Should we descativate Tls 1.1 & 1.0

I just ran an audit of my certificat on https://www.ssllabs.com/ and saw a warning about TLS 1.1 & TlS 1.0.

Is there some recommandation to disable it?

My certificat using
|TLS 1.2 |Yes|
|TLS 1.1 |Yes|
|TLS 1.0 |Yes|

?

Exemple:
https://www.ssllabs.com/ssltest/analyze.html?d=www.bijouxcherie.com&hideResults=on

1 Like

Hi @jd440

read that link:

It's your decision.

PS: You can use a certificate with Tls.1.0, 1.1, 1.2 and 1.3. So it's only a question of your configuration and your clients.

PPS: And read

https://www.rfc-editor.org/rfc/rfc7525.html

from 2015. There are some reasons why Tls.1.0 and 1.1 are deprecated.

5 Likes

Thanks @ JuergenAuer

I’m aware about security matters about 1.0 & 1.1.

But just questioning my self about disabling it.
If 2% of users can’t access to my website it could be annoying.

It seems today ~70% still using it.
https://www.ssllabs.com/ssl-pulse/#chart-protocol-support

And if we check some as G.A.F.A
https://www.ssllabs.com/ssltest/analyze.html?d=www.amazon.com
TLS 1.0 & 1.1 & 1.2

https://www.ssllabs.com/ssltest/analyze.html?d=www.google.com
TLS 1.0 & 1.1 & 1.2 & 1.3

https://www.ssllabs.com/ssltest/analyze.html?d=www.facebook.com
TLS 1.0 & 1.1 & 1.2 & 1.3

https://www.ssllabs.com/ssltest/analyze.html?d=www.apple.com
TLS 1.0 & 1.1 & 1.2 & 1.3

But Mozilla
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite
Recommand only 1.2 & 1.3

Does disabling TLS 1.0 & TLS 1.1 could have positif impact on ssl negociation?

Are you GAFA? Do you have the ressources GAFA has? Do you know what GAFA changes next year?

There is your job: Check your protocols to see, if Tls.1.0 / 1.1 is used.

Last year, I've added such a check. I have a subdomain service and some own sites ("check your website" is one, another is a blog).

Result: Most of the customers -> nobody uses Tls.1.0/1.1. Users with FireFox / Chrome -> no problem. One user with a very old Android (4.*). And one Windows application connecting one database via an API with Tls.1.0.

The application had an update (last year), now most users of that application connect via Tls.1.2. Tls.1.0 users -> they must update the application.

Own domains: Only spam bots.

It's a general question. In 2013 or 2014, there was such a critical situation. A downgrade attack Tls.1.0 -> SSL3, then a hack of the SSL3 connection.

Result (from SSLLabs): Disable SSL3. That was the dead of XP + IE6 users (XP supports only SSL3). In a few days -> a lot of webservers disabled SSL3.

So if the higher protocol allows a (new or unknown / not published) downgrade attack: If there is no lower protocol active, that's not a problem.

1 Like

Unfortunately not.

How do you check it? Only by browser stats in analytics, or logs?

Useful,

I was talking in terms of performance and duration of ssl negotiation

I have an own NET-application. That's the backend of static domains, all customer domains and domains like "check your website".

There it's easy to check the TLS-protocol and create an own log.

I don't think ssl negotiation is a performance problem. There are a lot of other, more critical problems: Too much ressources, no http/2, slow databases or too long queries.

PS: The "critical situation": The Poodle attack - 2014:

As a web site operator, you should disable SSL 3 on your servers as soon as possible. You need to do this even if you support the most recent TLS version because an active MITM attacker can force browsers to downgrade their connections all the way down to SSL 3, which can then be exploited.

2 Likes

Yesterday, I've added a Tls.1.0 / 1.1 check to "check your website".

Now reading some results:

One domain uses Cloudfront / Amazon.

And port 443:

Tls.1.2
Tls.1.1
no Tls.1.0

So Amazon has already removed Tls.1.0 if someone uses such a service.

2 Likes

I gathered SSL stats on my pet website last October:

4% TLSv1
0.02% TLSv1.1
41% TLSv1.2
54% TLSv1.3

It gets quite a number of visitors from the Philippines and Indonesia, who I guess do not own the latest and greatest. I’m not going to deny that 4% just yet. This is just an example of how the situation may differ from website to website.

2 Likes

Yep, that's individual.

Sample: My protocol said: Some users with Windows 7. But Windows 7 has an update, so Tls.1.2 is active. But it's required to activate Tls.1.2 in the IE.

So I've added an information on some start pages: ~~ "You use Tls.1.0. Update your browser or activate Tls.1.2, if you use Windows 7".

Conclusion: Windows 7 users are not a reason not to deactivate Tls.1.0.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.