SSL (Secure Sockets Layer) / TLS (Transport Layer Security) was developed to make HTTP secure, known as HTTPS (Hypertext Transfer Protocol Secure), and has changed over time to adapt to newer encryption methods and the latest encryption attacks. The current mainstream version, TLS 1.2, was published in 2008, so when does it expire or reach its end of life? Looking at the earlier versions that have reached their end of life, such as SSL, TLS 1.0 and TLS 1.1, we can see a bit of a trend:
| Version | Published | End of Life | Years of life |
|---------|-----------|-------------|---------------|
| SSL 2.0 | 1995 | 2011 | 6 |
| SSL 3.0 | 1996 | 2015 | 19 |
| TLS 1.0 | 1999 | 2021 | 22 |
| TLS 1.1 | 2006 | 2021 | 15 |
It appears the maximum number of years is 22 years and the average is approximately 15 years. TLS 1.2, being published in 2008, would then have an expected life of 22 years to 2023; however, we expect it to be longer than this.
One reason to change version is vulnerabilities, and TLS 1.2 has a lot of vulnerabilities caused by the older cryptographic algorithms that it still supports for compatibility reasons. Also, TLS 1.2 doesn’t have the latest quantum secure algorithms for protection against quantum computer encryption attacks.
TLS 1.3 has resolved this: it has removed the older vulnerable cryptographic algorithms and includes quantum secure algorithms (in theory, but not tested, as we don’t have a capable enough quantum computer to test the theory). TLS 1.3 is also faster, so why don’t we move to TLS 1.3 now?
The issue comes back to user support of TLS 1.3, which is actually really good now. However, some were slow to the TLS 1.3 party, such as Bluecoat and Apple. Security is slowed down by the slowest adopter, and in this case it is Windows 10, which is EOL in Oct 2025.
The good news is that TLS 1.3 is supported on current devices, and the devices it wasn’t supported on are now end of life, so they need to be updated.
If we assume it takes 1 year after the EOL of devices that do not support TLS 1.3, then we can assume that by the end of 2023 most computers will support using TLS 1.3.
So, starting in 2024 and beyond, we recommend enforcing a minimum of TLS 1.3 on your servers.
There is a good chance you are using TLS 1.3 to view this website, as it is supported by most websites and is commonly used. The concern is that TLS 1.3 is still vulnerable, as it allows falling back to TLS 1.2. We would then expect TLS 1.2 to be end of life over the next couple of years (2026), to give everyone sufficient notice to move to TLS 1.3.
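One way to check servers against the TLS 1.3 minimum recommended above, and to spot configurations that still permit the fallback to TLS 1.2, is to audit the server configuration. This is an added example, not code from the original article; it assumes an nginx server (the article names no server software) and reads nginx's `ssl_protocols` directive. The sample configuration and hostnames are constructed for illustration.

```python
import re

# nginx ssl_protocols tokens that are older than TLS 1.3
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Matches an active (not commented-out) ssl_protocols directive and
# captures its arguments up to the terminating semicolon.
DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols\s+([^;#]+);", re.MULTILINE)

# Constructed sample configuration (assumption: nginx syntax).
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;   # still allows fallback to TLS 1.2
}
server {
    listen 443 ssl;
    server_name strict.example.test;
    ssl_protocols TLSv1.3;           # TLS 1.3 only
}
"""


def audit_ssl_protocols(conf_text):
    """Return (line_number, legacy_protocols) for every ssl_protocols
    directive that still enables a version below TLS 1.3.

    Only explicit directives are checked; a server block without one
    inherits the nginx default and should be reviewed separately.
    """
    findings = []
    for match in DIRECTIVE.finditer(conf_text):
        enabled = match.group(1).split()
        legacy = sorted(set(enabled) & LEGACY)
        if legacy:
            # 1-based line number of the directive's first argument
            line_no = conf_text.count("\n", 0, match.start(1)) + 1
            findings.append((line_no, legacy))
    return findings


if __name__ == "__main__":
    for line_no, legacy in audit_ssl_protocols(SAMPLE_CONF):
        print(f"line {line_no}: permits {', '.join(legacy)}; "
              "set 'ssl_protocols TLSv1.3;' to enforce TLS 1.3 only")
```
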
Looking to make your data in transit more secure? Reach out and chat to the experts at Vertex Cyber Security.