosted-apps-can-now-update-tls-versions/
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-1112
https://docs.microsoft.com/en-us/azure/cloud-services/applications-dont-support-tls-1-2

 

Other updates:

Live Video Analytics now in public preview
Updated: June 01, 2020
Live Video Analytics (LVA) on IoT Edge is now in public preview. It is a platform to capture, record, and analyze live video and publish the results (video and/or video analytics), for you to build intelligent video applications. You can use LVA for a number of use cases across industries such as retail, healthcare, and transportation. You can bring any custom AI by plugging in video analysis edge modules, whether they are Cognitive Services containers, custom edge modules built with open source machine learning models, or custom models trained with a customer’s own data. You can also combine video analysis with other business data to make smarter business decisions.
LVA integrates with a number of Azure services (in the cloud and/or the edge), such as Stream Analytics on IoT Edge, Cognitive Services on IoT Edge, Media Services, Event Hub, and Cognitive Services.

From <https://azure.microsoft.com/en-us/updates/live-video-analytics-now-in-public-preview/>

 

 
 
 NOW AVAILABLE
CNI security vulnerability in older AKS clusters and mitigation steps
Updated: June 01, 2020
A security vulnerability has been identified in the container networking implementation (CNI) in CNI plugin versions v0.8.6 and older that may affect older AKS clusters.
Details
An AKS cluster configured to use an affected container networking implementation is susceptible to man-in-the-middle (MitM) attacks. By sending “rogue” router advertisements, a malicious container can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker-controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond.
This vulnerability has been given an initial severity of Medium with a score of 6.0.
Vulnerability analysis and verification
All AKS clusters created or upgraded with a Node Image Version later or equal than “2019.04.24” are not vulnerable, as they set net.ipv6.conf.all.accept_ra to 0 and enforce TLS with proper certificate validation.
Clusters created or last upgraded before that date are susceptible to this vulnerability.
You can verify if your current Node Image is vulnerable by running: https://aka.ms/aks/MitM-check-20200601  on a machine that has CLI access to the cluster’s nodes.
Windows nodes are not affected by this vulnerability.

From <https://azure.microsoft.com/en-us/updates/cni-security-vulnerability-in-older-aks-clusters-and-mitigation-steps/>

From //build 2020 - Azure SQL Edge (preview)
https://azure.microsoft.com/en-us/services/sql-edge/


Deploy to Azure using GitHub Actions from your favorite tools
https://azure.microsoft.com/en-us/blog/deploy-to-azure-using-github-actions-from-your-favorite-tools/

 

Keywords:

Filed Under: Podcast

Announcements

Now on Spotify! Simply search for Azure Podcast and you will find it (may need to scroll down a bit). 

Podcast Clients

You can find us on iTunes, XBOX Music, Windows Phone podcast app and in most Podcast clients on Android. Or simply use the RSS feed link above and plug it into your Podcast client.

 

Flyer

Love this podcast? Use this flyer to socialize it with your community.

Calendar

<<  October 2020  >>
MoTuWeThFrSaSu
2829301234
567891011
12131415161718
19202122232425
2627282930311
2345678

View posts in large calendar

Tag cloud