The deprecation of TLS 1.0 and 1.1 is underway

After GitHub had a rocky go of it, now it’s DigiCert’s turn…

The deprecation of TLS 1.0 and 1.1 has begun in earnest. A number of GitHub users found that out the hard way over the weekend.

Though GitHub announced the decision to deprecate TLS 1.0 and 1.1 back on February 1st, many users didn’t get the message in time. GitHub’s original plan was to disable the deprecated algorithms for an hour on February 8th.

By disabling support for the deprecated algorithms for a small window, these systems will temporarily fail to connect to GitHub. We will then restore support for the deprecated algorithms and provide a two week grace period for these systems to upgrade their libraries…

Then, on the 22nd, a Friday, GitHub disabled them for good.

Here are the changes that went into effect on Friday:

  • TLSv1/TLSv1.1: This applies to all HTTPS connections, including web, API, and git connections to https://github.com and https://api.github.com.
  • diffie-hellman-group1-sha1: This applies to all SSH connections to github.com.
  • diffie-hellman-group14-sha1: This applies to all SSH connections to github.com.
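A quick way to find out whether a client is on the wrong side of the first change above, as an added example that is not part of this post or of GitHub's tooling: the probe pins a Python `ssl` context to one protocol version at a time and reports which versions a server still accepts, and a separate check reports which versions the local OpenSSL build can offer at all. Host name and port are whatever you point it at; the SSH key-exchange changes are not covered.

```python
import socket
import ssl

# Protocol versions GitHub switched off, and the floor it now enforces.
DEPRECATED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
REQUIRED = ssl.TLSVersion.TLSv1_2

def context_pinned_to(version):
    """Client context that will offer exactly one protocol version."""
    ctx = ssl.create_default_context()  # keeps hostname and chain checks on
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def try_handshake(host, port, version, timeout=5.0):
    """True if the server completed a handshake at `version`; False if no
    handshake at that version happened; None if the TCP connection failed."""
    try:
        ctx = context_pinned_to(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        # Covers both a server refusal and an old local OpenSSL that
        # cannot offer `version` at all ("no protocols available").
        return False
    except (OSError, ValueError):
        return None

def probe_server(host, port=443):
    """Map each version name to the outcome of a pinned handshake."""
    return {v.name: try_handshake(host, port, v) for v in (*DEPRECATED, REQUIRED)}

def local_client_versions():
    """Versions the running interpreter's OpenSSL build can negotiate."""
    flags = ((ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
             (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
             (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
             (ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3))
    return {v for v, supported in flags if supported}

def client_will_break(client_versions):
    """Would a client limited to `client_versions` be locked out by the change?"""
    return not any(v >= REQUIRED for v in client_versions)

if __name__ == "__main__":
    print("local client:", sorted(v.name for v in local_client_versions()))
    print("api.github.com:", probe_server("api.github.com"))
```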

Though only a small number of users still rely on TLS 1.0 and 1.1, those versions have been outmoded by TLS 1.2 and the ever-looming TLS 1.3. Still, GitHub did anticipate some problems, though probably not as many as actually occurred.

There were a couple of breakdowns in GitHub’s deprecation of TLS 1.0 and 1.1.

Poor Communication

When you make a change that could potentially affect a large swath of your user base, it’s usually a good idea to email them at least once about it, if not many times. That didn’t happen here. GitHub only posted on its engineering blog and Twitter.

Twitter is a great platform for interacting with customers and to some extent for marketing. It is not a good way to try to communicate major news about an upcoming change. And I’m going to go out on a limb here, but chances are if a site owner hasn’t upgraded his or her own SSL and SSH implementations from TLS 1.0 or 1.1—they probably aren’t following your engineering blog. I’d be willing to wager that if you drew a Venn diagram with site owners that are using outmoded algorithms in one circle and your blog’s readership in the other, there isn’t going to be much overlap.

Either way, the point is that the communication could have been better here.

Poor Planning

This is largely entwined with the previous issue: the lack of communication meant developers didn’t respond in time and then had to create hot-fixes practically overnight to address the myriad user issues that were raised.

Our System Applications specialist, Nick Perkins, has been following the fallout from the GitHub transition closely. Here’s his opinion:

While there are faults on both sides (the developers’ and GitHub’s), the biggest issue at hand is going to be industry adoption. This is going to raise concerns in other industries such as PCI, healthcare, and other major sectors. Quite honestly, this is probably going to delay the forced adoption of TLS 1.2 further because these industries are not going to want the above to occur and cost them millions if not billions.

It’s your turn, DigiCert

Yesterday, Tuesday June 27th, DigiCert sent a notification to its partners that stated as of April 1, 2018, DigiCert would be deprecating TLS 1.0 and 1.1.

At DigiCert, we are committed to using top-of-the-line encryption and to maintaining a strong cryptographic infrastructure. To prepare for the upcoming industry-wide disabling of TLS 1.0/1.1 and to maintain our PCI compliance, DigiCert will disable TLS 1.0/1.1 on April 1, 2018. DigiCert will only support TLS 1.2 and higher going forward.

This change only applies to the DigiCert website, accounts and services at a browser level. This will not affect Symantec CA customers (Symantec, RapidSSL, GeoTrust and Thawte) since DigiCert hasn’t completely migrated all of the Symantec CA systems yet.

This change also won’t affect end users, again it’s at the browser level. End users will not need to make any changes.

So far, DigiCert’s deprecation of TLS 1.0 and 1.1 is off to a much smoother start than GitHub’s. DigiCert is using email to communicate with its partners—a novel concept.

We’ll keep an eye on DigiCert’s deprecation of TLS 1.0 and 1.1 and update you accordingly.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.