TLS is the protocol that encrypts data in transit between a client and an application server. If you run a public-facing application or website, some version of TLS is almost certainly in play. Several TLS versions have been released over the years, each more secure than its predecessor. TLS 1.3 is the latest version in the family and the strongest.
About a week ago, the IETF officially approved RFC 8996, a Best Current Practice. The RFC formally deprecates TLS 1.0 and TLS 1.1, retiring them from the set of SSL/TLS protocol versions that implementations should support, because, as the abstract rightly states:
“These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.”
For most organizations that are not already mandated to use TLS 1.2 or above, the impact of this change is advisory. It is now best practice to move to TLS 1.2 or TLS 1.3 so that transactions with your web, mobile and API-based applications get the strongest protection available.
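Before switching old versions off, it helps to know what an endpoint currently accepts. The following is an added example, not code from the original post or from Barracuda: a small probe, using only the Python standard library (3.7+ on OpenSSL 1.1.1+), that pins a client context to a single protocol version and reports whether the server completes the handshake at that version. The host and port are command-line arguments, and the status strings ("accepted", "handshake-failed", "unsupported-locally", "connect-failed") are this example's own names. One caveat it handles: a modern OpenSSL build may refuse to offer TLS 1.0 or 1.1 at all, in which case the probe says so instead of reporting the server as secure.

```python
"""Probe which TLS protocol versions a server will negotiate.

Added example, not from the original post or Barracuda's products.
Standard library only (Python 3.7+, OpenSSL 1.1.1+ recommended).
"""
import socket
import ssl
import sys
import warnings

# One probe per protocol version the post discusses.
PROBE_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
# Deprecated by RFC 8996.
LEGACY = {"TLS 1.0", "TLS 1.1"}


def pinned_context(version):
    """Client context that offers exactly one protocol version.

    Certificate validation is switched off on purpose: the question is
    whether the server completes a handshake at this version, not whether
    its certificate is trusted. Raises ValueError when the local OpenSSL
    build cannot speak the version at all (common for TLS 1.0/1.1 today).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Lower OpenSSL's security level so legacy suites can be offered;
        # LibreSSL has no SECLEVEL keyword, in which case keep the defaults.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    with warnings.catch_warnings():
        # Python >= 3.10 warns that TLSVersion.TLSv1/TLSv1_1 are deprecated;
        # offering them is exactly the point of the probe.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'handshake-failed', 'unsupported-locally' or 'connect-failed'."""
    try:
        ctx = pinned_context(version)
    except ValueError:
        return "unsupported-locally"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect-failed"  # refused, unreachable or timed out before TLS
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
        except OSError:
            # protocol_version alert, TCP reset, EOF or timeout mid-handshake
            return "handshake-failed"


def probe_server(host, port=443, timeout=5.0):
    """Map each version name to its probe status."""
    return {name: probe_version(host, port, ver, timeout) for name, ver in PROBE_VERSIONS}


def legacy_accepted(results):
    """Names of the deprecated versions (TLS 1.0/1.1) the server still accepts."""
    return sorted(name for name in LEGACY if results.get(name) == "accepted")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} HOST [PORT]")
        sys.exit(2)
    target = sys.argv[1]
    port_arg = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    report = probe_server(target, port_arg)
    for name, status in report.items():
        print(f"{name}: {status}")
    old = legacy_accepted(report)
    print("still accepts deprecated versions: " + (", ".join(old) if old else "none"))
```

Run it as `python3 tls_probe.py your-host.example 443`. A "handshake-failed" for TLS 1.0 and 1.1 alongside "accepted" for 1.2 and 1.3 is the result you want; "unsupported-locally" means the probing machine, not the server, has dropped the old version, and you need an older OpenSSL or a dedicated scanner to test it.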
Onward to the fluff.
The draft for the RFC was imaginatively titled – draft-moriarty-tls-oldversions-diediedie. We approve.
- Nearly 92% of all traffic was HTTPS
- Nearly 65% of the HTTPS traffic was TLS 1.3
- About 30% of all HTTPS traffic was TLS 1.2
- Around 5% or less of HTTPS traffic was using TLS 1.1 or lower
A rather rosy state of secure transmissions for our customers!
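The figures above came from Barracuda's own telemetry. To produce the same breakdown for your own sites, and to find out which clients would break if you turned the old versions off, here is an added example that is not part of the original post. It assumes an nginx-style combined access log with two extra fields appended, `$scheme` and `$ssl_protocol` (nginx logs `-` for plain HTTP and names the versions `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`); the sample log embedded below is constructed for the example, with RFC 5737 documentation addresses.

```python
"""Break down an access log by scheme and negotiated TLS version.

Added example, not from the original post. Assumes nginx-style combined
log lines with "$scheme $ssl_protocol" appended. The sample is constructed.
"""
import re
import sys
from collections import Counter

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<scheme>https?) (?P<proto>\S+)$'
)

# Versions deprecated by RFC 8996 (and SSLv3, which went earlier), as nginx names them.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: 12 requests, 10 over HTTPS.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 https TLSv1.3
198.51.100.7 - - [16/Mar/2021:10:00:02 +0000] "GET /api/v1/items HTTP/1.1" 200 2210 https TLSv1.2
192.0.2.9 - - [16/Mar/2021:10:00:02 +0000] "GET / HTTP/1.1" 301 169 http -
203.0.113.44 - - [16/Mar/2021:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 https TLSv1
203.0.113.5 - - [16/Mar/2021:10:00:03 +0000] "GET /app.js HTTP/1.1" 200 51200 https TLSv1.3
203.0.113.5 - - [16/Mar/2021:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 7100 https TLSv1.3
198.51.100.23 - - [16/Mar/2021:10:00:05 +0000] "GET /api/v1/items HTTP/1.1" 200 2210 https TLSv1.1
192.0.2.9 - - [16/Mar/2021:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 68 http -
198.51.100.7 - - [16/Mar/2021:10:00:06 +0000] "GET /api/v1/items/7 HTTP/1.1" 200 410 https TLSv1.2
203.0.113.77 - - [16/Mar/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 1043 https TLSv1.3
203.0.113.77 - - [16/Mar/2021:10:00:07 +0000] "GET /app.js HTTP/1.1" 200 51200 https TLSv1.3
203.0.113.78 - - [16/Mar/2021:10:00:08 +0000] "GET / HTTP/1.1" 200 1043 https TLSv1.3
"""


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to divide by."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def tls_breakdown(lines):
    """Share of HTTPS among all requests, and per-version shares within HTTPS."""
    total = https = 0
    versions = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # blank or unparseable line
        total += 1
        if rec["scheme"] == "https":
            https += 1
            versions[rec["proto"]] += 1
    legacy = sum(n for v, n in versions.items() if v in LEGACY_VERSIONS)
    return {
        "total": total,
        "https": https,
        "https_pct": pct(https, total),
        "version_pct": {v: pct(n, https) for v, n in sorted(versions.items())},
        "legacy_pct": pct(legacy, https),
    }


def legacy_clients(lines):
    """Distinct (client IP, protocol) pairs still negotiating a deprecated version:
    the clients that would break the day TLS 1.0/1.1 are switched off."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["scheme"] == "https" and rec["proto"] in LEGACY_VERSIONS:
            seen.add((rec["ip"], rec["proto"]))
    return sorted(seen)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    summary = tls_breakdown(lines)
    print(f"{summary['https_pct']}% of {summary['total']} requests were HTTPS")
    for version, share in summary["version_pct"].items():
        print(f"  {version}: {share}% of HTTPS")
    print(f"  deprecated versions: {summary['legacy_pct']}% of HTTPS")
    for ip, proto in legacy_clients(lines):
        print(f"  legacy client {ip} ({proto})")
```

On the constructed sample it reports 83.3% HTTPS, with TLS 1.3 at 60% and the deprecated versions at 20% of HTTPS, and names the two client addresses still on TLS 1.0 and 1.1. On a real log the legacy list is the thing to read before the cut-over; it is usually a handful of old monitoring agents or integrations rather than end users.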
The interesting part of this data (aside from the TLS 1.3 numbers being far higher than we originally expected) is that most modern browsers support and prefer TLS 1.3, and the move to it has not been difficult. It has been almost seamless, contrary to what some doomsayers predicted a while ago. Even bots seem to prefer TLS 1.2 over the older versions, mainly because the underlying OS supports it. Automatic browser updates are a force for good.
The one stumbling block for this change, however, is typically the application itself. Whether it is an older application that cannot go beyond SSLv3.0 or one that depends on an older OS version without support for the latest TLS versions, such applications typically stay under-secured because of the time and effort an upgrade requires. This is not a massive problem to overcome if you use the Barracuda WAF-as-a-Service. Any application can be onboarded and protected by the WAF-as-a-Service in a matter of minutes. The best part of this protection is that the WAF-as-a-Service then provides a secure HTTPS front end for the application, talking to browsers and apps with the latest TLS versions. It then translates to the older version your application uses and passes the traffic to the backend in a form the backend understands, so the legacy protocol is confined to the hop between the WAF and your backend instead of being exposed to the internet. It even automates certificate creation by integrating with Let's Encrypt for free HTTPS certificates. In doing so, the WAF-as-a-Service takes away a lot of the complexity and replaces it with security.
Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda. Prior to this role, Tushar was a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus on cloud and automation. Tushar has a wide range of experience, from leading networking product testing teams to technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.