Deprecation of TLS 1.0 and TLS 1.1
Internet Engineering Task Force (IETF) has released a document where they explicitly state that TLS 1.0 and TLS 1.1 must not be used and they plan to deprecate both protocols by the end of 2019.
It is true that both protocols can be considered as “ancient history” in terms of internet and computer times. TLS 1.0 is already twenty years old as it was first deployed in January 1999. Not surprisingly, the Payment Card Industry (PCI) has deprecated TLS 1.0 since 30 June 2018. Now any e-commerce site or retailer which still uses TLS 1.0 to encrypt credit card transactions will fail PCI compliance. Therefore, PCI has provided guidance to use TLS 1.1, 1.2, or 1.3 in order to securely process credit card payments.
Conversely, TLS 1.1 debuted in April 2006. It featured slight enhancements over TLS 1.0 and was crafted to rectify vulnerabilities identified in TLS 1.0, especially concerning initialization vector choices and the handling of padding errors.
Both protocols have various vulnerabilities and the specific details on attacks against them as well as their mitigations are provided in NIST SP800-52r2 among other documents.
In line with the IETF, Microsoft, Apple, Google, and Mozilla declared that their “best before date” for both TLS 1.0 and TLS 1.1 is March 2020. The major web browser developers have announced that they will drop TLS 1.0 and TLS 1.1 nearly a year and a half in advance in order to give web-hosting companies and cloud services providers plenty of time to phase the old versions out.
Martin Thomson wrote for Mozilla’s blog:“In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1.Though we are not aware of specific problems with TLS 1.0 that require immediate action, several aspects of the design are neither as strong or as robust as we would like given the nature of the Internet today.Most importantly, TLS 1.0 does not support modern cryptographic algorithms.”
In addition, Google’s announcement reads that “TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. Today only 0.5% of HTTPS connections made by Chrome use TLS 1.0 or 1.1. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.”
How to Disable TLS 1.0 and 1.1
There are two methods for disabling TLS 1.0 or 1.1 recommended bySolarWinds:
Disable TLS 1.0 or 1.1 via Registry
- Open registry editor.
- Go to HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
- TLS 1.0 or 1.1 entry does not exist in the registry by default.
- Create a new subkey called "TLS 1.0 or 1.1" under Protocols.
- Create a new subkey called "Server" under TLS 1.0 or 1.1.
- In the Server key, create a DWORD DisabledByDefault entry, set the value to 1.
- Reboot the server.
Disable TLS 1.0 or 1.1 using IIS Crypto (3rd Party Tool)
- Download IIS Crypto GUI from thislink.
- Open IIS Crypto.
- Uncheck the Server Protocols.
- Reboot the server.
What are the risks of using TLS 1.0, 1.1, and other outdated security protocols?
The IETF draft document describes the security reasons in detail.
These versions lack support for current and recommended cipher suites, and supporting these older versions also requires additional effort for library and product maintenance.
- They necessitate the use of outdated cipher suites that are no longer considered secure for cryptographic purposes and do not support the currently recommended cipher suites. Multiple governmental and industry bodies advise against using these older TLS versions. Products that support these older versions unnecessarily enlarge the potential area for attacks and heighten the risk of configuration errors.
- The reliability of both TLS 1.0 and TLS 1.1 is based on an ongoing SHA-1 hash of the messages exchanged. This vulnerability allows an attacker to execute a downgrade attack on the handshake, compromising security far more than contemporary standards deem acceptable.
- The handshake's authentication relies on signatures derived from either the SHA-1 hash or a combination of MD-5 and SHA-1 hashes, which isn't any stronger. This vulnerability provides an opening for an attacker to masquerade as a server if they can exploit the significantly compromised SHA-1 hash.
- Neither TLS 1.0 nor TLS 1.1 allow the peers to select a stronger hash for signatures, making the use of a newer protocol version a one-way road.
- Deprecation also helps product teams gradually eliminate support for older versions, thereby reducing the potential area for attacks and minimizing maintenance efforts for antiquated protocols.
As Apple notes in their announcement, the use of modern and more secure versions of this protocol, such as TLS 1.2 or TLS 1.3 is the preferred way ahead. TLS 1.2 introduced numerous cryptographic improvements, notably in hash functions, allowing the use or specification of the SHA-2 family of algorithms. Additionally, TLS 1.2 incorporated authenticated encryption with associated data (AEAD) cipher suites. In contrast, TLS 1.3 brought a major overhaul to TLS with the intent to counteract threats emerging over time. This update included a revamped handshake protocol, a refreshed key derivation mechanism, and the elimination of cipher suites employing static RSA or DH key exchanges, the CBC operational mode, or SHA-1.
The employment of these versions come with many benefits:
- Modern cryptographic cipher suites and algorithms with desirable performance and security properties, such as perfect forward secrecy and authenticated encryption, that are not vulnerable to attacks such as BEAST.
- Removal of mandatory and insecure SHA-1 and MD5 hash functions as part of peer authentication.
- Resistance to downgrade-related attacks such as FREAK.
Conclusion
Security is not a single property possessed by a single protocol. Rather, security includes a complex set of related properties that together provide the required information assurance and protection. Security requirements are derived from a risk assessment of the threats or attacks that an adversary is likely to mount against a system. The cost of promoting interoperability at the expense of security should be prohibitive.
The existence of TLS 1.0 and 1.1 on the internet acts as a security risk. Clients using these versions are suffering from their shortcomings, while the rest of the internet is vulnerable to various attacks exploiting known TLS vulnerabilities, for almost no practical benefit. In many occasions, the existence of older versions of TLS is due to “just in case” interoperability or because someone forgot to disable them when they activated newer versions.
Replacing older versions of TLS with newer ones takes a lot of work. When major changes like upgrading TLS are deployed, they also must be thoroughly tested.Soupdating to TLS 1.2 or TLS 1.3 absolutely cannot be done overnight.
Venafi TLS Protect can help you overcome any of these obstacles. Contact the experts to learn how.
(This post has been updated. It was originally published on February 19,2020.)
