One of the most important ways to keep your data well encrypted is to periodically replace older encryption standards with newer encryption standards. Pretty much every cipher and cryptographic implementation is at its most secure when it starts deployment and gets progressively less secure over time. The processing power of computing clusters for cipher cracking get more powerful. Security researchers and cyber attackers alike discover implementation vulnerabilities and they become public knowledge. Cracking tools and scripts for both cyber attackers and security testers become more numerous and effective. Everyone who works with cryptography knows that every cipher and implementation has a “best before date,” it’s just a matter of whether that date is months from now or years from now.
Twenty years is a very long time for a cryptographic implementation. TLS 1.0 will be twenty years old soon because it was first deployed in January 1999. According to Payment Card Industry (PCI), TLS 1.0’s “best before date” was June 30th, 2018. Now any ecommerce site or brick-and-mortar retailer which uses TLS 1.0 to encrypt credit card transactions will fail PCI compliance. PCI will not support TLS 1.0 use and retailers have to use TLS 1.1, 1.2, or 1.3 in order to accept credit card payments.
According to Microsoft, Apple, Google, and Mozilla, TLS 1.0’s “best before date” is March 2020. Microsoft Edge, Safari, Chrome, and Firefox will no longer support TLS 1.0 soon and users of those web browsers will be notified that they cannot use it if they try to start an HTTPs session which uses the deprecated TLS version.
TLS 1.1 was released in April 2006. It only had minor improvements from TLS 1.0, including some security measures against cipher-block chaining attacks. Well Microsoft, Apple, Google, and Mozilla will no longer support TLS 1.1 in their web browsers as of March 2020 either.
Martin Thomson wrote for Mozilla’s blog:
“In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1.
On the Internet, 20 years is an eternity. TLS 1.0 will be 20 years old in January 2019. In that time, TLS has protected billions – and probably trillions – of connections from eavesdropping and attack.
In that time, we have collectively learned a lot about what it takes to design and build a security protocol.
Though we are not aware of specific problems with TLS 1.0 that require immediate action, several aspects of the design are neither as strong or as robust as we would like given the nature of the Internet today. Most importantly, TLS 1.0 does not support modern cryptographic algorithms.
The Internet Engineering Task Force (IETF) no longer recommends the use of older TLS versions. A draft document describes the technical reasons in more detail.
We will disable TLS 1.1 at the same time. TLS 1.1 only addresses a limitation of TLS 1.0 that can be addressed in other ways. Our telemetry shows that only 0.1% of connections use TLS 1.1.”
According to Mozilla, 93.12% of TLS sessions in August and September 2018 (using Firefox Beta 62) were with TLS 1.2, and 5.68% of TLS sessions used TLS 1.3. TLS 1.3 is pretty new. It launched in August 2018.
The major web browser developers have announced that they will drop TLS 1.0 and TLS 1.1 nearly a year and a half in advance in order to give webhosting companies and cloud services providers plenty of time to phase the old versions of TLS out.
Replacing older versions of TLS with newer versions takes a lot of work. Web servers will need to be replaced or updated. Certificates and PKI systems will have to adapt. When major changes like upgrading TLS are deployed, they also must be thoroughly tested. So updating to TLS 1.2 or TLS 1.3 absolutely cannot be done overnight.
You have been warned, so the time to start working on the TLS upgrade to your web services is now.
TLS Machine Identity Management for Dummies
Related posts