The deprecation of TLS 1.0 and 1.1 is underway
After GitHub had a rocky go of it, now it’s DigiCert’s turn…
The deprecation of TLS 1.0 and 1.1 has begun in earnest. A number of GitHub users found that out the hard way over the weekend.
Though GitHub announced the decision to deprecate TLS 1.0 and 1.1 back on February 1st, many users didn’t get the message in time. GitHub’s original plan was to disable the deprecated algorithms for an hour on February 8th.
By disabling support for the deprecated algorithms for a small window, these systems will temporarily fail to connect to GitHub. We will then restore support for the deprecated algorithms and provide a two week grace period for these systems to upgrade their libraries…
Then, on the 22nd, a Friday, GitHub disabled them for good.
Here are the changes that went into effect on Friday:
- TLSv1/TLSv1.1: This applies to all HTTPS connections, including web, API, and git connections to https://github.com and https://api.github.com.
- diffie-hellman-group1-sha1: This applies to all SSH connections to github.com
- diffie-hellman-group14-sha1: This applies to all SSH connections to github.com
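As an added example that is not part of the original post, here is a small Python self-check a client machine can run ahead of a cutover like this one: it builds a TLS client context that refuses anything below 1.2, reports whether the local OpenSSL can do TLS 1.2 at all, and flags the two SHA-1 key exchanges from the list above in `ssh -Q kex` output. The embedded kex lists are constructed samples, and the default host name github.com is an assumption.

```python
# Added example (not GitHub's or the post author's code): a pre-cutover
# self-check covering both halves of the change, TLS < 1.2 on HTTPS and
# the two SHA-1 Diffie-Hellman key exchanges on SSH.
import socket
import ssl
import subprocess
import sys
from typing import List

# The two SSH key-exchange methods named in the post.
DEPRECATED_SSH_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}

# Constructed samples of `ssh -Q kex` output for the two interesting cases.
LEGACY_ONLY_KEX_SAMPLE = "diffie-hellman-group1-sha1\ndiffie-hellman-group14-sha1\n"
MODERN_KEX_SAMPLE = (
    "curve25519-sha256\ndiffie-hellman-group14-sha1\n"
    "diffie-hellman-group-exchange-sha256\n"
)


def tls12_client_context() -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.2.
    A handshake that only succeeds with a default context but fails with this
    one means the client was relying on TLS 1.0/1.1 and will break at cutover."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def local_stack_ready() -> bool:
    """True if the linked OpenSSL exposes TLS 1.2 at all."""
    return ssl.HAS_TLSv1_2


def _offered(ssh_q_kex_output: str) -> set:
    return {line.strip() for line in ssh_q_kex_output.splitlines() if line.strip()}


def deprecated_kex_in_use(ssh_q_kex_output: str) -> List[str]:
    """Deprecated kex methods present in `ssh -Q kex` output (informational)."""
    return sorted(_offered(ssh_q_kex_output) & DEPRECATED_SSH_KEX)


def ssh_client_will_be_locked_out(ssh_q_kex_output: str) -> bool:
    """True only when every method the client offers is one being removed."""
    offered = _offered(ssh_q_kex_output)
    return bool(offered) and offered <= DEPRECATED_SSH_KEX


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "github.com"  # assumption
    print("TLS 1.2 available locally:", local_stack_ready())
    try:
        kex = subprocess.run(["ssh", "-Q", "kex"], capture_output=True, text=True, check=True).stdout
        print("deprecated kex offered:", deprecated_kex_in_use(kex))
        print("ssh would be locked out:", ssh_client_will_be_locked_out(kex))
    except (OSError, subprocess.CalledProcessError):
        print("ssh not available; skipping kex check")
    with socket.create_connection((host, 443)) as sock:
        with tls12_client_context().wrap_socket(sock, server_hostname=host) as tls:
            print("negotiated", tls.version(), "with", host)
```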
Though only a small number of users still rely on TLS 1.0 and 1.1, those versions are outmoded now that TLS 1.2 is the norm and TLS 1.3 is on the horizon. GitHub did anticipate some problems, though probably not as many as actually occurred.
There were a couple of breakdowns in GitHub’s deprecation of TLS 1.0 and 1.1.
Poor Communication
When you make a change that could potentially affect a large swath of your user base, it’s usually a good idea to email them at least once about it, if not many times. That didn’t happen here. GitHub only posted on its engineering blog and Twitter.
Twitter is a great platform for interacting with customers and, to some extent, for marketing. It is not a good way to communicate major news about an upcoming change. And I’m going to go out on a limb here, but chances are that if a site owner hasn’t moved their own TLS and SSH clients off TLS 1.0 or 1.1 and SHA-1 key exchange—they probably aren’t following your engineering blog. I’d be willing to wager that if you drew a Venn diagram with site owners that are using outmoded algorithms in one circle and your blog’s readership in the other, there isn’t going to be much overlap.
Either way, the point is that the communication could have been better here.
Poor Planning
This is largely entwined with the previous issue: the lack of communication meant developers didn’t respond in time, and then had to create hot-fixes pretty much overnight to deal with the myriad user issues that were raised.
Our System Applications specialist, Nick Perkins, has been following the fallout from the GitHub transition closely. Here’s his opinion:
While there are faults on both sides (developers’ and GitHub’s) the biggest issue at hand is going to be industry adoption. This is going to raise concerns in other industries such as PCI, Healthcare, and other major sectors. Quite honestly, this is probably going to delay the forced adoption of TLS 1.2 further because these industries are not going to want the above to occur and cost them millions if not billions.
It’s your turn, DigiCert
Yesterday, Tuesday June 27th, DigiCert sent a notification to its partners that stated as of April 1, 2018, DigiCert would be deprecating TLS 1.0 and 1.1.
At DigiCert, we are committed to using top-of-the-line encryption and to maintaining a strong cryptographic infrastructure. To prepare for the upcoming industry-wide disabling of TLS 1.0/1.1 and to maintain our PCI compliance, DigiCert will disable TLS 1.0/1.1 on April 1, 2018. DigiCert will only support TLS 1.2 and higher going forward.
This change only applies to the DigiCert website, accounts and services at a browser level. This will not affect Symantec CA customers (Symantec, RapidSSL, GeoTrust and Thawte) since DigiCert hasn’t completely migrated all of the Symantec CA systems yet.
This change also won’t affect end users, again it’s at the browser level. End users will not need to make any changes.
So far, DigiCert’s deprecation of TLS 1.0 and 1.1 is off to a much smoother start than GitHub’s. DigiCert is using email to communicate with its partners—a novel concept.
We’ll keep an eye on DigiCert’s deprecation of TLS 1.0 and 1.1 and update you accordingly.