TLS 1.0 and TLS 1.1 should be disabled by March 2020

In the evolving cyber security space different aspects of website security are being contantly improved from time to time. We’re giving you a heads up about one such upcoming change which could potentially affect the use of your SSL certificate in major web browsers.

What is TLS?

Did you know that the true name of the modern protocol is actually Transport Layer Security (TLS), not SSL? Even though we commonly call them SSL certificates, these certificates actually enable TLS-based encryption. The most recent version of the protocol is TLS 1.3, and the last version to be released under the name SSL, was SSL 3.0 way back in 1996.

What is changing?

Currently most certificates are setup on web servers by enabling support for TLS 1.0, 1.1, and 1.2 encryption. After March 2020 most web browsers will stop using the less secure TLS 1.0 and 1.1. They will only use TLS 1.2 and the latest TLS 1.3 standard going forward from then.

What do you need to do?

If you control your web server configuration, you need to check the website or virtual host configuration in your web server platform and ensure you disable TLS 1.0 and 1.1 standards. If you are technically inclined, you can get more info on recommended TLS server configs here. If you are not able to make this change yourself, you can ask your tech person to handle this.

If you do not directly control your web server configuration such as in the case of shared web hosting you will need to check on this implementation by contacting your web hosting support team.

You can verify that TLS 1.2/1.3 is enabled (and TLS 1.1 and 1.0 are disabled) for your website by using this online testing tool. Scroll down to the Configuration section after the test completes.

What will happen if you do not make the change?

If you have enabled TLS 1.2 in addition to TLS 1.0 and 1.1 then there should be minimal effect. Although by continuing to allow TLS 1.0 and 1.1 connections from the public Internet you will be exposing your web server to known exploits using these older standards.

If you do not have TLS 1.2/1.3 enabled, all the major web browsers will simply refuse to make secure connections to your website/web server. There will be no use of having a SSL certificate setup for your website.

In the interest of providing a secure environment to your website visitors, and avoiding any unpleasant interruption to your online business, we recommend you ensure this change is implemented before March 2020.

Take care and stay secure!

 

Tagged , .