Microsoft is taking steps to disable older versions of the Transport Layer Security (TLS) protocol in an effort to enhance the security of communications encryption used in networks and the internet. While businesses and users will have the ability to re-enable the protocols for backward compatibility, Microsoft strongly recommends migrating systems to either TLS v1.2 or 1.3, according to its latest guidance.
Beginning this month, Microsoft will disable TLS v1.0 and v1.1 by default in the Windows 11 Insider Preview, which will be followed by a broader deactivation on future Windows versions.
TLS and its predecessor, Secure Sockets Layer (SSL), are the standard methods for protecting data in transit on the internet. However, vulnerabilities in SSL and earlier versions of TLS have prompted companies and organizations to advocate for the adoption of more secure TLS versions. The move toward shorter lifetimes for TLS certificates will also encourage companies to automate their certificate infrastructure, leading to improved security agility.
Google’s Chromium Project has proposed reducing the maximum lifespan of TLS certificates to 90 days, a significant reduction from the current maximum of 398 days. These changes are aimed at promoting automation, adopting best practices, and driving the transition to quantum-resistant algorithms.
To successfully make the transition to TLS 1.3, companies are advised to inventory their TLS endpoints, certificates, and other technical components. Automating the management of keys and certificates is crucial due to the shorter certificate lifetimes. Automated solutions can continuously scan hybrid multi-cloud environments to provide visibility into cryptographic assets and maintain an updated inventory to identify expired and weak certificates. Full certificate lifecycle management automation enables certificates to be reprovisioned, auto-renewed, and revoked.
TLS 1.3 adoption is already underway, with more than one out of every five servers (21%) currently using the newer technology. TLS 1.3 offers several advantages, including improved performance with zero round-trip time key exchanges and stronger security compared to TLS 1.2. Many organizations currently use TLS 1.2 internally and TLS 1.3 externally.
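The inventory and version-enforcement steps described above can be scripted with nothing more than Python's standard library. The block below is an added example written for this article, not code from Microsoft or from the article's author: it builds a client context with a TLS 1.2 floor (so a legacy-only endpoint simply fails the handshake, which is itself a finding), and classifies observed endpoints by negotiated protocol version and certificate expiry. The host names, the fixed "now" timestamp and the certificate dictionaries are constructed sample data in the shape `ssl.SSLSocket.getpeercert()` returns; only `probe_endpoint()` touches the network.

```python
"""Added example (not from the article or Microsoft): a small TLS inventory
helper on top of Python's standard ssl module."""
import socket
import ssl
from datetime import datetime, timezone

# Versions the article treats as legacy versus the recommended targets.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0):
    """Live probe (needs network): returns (negotiated version, peer cert dict).

    A server that only speaks TLS 1.0/1.1 fails the handshake here, which is
    the finding you want: it cannot talk to a TLS 1.2+ client."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


def classify_protocol(version: str) -> str:
    """'modern' for TLS 1.2/1.3, 'legacy' for SSL/TLS 1.0/1.1, else 'unknown'."""
    if version in MODERN_PROTOCOLS:
        return "modern"
    if version in LEGACY_PROTOCOLS:
        return "legacy"
    return "unknown"


def classify_certificate(cert: dict, now: datetime, warn_days: int = 30) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok', from the dict shape
    getpeercert() returns; notAfter is an ASN.1 GMT string such as
    'Jan  5 09:34:43 2018 GMT', which ssl.cert_time_to_seconds() parses."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    remaining = (not_after - now).days
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


def common_name(cert: dict) -> str:
    """Subject CN from the nested tuple layout used by getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "?"


def build_inventory(observations, now: datetime):
    """observations: iterable of (host, negotiated_version, peer_cert_dict),
    e.g. collected with probe_endpoint().  Returns one row per endpoint with a
    needs_action flag set for legacy protocols or expired/expiring certs."""
    rows = []
    for host, version, cert in observations:
        proto = classify_protocol(version)
        cert_status = classify_certificate(cert, now)
        rows.append({
            "host": host,
            "subject": common_name(cert),
            "protocol": version,
            "protocol_status": proto,
            "cert_status": cert_status,
            "needs_action": proto != "modern" or cert_status != "ok",
        })
    return rows


# Constructed sample observations standing in for real probe results.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_OBSERVATIONS = [
    ("legacy.example.test", "TLSv1",
     {"subject": ((("commonName", "legacy.example.test"),),),
      "notAfter": "Jan  1 00:00:00 2024 GMT"}),
    ("soon.example.test", "TLSv1.2",
     {"subject": ((("commonName", "soon.example.test"),),),
      "notAfter": "Jun 15 00:00:00 2024 GMT"}),
    ("good.example.test", "TLSv1.3",
     {"subject": ((("commonName", "good.example.test"),),),
      "notAfter": "Jun  1 00:00:00 2026 GMT"}),
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_OBSERVATIONS, SAMPLE_NOW):
        print(row)
```

Run against real hosts, `probe_endpoint()` feeds `build_inventory()` directly; the `needs_action` flag is what a renewal or migration ticket would key on. The 30-day warning window is a placeholder: with the 90-day certificate lifetimes discussed above, the renewal threshold would be set well inside that window so automation has time to retry.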
However, the move to ubiquitous encryption also presents challenges. As TLS 1.3 and DNS-over-HTTPS become widely adopted, much of the network traffic that security monitoring tools currently inspect will become opaque to them, reducing their ability to detect threats. Solutions are being developed to restore visibility to the network, but that will require active collaboration between security practitioners and vendors.
While TLS vulnerabilities are not commonly targeted by attackers due to the complexity involved, when a vulnerability is discovered, the implications can be widespread. The pervasiveness of TLS encryption infrastructure makes it a valuable target for attackers. Examples of significant vulnerabilities include the Heartbleed vulnerability discovered in the OpenSSL library in 2014, which required urgent patching to prevent data theft, and the POODLE attack, which led to the rapid disabling of SSLv3.
It’s important to note that TLS 1.0 and 1.1 continue to be supported to accommodate a small number of mission-critical applications that cannot be easily patched. Custom applications developed decades ago for specific devices often fall into this category, and their reliance on outdated protocols poses security challenges.
In conclusion, Microsoft’s move to disable older TLS versions highlights the industry’s ongoing commitment to enhancing the security of communication encryption. While there may be challenges associated with the transition, the adoption of more secure TLS versions and shorter certificate lifetimes is crucial for maintaining the integrity and confidentiality of data transmitted over networks and the internet. Companies should prioritize migrating to TLS v1.2 or 1.3, automating their certificate infrastructure, and collaborating to develop solutions that restore visibility to network traffic in the encrypted future.