Tech Titans Take on Obsolete TLS Protocols: Microsoft and Google Lead the Charge

Microsoft Plans to Disable Older Versions of TLS Protocol

Microsoft has announced its plans to disable older versions of the Transport Layer Security (TLS) protocol, citing security concerns and the deprecation of these versions by internet standards and regulatory bodies. TLS is a critical communications encryption technology used to protect information sent over networks and the internet. Microsoft recommends that businesses and users migrate their systems to TLS v1.2 or v1.3.

Why the Change?

The decision to disable TLS v1.0 and v1.1 by default on Windows 11 Insider Preview, followed by a broader deactivation on future Windows versions, comes as a response to the recognition of security vulnerabilities in these outdated versions. Over the years, weaknesses in SSL and earlier versions of TLS have prompted technology companies and organizations to push for the adoption of more secure TLS versions.

Microsoft’s switch to more secure TLS versions is in line with a broader industry trend. Six months prior to Microsoft’s announcement, Google and its Chromium Project recommended that TLS certificates have a maximum lifespan of 90 days, significantly less than the current maximum of 398 days. This change aims to drive automation in certificate infrastructure management, leading to improved security agility and faster adoption of emerging security capabilities.

Preparing for the Transition

Companies planning to transition to TLS v1.2 or v1.3 should first inventory their TLS endpoints, review their collection of certificates, and identify other technical components. The move towards shorter certificate lifetimes necessitates automated management of keys and certificates. An automated solution can provide continuous scanning of hybrid multi-cloud environments, ensure visibility into crypto assets, and maintain an updated inventory to identify expired and weak certificates. Full certificate lifecycle management automation allows for re-provisioning, auto-renewal, and revocation of certificates.
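As an added illustration (not code from the article or from Microsoft or Google), the audit step of such an inventory could look like the following, which flags deprecated protocol versions and certificates that are expired, close to expiry, or longer-lived than the 398-day and 90-day limits mentioned above. The hostnames and records are constructed, the 30-day renewal window is an assumption, and the field formats mirror what Python's `ssl` module reports from `SSLSocket.version()` and `SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # strings as reported by SSLSocket.version()
CURRENT_MAX_DAYS = 398   # current maximum certificate lifetime cited in the article
PROPOSED_MAX_DAYS = 90   # maximum proposed by Google and the Chromium Project
RENEW_WINDOW_DAYS = 30   # assumption: renewal warning threshold chosen for this example

def _ts(cert_time):
    """Parse a 'Mon DD HH:MM:SS YYYY GMT' certificate time into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def audit(record, now):
    """Return the list of findings for one inventory record."""
    findings = []
    if record["version"] in DEPRECATED:
        findings.append("deprecated-protocol")
    not_before, not_after = _ts(record["notBefore"]), _ts(record["notAfter"])
    lifetime = (not_after - not_before).days
    remaining = (not_after - now).days
    if not_after <= now:
        findings.append("expired")
    elif remaining < RENEW_WINDOW_DAYS:
        findings.append("expiring-soon")
    if lifetime > CURRENT_MAX_DAYS:
        findings.append("lifetime-over-398d")
    elif lifetime > PROPOSED_MAX_DAYS:
        findings.append("lifetime-over-90d")
    return findings

# Constructed inventory with hypothetical hosts, as a scanner might record it.
INVENTORY = [
    {"host": "portal.example.test", "version": "TLSv1.3",
     "notBefore": "Mar  1 00:00:00 2024 GMT", "notAfter": "May 30 00:00:00 2024 GMT"},
    {"host": "legacy-erp.example.test", "version": "TLSv1",
     "notBefore": "Jan  1 00:00:00 2022 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT"},
    {"host": "api.example.test", "version": "TLSv1.2",
     "notBefore": "Jun  1 00:00:00 2023 GMT", "notAfter": "Apr 10 00:00:00 2024 GMT"},
]

def audit_inventory(inventory, now):
    """Map each host to its findings; an empty list means nothing to fix."""
    return {r["host"]: audit(r, now) for r in inventory}

if __name__ == "__main__":
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed date so the output is repeatable
    for host, findings in audit_inventory(INVENTORY, now).items():
        print(host, findings or ["ok"])
```

A server that negotiates TLS 1.2 with a modern client may still accept TLS 1.0 from an older one, so the inventory should record the lowest version each endpoint accepts rather than the version a single handshake happened to negotiate.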

The transition to TLS 1.3 is already in progress, with more than one out of every five servers (21%) using this version. TLS 1.3 offers significant performance benefits, including zero round-trip time key exchanges and stronger security compared to TLS 1.2. Many organizations currently use TLS 1.2 internally and TLS 1.3 externally.

Implications of Ubiquitous Encryption

While the widespread adoption of TLS 1.3 and DNS-over-HTTPS brings enhanced security, it also presents challenges for security visibility. As network traffic becomes increasingly encrypted, security monitoring tools may be hindered in inspecting the contents and destinations of traffic, potentially compromising threat detection capabilities. The security community is actively working on solutions to address this issue and restore visibility to the network.

The Rarity of TLS Vulnerabilities

Although TLS vulnerabilities exist, they are relatively rare in terms of actual attacks seen in the wild. Attacking encryption infrastructure is highly complex and requires sophisticated tools and techniques, making it an unattractive option for most attackers. When vulnerabilities are discovered, they have the potential to impact a significant portion of the internet due to the widespread use of TLS encryption.

For example, in 2014, the Heartbleed vulnerability in the OpenSSL library led to an urgent race to patch major servers before attackers could exploit the flaw. Additionally, the discovery of a vulnerability in SSL v3.0 resulted in the industry swiftly disabling the protocol to prevent the POODLE attack, which exploited this vulnerability. However, TLS threats are often an indication of outdated applications or servers that may have other, easier-to-exploit vulnerabilities that attackers would typically target.

While TLS 1.0 and 1.1 will continue to be supported due to a small number of mission-critical applications reliant on these protocols, companies should acknowledge the security risks associated with outdated versions and prioritize migration to more secure TLS versions.

Conclusion: The Need for Enhanced Security and Migration

Microsoft’s decision to disable outdated versions of the TLS protocol reflects the industry’s ongoing efforts to improve internet security. Businesses and users are urged to migrate to TLS v1.2 or v1.3 to benefit from stronger encryption and enhanced security features.

However, this transition brings challenges such as the potential loss of network visibility due to increased encryption. The security community is actively working to address this issue and develop solutions that restore visibility and maintain robust threat detection capabilities.

While TLS vulnerabilities are relatively rare, organizations should be mindful of the need to keep their systems up to date and monitor for emerging threats. Automated management of keys and certificates is essential for maintaining a secure and efficient certificate infrastructure.

Ultimately, the industry’s push towards more secure TLS versions is a step in the right direction to ensure the protection of sensitive information transmitted over networks and the internet. Companies should embrace this transition, taking precautions to mitigate risks and prioritize the security of their systems.
