Is TLS 1.0 more secure than TLS 1.2?

Question

I just wanted to confirm, my system admin is telling me that TLS 1.0 is more secure than TLS 1.2 and told me I should stay on TLS 1.0...is this accurate?

He mentioned that TLS 1.2 is more vulnerable and that TLS 1.0 is more secure. And that the Heartbleed bug is most vulnerable from TLS 1.1. and TLS 1.2 and NOT from TLS 1.0.

Thank you!

Answer 1

Your admin got it real wrong (or there was some translation mishap).

TLS 1.1 and 1.2 fix some issues in TLS 1.0 (namely, predictability of IV for CBC encryption of records). It is possible to work around this issue in TLS 1.0, but it depends on how hard the implementations work at it. So, in that sense, TLS 1.1 and 1.2 are more secure than TLS 1.0, since they are easier to implement securely.

The so-called "heartbleed" is not a protocol flaw; it is an implementation bug that is present in some OpenSSL versions (OpenSSL is a widespread implementation of SSL/TLS, but certainly not the only one). When an OpenSSL version has that bug, it has it for all protocol versions, including TLS 1.0. Thus, when heartbleed applies, it equally applies to TLS 1.0, TLS 1.1 and TLS 1.2. When it does not apply, well, it does not apply.

The source of the confusion is that your admin (or his sources) does not appear to understand or conceptualize the difference between protocols and implementations. TLS 1.0 and TLS 1.2 are protocols described in relevant standards (RFC 2246 and RFC 5246, respectively). A protocol says what bytes must be sent when. An implementation is a piece of software that runs the protocol. OpenSSL is an implementation. It so happens that the "heartbleed" bug occurs in the implementation of a relatively new protocol feature (the "heartbeat extension") that very old OpenSSL implementations don't know about. Thus, very old implementations of OpenSSL don't suffer from heartbleed (though they have other serious issues, being very old). The same very old implementations don't know about TLS 1.1 and TLS 1.2 at all. Thus, in the mind of your admin, the two independent facts coalesced into a single (but flawed) mantra, that wrongly says that heartbleed is a security issue of TLS 1.1 and 1.2.

Answer 2

TLS 1.0

TLS 1.0 was an upgrade from SSL 3.0 and the differences were not dramatic, but they are significant enough that SSL 3.0 and TLS 1.0 don't interoperate.

Some of the major differences between SSL 3.0 and TLS 1.0 are:

• Key derivation functions are different
• MACs are different - SSL 3.0 uses a modification of an early HMAC while TLS 1.0 uses HMAC.
• The Finished messages are different
• TLS has more alerts
• TLS requires DSS/DH support

TLS 1.1

TLS 1.1 is an update to TLS 1.0.

The major changes are:

• The Implicit Initialization Vector (IV) is replaced with an explicit IV to protect against Cipher block chaining (CBC) attacks.
• Handling of padded errors is changed to use the bad_record_mac alert rather than the decryption_failed alert to protect against CBC attacks.
• IANA registries are defined for protocol parameters
• Premature closes no longer cause a session to be non-resumable.

TLS 1.2

TLS 1.2 is based on TLS 1.1, it contains improved flexibility.

The major differences include:

• The MD5/SHA-1 combination in the pseudorandom function (PRF) was replaced with cipher-suite-specified PRFs.
• The MD5/SHA-1 combination in the digitally-signed element was replaced with a single hash. Signed elements include a field explicitly specifying the hash algorithm used.
• There was substantial cleanup to the client's and server's ability to specify which hash and signature algorithms they will accept.
• Addition of support for authenticated encryption with additional data modes.
• TLS Extensions definition and AES Cipher Suites were merged in.
• Tighter checking of EncryptedPreMasterSecret version numbers.
• Many of the requirements were tightened
• Verify_data length depends on the cipher suite
• Description of Bleichenbacher/Dlima attack defenses cleaned up.

This answer is based on the following sources:

• stack exchange discussions
• Comparison between TLS versions
• NIST recommendation from Jan 2015 to use TLS 1.2

Answer 3

Whoever told you this probably doesn't quite get what Heartbleed is about: it's an implementation-specific vulnerability (in some versions of OpenSSL), it's not really related to the version of SSL/TLS.

From http://heartbleed.com/:

The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems. A major contributing factor has been that TLS versions 1.1 and 1.2 came available with the first vulnerable OpenSSL version (1.0.1) and security community has been pushing the TLS 1.2 due to earlier attacks against TLS (such as the BEAST).

This doesn't say in any way that TLS 1.1 and 1.2 are more vulnerable than 1.0. It just means that, older versions of OpenSSL didn't have that bug, but they didn't support TLS 1.1 and 1.2 either. When upgrading to newer versions of OpenSSL in order to get support for newer versions of TLS (because of issues with older versions of TLS), other changes had been made to the OpenSSL code base, including the introduction of that bug. This has more to do with the OpenSSL development timeline than the TLS versions.

OpenSSL has since been fixed for this particular issue (so using a version that is not vulnerable is obviously recommended).

In general newer versions of TLS have security improvements, in particular TLS 1.2 has support for cipher suites that are generally considered more secure.

Answer 4

And that the Heartbleed bug is most vulnerable from TLS 1.1. and TLS 1.2 and NOT from TLS 1.0.

It might be that your admin mixed up some facts: It is true, that Heartbleed is in a way connected to TLS 1.1 and TLS 1.2. But the connection is only, that the OpenSSL release 1.0.1 not only added support for TLS 1.1 and TLS 1.2 but also introduced support for the Heartbeat extension. The Heartbleed bug was caused by implementation errors in the handling of this extension. And thus only the newer servers supporting TLS 1.1 and TLS 1.2 where affected by the problem.

The Heartbleed bug is now fixed, but the support for TLS 1.1 and TLS 1.2 and also the Heartbeat extension is still there. Also, other TLS stacks have support for the newer TLS versions without having support for the Heartbeat extension at all.