
We recently went through a third party review of our systems where the consultants have reported a finding that we have TLSv1.0 enabled. In the report they are referring to this NIST document which recommends (Page 28):

If the server supports government-only applications, it shall not be configured to support TLS version 1.0. If the server supports citizen or business facing applications, it may be configured to support TLS version 1.0.

We are not the government, but for the sake of security I decided to run the online SSL Analyzer and check if there are any issues. It did not show any red flags. My question is: do we really need to disable TLS 1.0 altogether?

We are dealing with the admin portal of a web application which does not contain any kind of payment features, so PCI-DSS is not a requirement for us.

Shurmajee
  • See also [What are the risks of using TLS 1.0 for web applications?](https://security.stackexchange.com/questions/106305/what-are-the-risks-of-using-tls-1-0-for-web-applications) – Sjoerd Feb 06 '18 at 20:28

1 Answer


Before you disable this, get an audit of the browsers connecting to your site. You need to cross-reference this with TLS 1.0 support. This will give you an idea of which part of your customer base requires this, since if they can't support anything over TLS 1.0 you will be cutting them off.

As for whether you need to cut it off: what does your app do? What regulations does your industry follow?

McMatty
  • Thanks for the idea of looking at browsers being used by our clients. We do not come under PCI-DSS or HIPAA. The app is built for the Education sector. – Shurmajee Feb 06 '18 at 19:04
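The audit the answer recommends can be done from the web server's own access logs if the negotiated TLS version is logged alongside the user agent. The script below is an added example, not code from the original post or its author; it assumes an nginx `log_format` that appends `$ssl_protocol $ssl_cipher` after `$http_user_agent` (Apache's `%{SSL_PROTOCOL}x %{SSL_CIPHER}x` gives the same layout), and the log lines in it are constructed samples, not real traffic. It reports how many connections and distinct client addresses used each protocol version, the share on TLS 1.0, and the user agents behind those connections, which is the list to cross-reference against browser TLS 1.1+ support before switching TLS 1.0 off.

```python
import re
from collections import Counter

# Assumed nginx log format (not from the original post):
#   log_format tls '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" $ssl_protocol $ssl_cipher';
# nginx and Apache both write TLS 1.0 as "TLSv1" and later versions as
# "TLSv1.1", "TLSv1.2", "TLSv1.3"; nginx writes "-" for an empty variable,
# so plain-HTTP requests on the same vhost show up with proto "-".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" (?P<proto>\S+) (?P<cipher>\S+)$'
)

# Constructed sample log lines (not real traffic): three TLS 1.2 hits from two
# addresses, one TLS 1.1 hit, two TLS 1.0 hits from legacy clients, one plain
# HTTP health check, and one truncated line that must be skipped.
SAMPLE_LOG = """\
10.0.0.1 - - [06/Feb/2018:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.2 - - [06/Feb/2018:10:00:05 +0000] "GET /admin/login HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" TLSv1 AES128-SHA
10.0.0.1 - - [06/Feb/2018:10:00:09 +0000] "GET /admin/users HTTP/1.1" 304 - "https://example.test/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.3 - - [06/Feb/2018:10:00:12 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
10.0.0.4 - - [06/Feb/2018:10:00:20 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 4.3; en-us; GT-I9300 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" TLSv1 AES256-SHA
10.0.0.5 - - [06/Feb/2018:10:00:31 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" TLSv1.1 ECDHE-RSA-AES128-SHA
10.0.0.6 - - [06/Feb/2018:10:00:40 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.58.0" - -
10.0.0.7 - - [06/Feb/2018:10:01:00 +0000] "GET /admin/ HTTP/1.1" 200
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_tls_versions(log_text, legacy=("TLSv1",)):
    """Summarise negotiated TLS versions over every parsable HTTPS line.

    Returns connection counts and distinct client IPs per protocol, the share of
    HTTPS connections that used a version in `legacy`, and the user agents seen
    on those legacy connections. Lines that do not parse, and plain-HTTP lines
    (proto "-"), are counted under "skipped" instead of being silently dropped.
    """
    connections = Counter()
    clients_by_proto = {}
    legacy_agents = Counter()
    total = skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] == "-":
            skipped += 1
            continue
        total += 1
        proto = rec["proto"]
        connections[proto] += 1
        clients_by_proto.setdefault(proto, set()).add(rec["ip"])
        if proto in legacy:
            legacy_agents[rec["ua"]] += 1
    legacy_count = sum(connections[p] for p in legacy)
    return {
        "total": total,
        "skipped": skipped,
        "connections": dict(connections),
        "distinct_clients": {p: len(ips) for p, ips in clients_by_proto.items()},
        "legacy_share": (legacy_count / total) if total else 0.0,
        "legacy_user_agents": dict(legacy_agents),
    }


if __name__ == "__main__":
    report = audit_tls_versions(SAMPLE_LOG)
    print(f"HTTPS connections: {report['total']} (skipped {report['skipped']})")
    for proto, n in sorted(report["connections"].items()):
        print(f"  {proto:<8} {n:>4} connections, {report['distinct_clients'][proto]} distinct clients")
    print(f"TLS 1.0 share: {report['legacy_share']:.1%}")
    for ua, n in report["legacy_user_agents"].items():
        print(f"  TLS 1.0 client x{n}: {ua}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the legacy share over a representative window (weeks rather than hours, since the legacy clients are the ones that visit least) is the number to weigh against the NIST recommendation, and the user-agent list shows which of those clients are genuinely incapable of TLS 1.1 or later rather than merely configured that way.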