Deprecating TLS 1.0 and 1.1 - Enhancing Security for Everyone
Out with the old and in with the new is an inevitable part of the tech industry. Things can change quickly and it's important to keep an eye on new software releases while simultaneously moving away from outdated versions. Today, we would like to announce that we will be deprecating TLS versions 1.0 and 1.1 on March 30, 2018, and moving ahead with improved ciphers for enhanced security.
What is TLS?
If you aren't familiar with TLS, here's a quick primer. TLS stands for Transport Layer Security which is a cryptographic protocol used to increase security over computer networks. It can be used within a variety of applications including securing of data over HTTPS, FTPS, SMTP, etc.
Even if you don't follow web security too closely you've likely heard of the term SSL. SSL and TLS are many times used interchangeably, however, SSL is actually an older, less secure version of TLS.
There are a few important benefits of implementing TLS, such as:
- Improved security
- Instills trust
- Can be easily deployed (via Let's Encrypt)
- Provides the ability to use HTTP/2
- Provides the ability to use Brotli
To learn more, check out our complete overview of what is SSL TLS.
Why are we deprecating TLS 1.0 and 1.1?
TLS 1.0 and 1.1 are both fairly dated versions of the TLS protocol. TLS 1.0 was published in 1999 as RFC 2246 while TLS 1.1 was published in 2006 as RFC 4346. Many improvements have been made since the release of these versions and upgrading to the current standard (TLS 1.2) is now considered the safest and most reliable method of delivering encrypted content over the Internet.
To give you an idea, here are couple major attacks which TLS 1.0 and 1.1 are vulnerable to:
- POODLE - A man-in-the-middle attack that would downgrade the connection to a protocol that was vulnerable to the attack. Poodle primarily targeted SSL 3.0, however, TLS 1.0 and 1.1 were also vulnerable to POODLE as they accept incorrect padding structure after the decryption.
- BEAST - Another man-in-the-middle attack that would take advantage of a vulnerability in the Cipher Block Chaining mode in TLS 1.0 and use it to decrypt data exchanged between two parties.
Furthermore, the PCI Data Security Standard (PCI DSS) requires that you disable the use of any SSL/TLS 1.0 implementations by June 30, 2018. TLS 1.1 will still be accepted by PCI although they strongly recommend using TLS 1.2. Given the vulnerabilities TLS 1.0 and 1.1 are susceptible to and the recommendations provided by PCI, we'll be deprecating support of both of these versions and moving ahead with more recent versions of the TLS protocol.
What this means for you
As a KeyCDN user, nothing needs to be modified on your end due to this change. TLS 1.2 is compatible with all recent major browsers versions.
Most browsers have been supporting TLS 1.2 for at least a few versions with the exception of Internet Explorer. The most recent version (IE 11) does indeed support TLS 1.2 however in versions 8-10 TLS 1.2 must be enabled manually and it is not supported in versions prior to 7.0.
In the event that a visitor is using a version of IE prior to 11, we recommend that you ask them to upgrade to the latest version or change browsers. If this is not possible, IE versions 8-10 do have an option under Tools > Internet Options > Advanced to enable the Use of TLS 1.2
TLS 1.2 and (eventually) TLS 1.3
As of March 31, 2018, we will solely be supporting TLS 1.2 on all of our edge servers. TLS 1.2 comes with a few improvements over TLS 1.1, including:
- The MD5/SHA-1 combination in the pseudorandom function (PRF) is replaced with SHA-256 with the option to use the cipher-suite-specified PRFs.
- The MD5/SHA-1 combination in the digitally-signed element is replaced with a single hash which is negotiated during the handshake.
- Improvements to the client's and server's ability to specify the accepted hash and signature algorithms.
- Support for authenticated encryption for other data modes.
- TLS extensions and AES cipher suites were added.
We've written a guide about TLS 1.2 vs TLS 1.1 if you would like to learn more. Furthermore, we're keeping a close eye on TLS 1.3 and are planning to roll out support once it becomes an RFC standard. This will even further improve both security and performance.
Introducing ChaCha20 and Poly1305
Besides deprecating TLS 1.0 and 1.1 with the goal of enhancing security, we would also like to announce that we're introduced the ChaCha20-Poly1305 cipher suites for TLS. The implementation of ChaCha20 and Poly1305 comes with the benefit of better security and performance. These cipher suites will be active on all KeyCDN edge servers by the end of Q1, 2018.
The ChaCha20 cipher is known to be considerably faster than the AES. According to RFC 7539, ChaCha20 is three times faster on platforms that lack specialized AES hardware which includes Android devices, certain wearable devices, and older computers. ChaCha20 is also immune to padding-oracle attacks and timing attacks.
Poly1305 is a high-speed message authentication code. According to Google's security blog, Poly1305 saves on network bandwidth since it only outputs 16 bytes. A graph showing the expected acceleration of Poly1305 compared to AES-GCM is featured below.
Currently, there are two major browsers (Chrome and Firefox) that support ChaCha20 and Poly1305. Therefore, these browser users will benefit from the enhanced security and performance that these cipher suites have to offer. The remaining browsers will continue to use AES_GCM until support has been adopted.
Overall, by moving forward with updated versions of TLS and enhanced cipher suites, our goal is to provide a safer and faster user experience for everyone. As mentioned above, TLS versions 1.0 and 1.1 will be officially deprecated on March 30, 2018, while the ChaCha20 and Poly1305 cipher suites will be active by the end of Q1, 2018.
Have any questions about the upcoming changes? Let us know.