With TLS having taken some great steps forwards in recent years, with TLSv1.2 in 2008 and TLSv1.3 in 2018, it's time to start dropping support for the legacy versions of TLS.

TLSv1.0 was released in 1999, that's more than 20 years ago(!), and TLSv1.1 was released in 2006, more than 14 years ago. It's fair to say that both of these protocol versions are old, really old. With the standardisation of TLSv1.2 in 2008 we took a really big leap forwards not only in the security the protocol offered but also the performance of the protocol. In 2018 we took an even larger leap with TLSv1.3 making yet more significant leaps in security and performance. For these reasons, it's time that the older versions of TLS were laid to rest before they become too old and weak and end up broken whilst we're still using them.

If we look at the data, how much impact would removing these legacy versions of TLS have? There's some good data gathered from SSL Pulse and we can see here the best version of TLS supported by sites scanned. We see that during the massive rise of TLSv1.2 it was TLSv1.0 taking a fall, not TLSv1.1 as you might expect. TLSv1.1 is that little orange line running along the bottom that barely moved this whole time. It seems that removing TLSv1.1 is likely to be a minor issue because it was never really widely used and TLSv1.0 is still tailing off with a small number of sites depending on it.

If we take a look at my own data from Crawler.Ninja we can also see that most of the sites in the top 1 million sites on the Web won't be affected by this change. It shows the vast majority of sites are already on the newer TLSv1.2 and only a small fraction are depending on Legacy TLS as their highest supported protocol version. It's worth noting that my crawler doesn't support TLSv1.3 yet so there's a good chance some of the TLSv1.2 sites could upgrade even further, however for the purposes of this blog post, that's not really a problem.

Well, as I said, it'd be good to remove these legacy versions now but it's more important we upgrade to support higher versions and we do have some encouragement beyond me telling you it's a good idea. Chrome is now warning users about sites that they visit that are using either TLSv1.0 or TLSv1.1 for the connection. You can visit the Bad SSL test site for yourself to see the warning if your version of Chrome is up to date.

It's not just Chrome either: Firefox announced they are going to drop all support for both TLSv1.0 and TLSv1.1 in March 2020, and they announced this all the way back in October 2018! Just to make it a trifecta, Safari will also be dropping support for Legacy TLS on the same timeline too. I wonder if all of the browser vendors thought this was a great idea and worked together to make it happen.

You need to update all of your services to use a minimum of TLSv1.2 for secure connections.
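
To check where your own services stand, the sketch below probes one protocol version at a time and reports whether Legacy TLS is still enabled, or is the best the service offers, and shows a server context pinned to a minimum of TLSv1.2. It is an added example, not code from the original post; the function names are hypothetical and the probe is meant for hosts you operate.

```python
import socket
import ssl
import warnings

LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses any handshake below TLSv1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def accepts(host, port, version, timeout=5.0):
    """True if host:port completes a handshake pinned to exactly `version`.

    False can also mean the local OpenSSL build cannot speak that version,
    so confirm a clean result from a client known to support Legacy TLS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = version
        if version in LEGACY:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # many builds block these by default
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):   # ssl.SSLError is a subclass of OSError
        return False

def audit(host, port=443, probe=accepts):
    """Report which versions a service offers and whether Legacy TLS is its best."""
    offered = [v for v in LEGACY + MODERN if probe(host, port, v)]
    modern = [v for v in offered if v in MODERN]
    return {
        "host": host,
        "offered": [v.name for v in offered],
        "legacy_enabled": [v.name for v in offered if v in LEGACY],
        "legacy_only": bool(offered) and not modern,
    }
```

A service with `legacy_only` set is one where browsers end up on TLSv1.0 or TLSv1.1, the case the browser warnings described above are aimed at; `legacy_enabled` alone means the old versions can be switched off without losing up-to-date clients.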