Why is TLS 1.0 being deactivated?
30 Oct 2017At Memset, maintaining a really strong SSH (Secure Shell) and TLS (Transport Layer Security) configuration and cipher set is something that we pride ourselves on.
Many an Ops individual has lost an evening to chasing that ever-elusive SSL Labs A+. Whilst we always maintain a 'secure enough' configuration, reaching security perfection is what we at Memset strive for. In order to achieve this, we are required to turn off certain features that may impact on a small proportion of our users, particularly those with older systems. Until recently, one of those thorny issues for internal debate was support for TLS1.0.
TLS1.0 is the original version of the Transport Layer Security protocol, originally based on SSLv3 and is the protocol that secures HTTPS. In April 2016 the PCI (Payment Card Industry) council released version 3.1 of their Data Security Standard (DSS), a key point of which was that TLS1.0 could no longer be used after 30th June 2018. This was in response to attacks such as POODLE in December 2014, where vulnerabilities in TLS were exploited.
The PCI-SSC council sets the requirements for the PCI-DSS compliance required to process credit card transactions.
A canned history of TLS
TLS stands for Transport Layer Security and is the protocol that's behind HTTPS and the padlock in your browser when visiting certain websites. TLS protects your data when being sent over the internet from interception by encrypting the contents of messages and by ensuring that the server you're connecting to is the right one, meaning you can more safely enter a password to log into an account, buy something online or access your bank.
TLS was developed in the 1990s by the folks at IETF (Internet Engineering Task Force) to replace the older SSL, or Secure Sockets Layer, which provided the same kind of protection but has been found to have a number of critical security vulnerabilities in recent years. These include issues that made it into the general press such as the famous 'Heartbleed'. TLS is markedly stronger and more modern than SSL, but as with any application, new vulnerabilities are found over time and new versions released.
TLS 1.0 has been found to suffer a number of vulnerabilities, the BEAST exploit is an example of, a number that attackers have taken advantage of to date.
The TLS 1.1. and 1.2 implementations used by Memset are considered to be 'strong' by the security industry at large and so are reliable for now.
Memset switches off TLS 1.0
With security a key focus at Memset, we have taken the decision to deprecate support for TLS 1.0 from all encrypted endpoints as of Wednesday 15th November. This follows in the footsteps of pioneers such as Salesforce and Trend Micro and ensures that our customers are receiving the most secure service possible from our infrastructure. Following this date should you get a message such as "This page can't be displayed" or similar, then you should confirm that your browser, operating system or application attempting a HTTPS connection to Memset infrastructure and websites supports TLS 1.1 or 1.2.
What happens next?
What is Memset changing?
Memset is removing support for TLS 1.0 on all Memset infrastructure, including webservers, customer control panels, API endpoints and MemShell servers.
How will it impact me?
Any attempts to connect to Memset websites, control panels, APIs or MemShell using any version of TLS lower than 1.1 will fail. TLS 1.1 and 1.2 are still supported, so if you are using either of these you will not be impacted.
What do I need to do?
Customers need to update any browsers or infrastructure that they require to communicate with Memset websites, control panels, APIs or MemShell to versions supporting TLS1.1 or 1.2. Your IT support will be able to assist with this.