Why we disable TLS 1.0 & 1.1

Let’s start with a simple explanation of what TLS is for anyone who doesn’t know…

In the beginning (well, in 1995) there was SSL, a cryptographic protocol for encrypting information over an internet connection. SSL evolved over time and in 1999 the name of the version was changed to TLS. You will hear a lot of people still referring to SSL, but unless they are talking about a protocol that has been deprecated for over a decade, they actually mean TLS.

The most common use of TLS is as HTTPS, an implementation of the encryption on top of the HTTP protocol that serves web pages, and the thing that gives you the little padlock in the address bar above.

Like everything in tech, new versions of the protocol arrive and older ones are deprecated. With TLS this doesn’t move fast, but it does move. Since this is a security protocol, encrypting information that you send over the net like payment information and personal details, it seems like a good idea to stay up to date with the latest, most secure versions.

We disable old TLS (and ancient SSL) versions by default on our servers, and if you are on a shared hosting plan there is no way to re-enable them. If you are on your own managed VPS and have a valid reason why you need to support them then we might do it, but there aren’t many valid reasons. These are very simply old and now unsafe protocols.
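If you run your own server and want to confirm that the policy above actually holds, the check is the same one an external scanner performs: attempt one handshake per protocol version and see which ones the server is willing to complete. The script below is an added example written for this post, not a tool from the original article or from the hosting provider; the host name is an assumption, and it only reports whether TLS 1.0 and 1.1 are still accepted, nothing more.

```python
"""Probe which TLS protocol versions a server accepts.

Added example, not code from the original post. Host name is an assumption;
point it at a server you operate.
"""
import socket
import ssl
from typing import Dict, List, Optional

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
# The versions the post says should be off; anything in here that still
# completes a handshake is a policy failure.
DEPRECATED = {"TLS 1.0", "TLS 1.1"}


def build_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that will negotiate exactly one protocol version.

    Certificate verification is switched off on purpose: the question is
    whether the server speaks this version at all, not whether its
    certificate is valid for the name we connected to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; lower
    # it for those probes so a refusal is the server's answer, not the local
    # library's.
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def server_accepts(host: str, version: ssl.TLSVersion,
                   port: int = 443, timeout: float = 5.0) -> Optional[bool]:
    """True if a handshake pinned to `version` completes, False if the server
    refuses it, None if the local OpenSSL build cannot speak that version at
    all (so the result is unknown rather than a refusal)."""
    try:
        ctx = build_context(version)
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """One handshake attempt per version, in the order of VERSIONS."""
    return {name: server_accepts(host, ver, port) for name, ver in VERSIONS.items()}


def verdict(results: Dict[str, Optional[bool]]) -> List[str]:
    """Deprecated versions the server still accepts; empty means policy met."""
    return sorted(name for name in DEPRECATED if results.get(name) is True)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    results = probe(host)
    for name, ok in results.items():
        state = "untestable locally" if ok is None else ("accepted" if ok else "refused")
        print(f"{name}: {state}")
    bad = verdict(results)
    print("FAIL: still accepts " + ", ".join(bad) if bad else "OK: TLS 1.0/1.1 disabled")
```

Run it as `python probe_tls.py your.host.example`. A server that meets the policy in this post reports TLS 1.0 and 1.1 as refused and at least TLS 1.2 as accepted. If your local OpenSSL has TLS 1.0/1.1 compiled out entirely the script says so rather than reporting a false "refused", because in that case it has learned nothing about the server.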

It’s strange then that if you use a tool like internet.nl to check whether a site is using modern internet protocols, you will find that both Google and Facebook are still supporting TLS 1.0 and 1.1.

Why?

Well, it could be argued that it’s to allow more universal access: that some people don’t have the newest computer or phone with the latest browser installed.

That argument doesn’t really stand up though. TLS 1.2 has been supported for a long time now, since 2012 in Android, and since 2013 in Chrome and Firefox.

I’m sure that there are plenty of people all over the world who are using a computer that is more than eight years old, and if it does what you need then why wouldn’t you? But you don’t need the latest hardware to update your web browser, and browsers will all either auto-update or bug the hell out of you with messages telling you to do it yourself in a much shorter time frame than that.

Anybody who does update their browser regularly won’t be able to use older TLS versions soon even if they wanted to. Mozilla, Google, Microsoft and Apple had all vowed to remove support for the old protocols from their browsers in the first half of 2020, but for some reason it hasn’t happened yet. Mozilla actually did deprecate them in a March release of Firefox but then re-enabled them in the next release; the reason they cited for this was:

We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.

Yes, it seems that the US government is way behind the times when it comes to updating their online security protocols and has many sites that don’t support newer TLS versions, which is pretty poor really.

It’s no excuse for anyone else to be so behind though, leaving their sites open to all kinds of vulnerabilities, and we don’t allow that on our servers.

Even within TLS, there are a number of different ciphers that can be used, and some of these are also no longer secure in TLS 1.2. We’ll explain more about our cipher selection and policy in the next post.
