Introduction
Earlier this year, the Payment Card Industry (PCI) Security Standards Council (SSC) deprecated TLS version 1.0 in its Data Security Standard (DSS) [01]. As a result, starting in the summer of 2018, PCI-DSS-compliant e-commerce sites may no longer use this early, insecure version of TLS. This decision follows other moves to strengthen TLS: for instance, the National Institute of Standards and Technology (NIST) has deprecated TLS 1.0 in its government guidelines since 2014 [02], and together these decisions have motivated several organizations to drop support for versions before 1.2 from their systems.
TLS is a highly technical subject. This article explains the reasoning behind these decisions and shows how deprecating older TLS versions is a step toward a safer and better Internet.
Transport Layer Security (TLS)
TLS is a cryptographic protocol that protects data from being read or altered in transit over a computer network. TLS is the successor to, and builds on the foundation of, the earlier Secure Sockets Layer (SSL) protocol. Since its publication in 1999 [03], TLS has been adopted by a surprisingly diverse and widespread array of applications, and it can be used by almost any application that needs to protect the communication between two endpoints (in technical terms, the client and the server).
The best-known use of TLS is protecting connections between browsers and HTTPS web sites (such as the SSL.com server delivering the article you are reading). It is also used by point-of-sale (POS) terminals communicating with their back-end servers (to protect credit card information), by instant messaging applications, e-mail clients, voice-over-IP (VoIP) software, and many more.
Currently, there are four versions of TLS available:
- TLS 1.0 (released in 1999) was the first version and is now being deprecated.
- TLS 1.1 (released in 2006) was never widely adopted by the industry; it was largely skipped in favor of its successor, 1.2.
- TLS 1.2 (released in 2008) is the most commonly used TLS version. Almost all services support TLS 1.2 by default.
- TLS 1.3 (released in 2018) is an experimental version of the TLS protocol that offers better performance and security than older versions. Although it is still under research and not yet officially standardized [04], the industry is already implementing support for its draft versions.
Modern vs early TLS
Vulnerabilities in the earliest TLS 1.0 protocol have concerned the cyber security community for several years, and attacks such as POODLE, CRIME and BEAST have had enough impact to reach the mainstream media. However, TLS is constantly evolving to meet new threats; efforts to improve on the first version of TLS, conducted by the Internet Engineering Task Force (IETF) Network Working Group (NWG), have resulted in the better and more secure current standard, TLS 1.2.
TLS 1.2 uses modern cryptography and offers better performance and security than its predecessors. It is not susceptible to any of the vulnerabilities mentioned above, which makes it an ideal choice for any application that needs secure communications. Most companies and organizations have upgraded their servers to support TLS 1.2.
However, not all client software can be upgraded to newer versions of TLS. For example, a news web site must remain accessible to both modern and older browsers, simply because some readers still use them. Older clients include Android devices before version 5.0, Microsoft's Internet Explorer before version 11, Java programs before Java 1.7, and even some remote payment terminals or monitoring equipment that are costly to upgrade. Conversely, compatibility with older configurations requires that even modern client software be able to communicate with outdated servers.
According to SSL Pulse [05], a service that reports statistics on TLS support among Alexa's Top 500 sites, as of January 2018, 90.6% of the servers hosting the monitored web sites supported TLS 1.0, while 85% supported TLS 1.1. Furthermore, almost all browsers (and many non-browser clients) still support older TLS versions. Thus, while TLS 1.2 is preferred, most clients and servers still support early TLS.
TLS security considerations
Since the majority of modern browsers and clients implement TLS 1.2, a non-technical user might assume that they are safe (and that the systems that have not been upgraded have simply been accepted as business risks). Unfortunately, this is not true: merely supporting earlier versions of TLS poses a security threat to users of even modern clients and servers.
TLS provides network security, and its primary goal is to prevent an attacker from reading or modifying data exchanged between nodes of a network. It therefore mitigates network attacks such as Man-in-the-Middle (MITM) attacks [05]. A MITM attack exploits the fact that a computer network can be manipulated so that the nodes of the network send their traffic to the attacker instead of to the expected router or other nodes. The attacker can then read or modify the intercepted content before relaying it to its intended recipient. TLS protects against MITM attacks by encrypting the data with a secret key known only to the original client and server; a MITM attacker without that key cannot read or tamper with the encrypted data.
However, the TLS version used by a client and a server must match, and since both usually support several versions, they negotiate which one to use through a procedure called the handshake. In the handshake, the client sends an initial message stating the highest TLS version it supports; the server responds with the chosen version, or with an error if no common version exists. Keep in mind that these handshake messages are exchanged unencrypted, because the information they carry is what configures the secure data channel.
Downgrade attacks
The attentive reader may already suspect that, since the handshake is not encrypted, an attacker performing a MITM attack could see the requested TLS version and change it to an earlier, vulnerable one such as TLS 1.0. They could then use any of the aforementioned TLS 1.0 vulnerabilities (such as POODLE or CRIME) to compromise the connection.
In software security, attacks that force victims onto older, more vulnerable versions of software are called downgrade attacks. Attackers exploiting any protocol vulnerability essentially share one goal: compromise network security and gain access to the exchanged data. The technical nuances of these vulnerabilities are not relevant to the deprecation of TLS 1.0 (and details of such attacks are beyond the scope of this article), but the author would like to emphasize that publicly available tools allow even non-technical attackers to perform downgrade attacks. Imagine using your up-to-date mobile phone to read your mail before a flight at the airport, or to check your balance in an online banking application at a cafe. A prepared attacker with these tools can intercept or even tamper with your information if your phone's browser or your banking application allows connections using older versions of TLS.
In effect, as long as the servers and clients in your network connection support older TLS versions, they (and you) are vulnerable.
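To make the version negotiation and the downgrade risk concrete, here is an added example (not code from the original article) that parses the client_version field of a constructed pre-TLS-1.3 ClientHello record and applies a server-side policy: a server whose minimum version is still TLS 1.0 will follow a downgraded hello, while one whose minimum is TLS 1.2 aborts. The record layout and cipher-suite value follow the TLS 1.2 wire format; the `negotiate` policy function and the constructed bytes are assumptions made for the demonstration.

```python
import struct

# Wire-format version numbers (major, minor) and their names.
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_client_hello_version(record: bytes) -> tuple:
    """Return the client_version (major, minor) from a TLS ClientHello record.

    Only the fields needed for version negotiation are checked; the rest of
    the handshake body (random, cipher suites, extensions) is not parsed.
    """
    if len(record) < 11:  # 5-byte record header + 4-byte handshake header + version
        raise ValueError("record too short")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:  # 22 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len != len(body) - 4:
        raise ValueError("handshake length mismatch")
    return (body[4], body[5])  # client_version: the highest version the client offers


def negotiate(client_version: tuple, server_min=(3, 3), server_max=(3, 3)):
    """Assumed server policy: pick the highest version both sides support,
    or return None (abort with an alert) if it is below the server's minimum.
    With the default minimum of TLS 1.2 a downgraded hello is refused."""
    chosen = min(client_version, server_max)
    return chosen if chosen >= server_min else None


def build_client_hello(version: tuple) -> bytes:
    """Constructed minimal ClientHello record for the demo (not a full hello)."""
    random = bytes(32)                       # ClientHello.random (zeros for the demo)
    session_id = b"\x00"                     # empty session id
    cipher_suites = b"\x00\x02\x00\x9c"      # one suite: TLS_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"                # one method: null
    body = bytes(version) + random + session_id + cipher_suites + compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version is conventionally 3.1 for compatibility; the real
    # offer is the client_version inside the handshake body.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for offered in ((3, 3), (3, 1)):  # an honest hello, then a downgraded one
        v = parse_client_hello_version(build_client_hello(offered))
        legacy, hardened = negotiate(v, server_min=(3, 1)), negotiate(v)
        print(TLS_VERSIONS[v], "-> legacy server:", TLS_VERSIONS.get(legacy),
              "| TLS1.2-only server:", TLS_VERSIONS.get(hardened, "abort"))
```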
Am I affected?
To mitigate this risk, PCI SSC and NIST have deprecated TLS 1.0 in systems compliant with their standards. While TLS 1.1 is not affected by all of the discovered vulnerabilities, it was never really adopted in the market, and many companies and organizations have recently dropped support for TLS 1.1 as well. Looking again at SSL Pulse data, as of July 2018, following the deprecation of TLS 1.0, only 76.6% of the monitored web sites still support TLS 1.0 and only 80.6% support TLS 1.1. This means the changes introduced in these standards have had an effect: about 16,000 major sites have dropped all support for early TLS versions.
Downgrade attacks apply to both clients and servers. Concerned readers can check their software for these weaknesses with ssltest, a publicly available toolkit that offers a browser test [07] and a web server test [08], both free of charge.
If your servers still support vulnerable TLS versions, please watch for SSL.com’s upcoming guide to configuring web servers for compliance with most secure standards.
Digital certificates issued by SSL.com work with all versions of TLS, so no action on your certificates is required.
Conclusion
TLS offers security and privacy to Internet users. Over the years, researchers have discovered significant protocol vulnerabilities, which has motivated most companies to upgrade their systems to more modern TLS versions. Despite the demonstrated security concerns, however, support for older clients remains a business requirement. Hopefully, PCI SSC and NIST, along with the other organizations that have chosen to deprecate early TLS, will inspire others to join them and SSL.com in promoting a safer, better and more secure Internet.