And if you’re not ready for it (and more than 40% of the top million sites still support 1.0 and 1.1), your customers could soon be blocked from accessing your online services.But before we get into the challenges this poses to your organization, let’s back up a bit.
A refresher on TLS (and why 1.0 and 1.1 are on the way out)
TLS (Transport Layer Security) is a security protocol that enables privacy and data security for internet-based communications. TLS plays a crucial role in preventing data breaches arising from insecure web applications by encrypting communications between web applications and servers.
TLSv1.0 and 1.1 were released in 1996 and 2006, respectively, so it’s no surprise that they’ve reached end-of-life status. Neither protocol supports modern cryptographic algorithms, and both unnecessarily increase the attack surface and the opportunities for misconfiguration.
The good news is that most encrypted internet traffic now uses TLSv1.2 and 1.3.
In fact, TLSv1.2 has been the recommended version of the Internet Engineering Task Force protocols since 2008. So there’s been more than sufficient time for organizations to transition away from the older versions and enable TLSv1.2. But the bad news is that despite this, there are still a significant number of web applications still supporting 1.0 and 1.1.
More than 40% of the top million sites still offer SSL/TLS 1.0 and 1.1 protocols.
The 2021 TLS Telemetry Report, F5
So, why not just upgrade?
It’s likely your organization needs to remain compliant with standards such as PCI-DSS (which prohibits the use of old versions). And naturally, you want to negate the security and reputational risks of having a public-facing web presence that supports old TLS versions. So, you’d think that the obvious solution from a security standpoint is simply to upgrade your origin web server to accept only TLS 1.2 and above.
It seems logical. However, some of your users may still use old browsers on Windows XP, old Android phones or other devices that do not support TLS1.2 and above which will be unable to connect to your website. As a result, you risk the loss of valued customers, potential damage to your brand, and an increase in negative customer service requests.
Another consideration is non-browser users of your website. If your website supports API consumers or uses third-party code that may be written using outdated libraries, operating systems, or technology stacks, they may not support TLS 1.2 and above.
And to top it off, your security team has no easy way to understand how many of your customers use old browsers, so it’s hard to predict or mitigate the fallout.
Upgrade with minimal impact to user experience
RedShield’s TLS Version Upgrade solution consists of three components. They’re all designed to provide a better customer experience, help you communicate the changes to keep customers on side, minimize the demands on your customer services teams, and support your efforts to improve application security – without losing business. And you can choose one, two or all of them.
1. Pinpoint which systems and users will be affected
RedShield can help you understand what proportion of your visitors are connecting with each protocol version. We can log all requests – bar the request contents – so we can pass on information such as the source IP, target URL, the TLS protocol used, and the user-agent. We can also identify which of your systems require upgrading, as well as their overall usage.
This way, we can help you make customer data-driven decisions to enable a smooth and successful TLS ‘identify and upgrade’ customer communications process.
2. Ensure customers can still access your online services
Disabling TLS 1.0 and 1.1 means browsers that don’t support TLS 1.2 will fail to connect. To improve your users’ experience, RedShield can redirect older browsers to a RedShield hosted landing page (or insert a banner) with information about how to upgrade their browser and operating system so they can securely access the site. The landing page can inform the customer of:
- The security implications of the old protocol;
- The company’s intention to deprecate the protocol on a date;
- Ways to self remediate;
- A contact us mechanism if this is going to be a problem;
- Modify the information on the page with escalating warnings over time, and finally restrict general access using the old protocol with some exceptions.
We additionally provide a regular report with the IP and usernames of all customers who logged in with old browsers, so you can decide how to communicate with them on the need to upgrade.
3. Migrate multiple apps off old protocols with ease:
If you have a legitimate reason for not upgrading – we have a great workaround. We can apply best practice configuration using TLSv1.2 and/or 1.3 on your front-end regardless of the protocols and ciphers used on the web application server. So you can still run TLSv1.0 or 1.1 in the background, without the risk.
And the best news is that we can roll out our solution for multiple applications within just days, and leave it in place for as long as needed.