6

In light of recent developments on SSL issues such as BEAST and POODLE, I decided to configure my browser to only allow TLS1.1 and higher. The trouble is, that I am finding a lot of websites which do not work correctly (some websites serve all JS and CSS resources as HTTPS always) or at all. A bit of digging usually reveals that there is no cipher overlap, or no protocol overlap. In a lot of cases, I found websites are only accepting maximum protocol version of TLS1.0.

My question is, is there some good reason from a security perspective to allow only TLS 1.0, or is it simply pure "laziness", and there is no good reason not to allow TLS1.1 and TLS1.2 in addition to TLS1.0?

user1207217
  • 173
  • 1
  • 1
  • 6

4 Answers4

8

is there some good reason from a security perspective to allow only TLS 1.0, or is it simply pure "laziness"

It is in most cases just the TLS stack used. One of the most common stacks in web servers on UNIX/Linux is OpenSSL and the still widely used (and supported) versions 0.9.8 and 1.0.0 can do only TLS 1.0 and lower. TLS 1.1 and TLS 1.2 were only added with version 1.0.1 (04/2012). On the Windows side SecureChannel supports TLS 1.1 and TLS 1.2 since Windows 7 and Windows Server 2008 R2 (end of 2009).

And while changing the TLS stack might be doable for some sites it involves is most cases either the upgrade of the operating system or at least to run some parts of the system in a configuration not supported by the vendor.

and there is no good reason not to allow TLS1.1 and TLS1.2 in addition to TLS1.0?

If the server has support for TLS 1.2 there is no real reason to set the server up for only TLS 1.0. In fact, TLS 1.2 not only gives better security but also new cipher suites which can lessen the load on the server.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • You say that TLS 1.1 and 1.2 were "only" added in OpenSSL three years ago, but that is a really long time. And thats considering that OpenSSL is late to the party in that time to implement them as well... – user1207217 Apr 10 '15 at 00:02
  • First, 1.0.1 had to mature a bit. And first users were burned by the Heartbleed attack. Then even three years is not a long time in terms of updates to IT infrastructure. This excludes RHEL5 (Redhat) which is heavily used and still supported for years. And with larger installations you do not simple upgrade a part because there are lots of unexpected things which might break or need to be reconfigured. Combine this with a shortage of qualified IT personal and you can see why you even still finds lot of Windows XP installations and companies rather pay for extended support. – Steffen Ullrich Apr 10 '15 at 03:13
  • For Java, also of some importance server-side, **Java7 in mid-2011** added 1.1 and 1.2. And also an ECC provider, enabling ECDHE (and other ECDH). – dave_thompson_085 Nov 21 '15 at 04:53
6

No, there is absolutely no security related reason to continue to support TLS 1.0, but there are several other business concerns which can twist the arm of a system engineer into allowing it. For larger sites, they may be trying not to leave people with older browsers out in the cold. For some situations, the person publishing the website needs to assume you are using I.E 6 with no updates.

It sounds ridiculous, and it is, but it's a fact of life.

That said, if the server doesn't support anything above TLS 1.0, that's a problem no matter how you slice it. You should e-mail them about it. Or, if it's not fixed, stop using the site.

Sometimes it only takes one angry e-mail to set things right.

Edit: I shall emphasize that supporting a legacy operating system or software stack is no excuse for exposing your users to encryption with major known faults.

