{"id":5961,"date":"2018-02-28T14:00:54","date_gmt":"2018-02-28T19:00:54","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=5961"},"modified":"2020-08-25T11:51:25","modified_gmt":"2020-08-25T15:51:25","slug":"deprecation-tls-1-0-1-1-underway","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/deprecation-tls-1-0-1-1-underway\/","title":{"rendered":"The deprecation of TLS 1.0 and 1.1 is underway"},"content":{"rendered":"<h2>After GitHub had a rocky go of it, now it&#8217;s DigiCert&#8217;s turn&#8230;<\/h2>\n<p>The deprecation of TLS 1.0 and 1.1 has begun in earnest. A number of GitHub users found that out the hard way over the weekend.<span id=\"newline\"><\/span><\/p>\n<p>Though GitHub announced the decision to deprecate TLS 1.0 and 1.1 back on February 1<sup>st<\/sup>, many users didn\u2019t get the message in time. GitHub\u2019s original plan was to disable the deprecated algorithms for an hour on February 8<sup>th<\/sup>.<\/p>\n<blockquote><p>By disabling support for the deprecated algorithms for a small window, these systems will temporarily fail to connect to GitHub. We will then restore support for the deprecated algorithms and provide a two week grace period for these systems to upgrade their libraries\u2026<\/p><\/blockquote>\n<p>Then, on the 22<sup>nd<\/sup>, a Friday, GitHub disabled them for good.<\/p>\n<p>Here are the changes that went into effect on Friday:<\/p>\n<ul>\n<li>TLSv1\/TLSv1.1: This applies to all HTTPS connections, including web, API, and git connections to https:\/\/github.com and https:\/\/api.github.com.<\/li>\n<li>diffie-hellman-group1-sha1: This applies to all SSH connections to github.com<\/li>\n<li>diffie-hellman-group14-sha1: This applies to all SSH connections to github.com<\/li>\n<\/ul>\n<p>Though only a small number of users still rely on TLS 1.0 and 1.1, they are outmoded because of TLS 1.2, and the ever-looming <a href=\"https:\/\/www.thesslstore.com\/blog\/tls-1-3-everything-possibly-needed-know\/\">TLS 1.3<\/a>. Still, GitHub did anticipate some problems. Though, probably not as many as actually occurred.<\/p>\n<p>There were a couple of breakdowns in GitHub\u2019s deprecation of TLS 1.0 and 1.1.<\/p>\n<h2>Poor Communication<\/h2>\n<p>When you make a change that could potentially affect a large swath of your user base, it\u2019s usually a good idea to email them at least once about it, if not many times. That didn\u2019t happen here. GitHub only <a href=\"https:\/\/github.com\/fsprojects\/Paket\/pull\/3066\" rel=\"nofollow\">posted on its engineering blog<\/a> and Twitter.<\/p>\n<p>Twitter is a great platform for interacting with customers and to some extent for marketing. It is not a good way to try to communicate major news about an upcoming change. And I\u2019m going to go out on a limb here, but chances are if a site owner hasn\u2019t upgraded his or her own SSL and SSH implementations from TLS 1.0 or 1.1\u2014they probably aren\u2019t following your engineering blog. I\u2019d be willing to wager that if you drew a Venn diagram with site owners that are using outmoded algorithms in one circle and your blog\u2019s readership in the other, there isn\u2019t going to be much overlap.<\/p>\n<p>Either way, the point is that the communication could have been better here.<\/p>\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n<h2>Poor Planning<\/h2>\n<p>This is largely entwined with the previous issue, but a lack of communication led to developers not responding in time and then creating hot-fixes pretty much overnight to respond to the myriad user issues that were raised.<\/p>\n<p>Our System Applications specialist, Nick Perkins, has been following the fallout from the GitHub transition closely. Here\u2019s his opinion:<\/p>\n<blockquote><p>While there\u2019s faults on both sides (developers and GitHub\u2019s) the biggest issue at hand is going to be industry adoption. This is going to raise concerns in other industries such as PCI, Healthcare, and other major sectors. Quite honestly, this is probably going to delay the forced adoption of TLS1.2 further because these industries are not going to want the above to occur and cost them millions if not billions.<\/p><\/blockquote>\n<h2>It&#8217;s your turn, DigiCert<\/h2>\n<p>Yesterday, Tuesday June 27<sup>th<\/sup>, DigiCert sent a notification to its partners that stated as of April 1, 2018, DigiCert would be deprecating TLS 1.0 and 1.1.<\/p>\n<blockquote><p>At DigiCert, we are committed to using top-of-the-line encryption and to maintaining a strong cryptographic infrastructure. To prepare for the upcoming industry-wide disabling of TLS 1.0\/1.1 and to maintain our PCI compliance, DigiCert will disable TLS 1.0\/1.1 on April 1, 2018. DigiCert will only support TLS 1.2 and higher going forward.<\/p><\/blockquote>\n<p>This change only applies to the DigiCert website, accounts and services at a browser level. <strong>This will not affect Symantec CA customers<\/strong> (Symantec, RapidSSL, GeoTrust and Thawte) since DigiCert hasn\u2019t completely migrated all of the Symantec CA systems yet.<\/p>\n<p>This change also won\u2019t affect end users, again it\u2019s at the browser level. End users will not need to make any changes.<\/p>\n<p>So far, DigiCert\u2019s deprecation of TLS 1.0 and 1.1 is off to a much smoother start than GitHub\u2019s. DigiCert is using email to communicate with its partners\u2014a novel concept.<\/p>\n<p>We\u2019ll keep an eye on DigiCert\u2019s deprecation of TLS 1.0 and 1.1 and update you accordingly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After GitHub had a rocky go of it, now it&#8217;s DigiCert&#8217;s turn&#8230; The deprecation of TLS 1.0 and 1.1 has begun in earnest. A number of GitHub users found that&#8230;<\/p>\n","protected":false},"author":6,"featured_media":5962,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[161],"class_list":["post-5961","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-tls","post-with-tags"],"views":19785,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/02\/iStock-619229716.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/5961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=5961"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/5961\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/5962"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=5961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=5961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=5961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}