Google, Apple, Microsoft, and Mozilla announced
in 2018 that their browsers would no longer support TLS 1.0 and TLS 1.1
protocols from 2020. In early 2020, these companies started the process of
disabling support for TLS 1.0 and TLS 1.1 in their browsers in a bid to make
the internet more secure. The main reason: serious design weaknesses were
identified in the TLS 1.0 and TLS 1.1 protocols, and neither version can be
configured to avoid them.
In this article, we will explore what these
security risks are and what organizations can do to prevent them.
What Are the TLS 1.0 and TLS 1.1 Protocols?
Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) are the security protocols that have for decades provided the encryption
and authentication that make internet commerce possible. TLS is the successor to
SSL; its first version, TLS 1.0, was published in 1999. When a website or web
application is served over TLS, the browser shows https and usually a padlock in
the address bar. This tells the user that the connection is encrypted and that the
server's certificate was accepted; it says nothing about which TLS version was
negotiated, so a padlock alone is not evidence of a secure configuration.
Four versions of the TLS protocol are in use
currently: TLS 1.0, TLS 1.1, TLS 1.2 and the most recent, TLS 1.3 (2018). TLS 1.0 is
the oldest, introduced in 1999. TLS 1.1 followed in 2006 with only small fixes. Both
versions were found to have structural weaknesses that configuration cannot remove,
which is why TLS 1.2 was introduced in 2008 with negotiable hash algorithms and
AEAD cipher suites.
Why Are Browsers Disabling TLS 1.0 and TLS 1.1?
As discussed in the previous section, TLS 1.0
was the first TLS protocol to be released. It has been over 20 years since its
release, an eternity in the IT and IT security landscape. TLS 1.0 is outdated and
vulnerable. TLS 1.1, despite being an upgrade, made only minor improvements: it
changed how padding errors are handled and introduced explicit per-record
initialization vectors for CBC cipher suites (the fix for the chained-IV weakness
that BEAST later exploited in TLS 1.0). Everything else, including the hash
functions and cipher suites discussed below, stayed the same.
TLS 1.0 and TLS 1.1 hard-wire the cryptographic
hash functions MD5 and SHA-1 into the protocol: the pseudo-random function that
derives keys is built from both, and the handshake signatures and Finished messages
are computed over MD5 and SHA-1 digests of the handshake transcript. Both hash
functions are broken with respect to collision resistance. Because the integrity
of the negotiation and the authentication of the peer rest on these digests, and
because neither version lets the peers negotiate a stronger hash for the signatures
in the ServerKeyExchange and CertificateVerify messages, the only upgrade path is a
newer protocol version. This is the reasoning given in RFC 8996, which formally
deprecates both versions.
Both versions also predate authenticated-encryption (AEAD) cipher suites: every
suite they can negotiate uses a stream cipher such as RC4 or a CBC-mode block
cipher with MAC-then-encrypt, and each version mandates a 3DES-CBC suite. Stronger
hash functions cannot be selected for the record layer either, since the suite's
MAC is fixed to HMAC-MD5 or HMAC-SHA1. Keeping these suites enabled for
compatibility widens the attack surface and makes the server easier to
misconfigure.
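To make the hash dependency concrete, here is the TLS pseudo-random function (PRF) written out from RFC 2246 (TLS 1.0), RFC 4346 (TLS 1.1) and RFC 5246 (TLS 1.2). This is an added example, not code from the original article or from any TLS library; the sample secret and random values at the bottom are constructed, not captured from a real session.

```python
# Added example, not code from the original article: the TLS pseudo-random
# function (PRF) that turns the pre-master secret into the master secret and
# the session keys, written out from RFC 2246 (TLS 1.0), RFC 4346 (TLS 1.1)
# and RFC 5246 (TLS 1.2) so the MD5/SHA-1 dependency is visible.
import hashlib
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) from RFC 2246 section 5.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)); the output is the
    concatenation of HMAC_hash(secret, A(i) + seed) for i = 1, 2, ...
    until `length` bytes have been produced.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF of TLS 1.0 and TLS 1.1 (RFC 2246 / RFC 4346 section 5).

    The secret is split into two halves (overlapping by one byte if its
    length is odd). The first half feeds P_MD5, the second P_SHA1, and the
    two streams are XORed. MD5 and SHA-1 are fixed by the specification:
    no cipher suite or extension can substitute a stronger hash here.
    """
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """PRF of TLS 1.2 (RFC 5246 section 5): one P_hash over the whole secret.

    SHA-256 is the default; a cipher suite may name a stronger hash (SHA-384
    for the *_SHA384 suites), which is the upgrade path TLS 1.0/1.1 lack.
    """
    return p_hash(hash_name, secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes,
                  server_random: bytes, version: str) -> bytes:
    """48-byte master secret = PRF(pre_master, "master secret", randoms)."""
    prf = tls12_prf if version == "1.2" else tls10_prf
    return prf(pre_master, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed sample inputs (not real session values).
    pms = bytes(range(48))
    c_rand, s_rand = b"\x01" * 32, b"\x02" * 32
    for v in ("1.0", "1.2"):
        print(f"TLS {v} master secret: {master_secret(pms, c_rand, s_rand, v).hex()}")
```

The point to take from the block is structural: in tls10_prf the hash names are literals, so a server that negotiates TLS 1.0 or 1.1 is committed to MD5 and SHA-1 no matter which cipher suite it picks, whereas tls12_prf takes the hash as a parameter supplied by the negotiated suite.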
Given how old these protocols are, attackers
have found practical attacks on the constructions they depend on: BEAST (TLS 1.0's
chained CBC IVs), Lucky 13 (a timing side channel in CBC MAC-then-encrypt),
SWEET32 (64-bit block ciphers such as 3DES), CRIME (TLS compression) and, for
servers that still offered SSL 3.0 or skipped CBC padding checks, POODLE.
Heartbleed, often listed alongside these, was an OpenSSL implementation bug rather
than a protocol flaw, but it hit the same generation of servers. Several of these
attacks have been demonstrated against real sites; they let an attacker on the
network path recover secrets such as session cookies from HTTPS traffic. TLS 1.2
with AEAD suites (and no 3DES) and TLS 1.3 remove the underlying constructions.
Implications of Using the Deprecated TLS Protocols
TLS 1.2 and TLS 1.3 are both considered
superior, more secure protocols that support strong cryptography. Despite their
availability, a sizable proportion of websites and web applications continue to
support the outdated versions. Given that, removing client-side support in the
browsers is the most effective way to ensure users are no longer exposed.
PCI DSS was the first to require the change: it mandated migration off SSL and
early TLS (TLS 1.0) by 30 June 2018, ahead of the browser vendors. Websites that
handle cardholder data must disable TLS 1.0 to remain compliant. Fines for
non-compliance are set by the card brands and acquirers and are commonly cited as
up to USD 100,000 per month.
As a first
step in disabling TLS 1.0 and TLS 1.1, browsers showed a 'Not Secure' warning
in the address bar and a lock symbol indicating that the connection is not
secure. Continued use of the deprecated TLS protocols leads to full-page
warnings when users try to connect to such websites. The organization's
reputation takes a big hit, and user trust and confidence suffer.
Data suggests that over 850,000 HTTPS websites still rely on TLS 1.0 or
TLS 1.1. All of these websites (which include banks, financial institutions,
e-commerce companies, media, government agencies and so on) will be affected.
Measures that Organizations Must Take
In the wake of major browsers deprecating TLS
1.0 and TLS 1.1, organizations must:
- Enable TLS 1.2 and TLS 1.3.
- Scan every internet-facing endpoint (APIs, mail servers and load balancers
as well as the main website) to identify where the outdated protocols are
still accepted, and disable them there.
- Disable cipher suites and signature algorithms that depend on SHA-1 and MD5.
- Use SHA-2 and the recommended, secure cipher suites (AEAD suites such as
AES-GCM or ChaCha20-Poly1305).
- Thoroughly test the upgraded configuration to prevent misconfigurations and
to confirm that any legacy clients that still matter have been accounted for.
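The scan-then-disable steps above, as an added example that is not part of the original article and not Indusface's tooling: a small Python probe that asks a server for each TLS version in turn, a verdict function that applies the rules in the list, and a client-side context hardened to the recommended floor. The host and port are arguments you supply; the probe deliberately turns off certificate verification because it only asks which versions the server will negotiate, and it must never be reused for real traffic.

```python
# Added example, not code from the original article: probe which TLS
# versions a server negotiates, judge the result against the rules above,
# and build a client context that refuses anything below TLS 1.2.
import socket
import ssl

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLS 1.0", "TLS 1.1"}


def probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Context pinned to exactly one protocol version, for probing only.

    Verification is off because the question is "will the server speak this
    version?", not "is the certificate valid?". Raises ValueError/SSLError if
    the local OpenSSL cannot offer the version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3.x refuses TLS 1.0/1.1 at its default security level;
        # lower it so the probe can still offer them.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def scan(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {version name: accepted | refused | unreachable | untestable}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = probe_context(version)
        except (ValueError, ssl.SSLError):
            results[name] = "untestable"   # local TLS stack cannot offer it
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = "accepted"   # handshake completed
        except (ssl.SSLError, ConnectionResetError):
            results[name] = "refused"            # alert or hang-up during handshake
        except OSError:
            results[name] = "unreachable"        # DNS, connect or timeout failure
    return results


def verdict(results: dict) -> tuple:
    """Pass only if no deprecated version was accepted and a modern one was.

    Requiring a modern version keeps an unreachable or fully broken host
    from passing by default. Returns (ok, sorted deprecated versions accepted).
    """
    offered_old = sorted(v for v in DEPRECATED if results.get(v) == "accepted")
    has_modern = any(results.get(v) == "accepted" for v in ("TLS 1.2", "TLS 1.3"))
    return (not offered_old and has_modern), offered_old


def hardened_client_context() -> ssl.SSLContext:
    """What an application should actually use: verification on, floor at 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    res = scan(target)
    ok, old = verdict(res)
    for name, state in res.items():
        print(f"{name}: {state}")
    print("PASS" if ok else f"FAIL: deprecated versions accepted: {old or 'none, but no modern version either'}")
```

Run it as `python3 tls_probe.py your.host.example` (the file name is whatever you save it as). On the server side the corresponding fix is a one-line directive, for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx or `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache httpd; rerun the probe after the change and after every certificate or load-balancer rollout, because those are the points where a legacy default tends to creep back in.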
The Way Forward
Upgrading the TLS protocol is time-consuming
and arduous. Several applications, software and components still use older
protocols. This makes it challenging for websites to replace these outdated
parts without causing service disruptions. However, disabling TLS 1.0 and TLS
1.1 is critical from a data security, cost, and business continuity
perspective.
Enhance your TLS protocol with Entrust from Indusface to enable more modern and secure cryptography
solutions supported across modern browsers.