MrSynAckSter
  • 2,020
  • 10
  • 16
  • It is not a problem for a server to support both TLS 1.0 for older browsers and TLS 1.2 for newer browsers. The client sends the protocol version it can do and the server then uses the best it can offer to match the clients protocol version. Actually the majority of the servers is setup this way and thus can handle different protocol versions from the clients. – Steffen Ullrich Apr 07 '15 at 21:32
  • Enabling lower versions of TLS leaves you open to downgrade attacks. It would be *objectively* better to stop offering TLS 1.0, even for older browsers. There is no sound excuse to be using an ancient browser in this age. – MrSynAckSter Apr 07 '15 at 22:13
  • And I shall add, that if you are justifying keeping TLS 1.0 around by saying you are avoiding an Operating System, or software update, you are practically mortgaging your user's security for your own comfort. – MrSynAckSter Apr 07 '15 at 22:17
  • Newer browsers provide protection against downgrade attacks by sending the TLS_FALLBACK_SCSV pseudo cipher. And as far as I know there is currently no known real-world exploit which can be used by downgrading to TLS 1.0. – Steffen Ullrich Apr 07 '15 at 22:18
  • That doesn't mean that there wont be in the future. Software is not meant to live forever. Retire the bad ciphers. – MrSynAckSter Apr 07 '15 at 22:18
  • In a perfect world it would be easy to upgrade to a new major software version without any side effects. Unfortunately in reality there are lots of costs associated with upgrading the TLS stack because there need to be time, resources, lots of testing and maybe there is some legacy software making problems. Apart from that there are usually a lot more and far worse security problems to fix, like all these XSS, SQL injections... which cause real problems now and not potential problems later. So one has to decide which is more important to the security of the user. – Steffen Ullrich Apr 07 '15 at 22:23
  • "Retire the bad ciphers." - protocol versions are not ciphers. You can and should retire ciphers like RC4 now but you can still keep the protocol version. And you don't even have to upgrade the TLS stack for this. – Steffen Ullrich Apr 07 '15 at 22:27
  • Retire the bad protocols then. You aren't really challenging the main thrust of my point. TLS 1.0 has to go. If keeping it helps your bottom line, fine, but that's an economic decision - not a security decision. – MrSynAckSter Apr 07 '15 at 22:30
  • I agree that one should get rid of outdated protocols as soon as possible and preferable before real security issues are known. Unfortunately currently there are still enough clients out there which can do only TLS 1.0, like some older browsers on Android or Windows XP and lots of smaller scripts etc. – Steffen Ullrich Apr 07 '15 at 22:35
  • Again, that's not a security decision. It's an economic decision. It would make the Windows XP folk more *secure* to give them no service at all, rather than faulty service. This is an unsupported OS at this point. Also: Let's agree to disagree, as these types of arguments are generally discouraged in comments. – MrSynAckSter Apr 07 '15 at 22:38
  • 3
    +1 for angry e-mail. This is my current strategy, although my banking site did not take me seriously, and decided to claim that it was implementing "maximum commercially available security", which is obviously laughable. Is there some way to encourage more users to have >=TLS1.1 set in their browser to help find and shame these websites? I cannot do it alone... – user1207217 Apr 10 '15 at 00:05
  • 1
    I suggest sending them their grade from SSLLab's Server Test https://www.ssllabs.com/ssltest/index.html to entice them to up their security. – reukiodo May 19 '15 at 01:12
  • If you're suggesting that you can disable TLS 1.0 on your webserver and below and only affect IE6, you'd be drastically mistaken. Only IE11 and above have TLS 1.1 enabled by default. As a security professional, you should be balancing security with usability rather than always simply pushing security. Browser TLS/SSL support matrix: https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers – Steve Sether Nov 20 '15 at 22:03
  • @Steve for IE Windows version matters more than IE version (although newer Windows often requires or "encourages" newer IE); I can confirm IE9 on WinSeven and Server2008R2 did TLS1.1 and 1.2, as Steffen's answer indicates. (Possibly only with an SP, don't recall that exactly.) – dave_thompson_085 Nov 21 '15 at 04:54
  • @dave_thompson_085 If that's true then the browser security matrix I linked to isn't accurate (it includes OS as part of the matrix). That's possible, but without further evidence I'd still trust wikipedia. – Steve Sether Nov 21 '15 at 15:22
3

There is no security benefit in disabling TLS1.1 and 1.2 in favor of 1. And there is actually no compatibility benefit either*.

The reasons why some sites only support TLS1 is, that the software and/or configuration is simply too old.

Just stating the obvious, disabling all protocol versions older than TLSv1.2 is a security benefit as all of them have known weaknesses compared to 1.2.

* On server side. It is unfortunately a bit different for clients which have to talk to very old and broken servers. They might not want to offer TLS1.1 or TLS1.2 for compatibility reasons. Or actually if they offer it, they might want to retry without.

eckes
  • 962
  • 8
  • 19
  • There is BTW a performance benefit for some clients like Java, if TLS1.2 is enabled it will offer AES-GCM and some server pick that. This is dog slow compared to AES-CBC. This was only recently improved in Java 9, but still not up to the speed of CBC (and we are talking here way below 10mbits line speed) – eckes Sep 02 '16 at 21:42
1

An update for all those who might discover this question. It's now 2017, and TLS1.0 is deprecated and should not be used.

Indeed, if you have any form of credit card interactions on your site (even if the credit card data is posted directly to the payment gateway site, and does not touch your server) then, in order to comply with PCI/DSS rules, TLS1.0 has to be disabled on the server, effectively cutting off older browsers.

And by 'older browsers' we are talking anything up to IE10 on Windows 7!

Edit: As pointed out below, TLS1.0 is still officially allowed on existing sites until the end of June 2018. However, this does not seem to filtered down to all the testing services, so you may find even existing sites are required to stop supporting TLS1.0 sooner than expected.

cyberspy
  • 111
  • 2
  • 2
    TLS 1.0 is deprecating and should not be used for new projects, but PCI/DSS still allows it until June 2018 (see [this question](https://security.stackexchange.com/q/87071/32746)). – WhiteWinterWolf Jul 24 '17 at 12:00
  • @WhiteWinterWolf - Interesting. The ASV we use (Lloyds Bank Card Net) failed us recently for still supporting TLS1.0, for an existing web site. I've already removed TLS1.0, so I won't be going back to them to argue about keeping it. For clients that don't support TLS1.2, which we estimate to be around 1% of our visitors, I've written same JavaScript that does a jquery Ajax call to a secure page on the site, and uses the 'onerror' callback, to display a banner recommending they upgrade. Of course, if they land on a HTTPS page, they just get the in browser error. – cyberspy Jul 31 '17 at 08:27