Announcement: Ending Support for TLS 1.1


Uberflip services will no longer support TLS 1.1 starting on May 20, 2020. Learn why we're doing this, and how it affects you.


 

What's changing?

On May 20, 2020, Uberflip will end support for Transport Layer Security (TLS) version 1.1 to align with industry best practices for security. Starting on this date, we will require TLS 1.2 or higher to connect to Uberflip services, including:

At the same time, we will also modify our list of enabled cipher suites (encryption algorithms) for TLS connections to remove cipher suites known to be weak, and add a number of more secure options (see the Technical Information section below for details).

Most Uberflip customers and visitors to their Hubs should not be affected by these changes in any noticeable way. All modern browsers and other applicable software that are currently in use already support at least TLS 1.2 and the new cipher suites. This change will impact only obsolete/legacy browsers that are no longer widely used (see here for details about who is affected).

 

What is TLS?

TLS, or Transport Layer Security, is a protocol that allows data to be securely exchanged over the internet. (You may also be familiar with the term "SSL", which is sometimes used to refer to TLS.) TLS is the technology that encrypts HTTPS communications, and is used by the majority of websites and internet services to keep data safe.

There are currently four versions of TLS: 1.0, 1.1, 1.2, and 1.3. Using the latest version is preferred, as it is generally the most secure. However, to allow for backwards compatibility with old browsers that can't use newer TLS versions, many servers still support older versions as well. That is now changing, and most websites are dropping support for old TLS versions — including Uberflip.

 

Why is Uberflip making this change?

The oldest versions of TLS (1.0 and 1.1) have known security flaws. The problem is that supporting these old versions for backwards compatibility leaves all browsers vulnerable to their flaws — including modern browsers that can use the newest, most secure version of TLS.

Attackers can exploit vulnerable versions of TLS only when a server supports those versions. This is why Uberflip previously dropped support for TLS 1.0, and why we are dropping support for TLS 1.1 now: by taking this action, we are effectively closing the door on attacks that exploit vulnerable TLS versions, making our systems more secure for our customers and their users. For the same reason, we're also taking this opportunity to upgrade the types of encryption algorithms we use with TLS.

Uberflip is not alone in making this change: the Internet Engineering Task Force (IETF) has announced that they intend to formally deprecate TLS 1.0 and 1.1, and this has sent a strong signal to the internet that it's time to stop using these antiquated versions. As a result, a large number of websites and other web services are removing support for TLS 1.0 and 1.1 on their systems, including GitHub, Slack, Cloudflare, Microsoft Office 365, and others.

 

Will I or my visitors be affected by this change?

The vast majority of our customers, and visitors to customer Hubs, will not be affected by this change. All recent versions of the major browsers (both desktop and mobile) support at least TLS 1.2, and in most cases support TLS 1.3 as well. Users of these browsers typically receive automatic updates, so most are already using a version that is unaffected by this change. For more information about the browsers that work with Uberflip, see this article.

It is also important to note that Uberflip servers already did not support TLS 1.0 connections, so this change only affects software with a highest supported TLS version of 1.1. TLS 1.1 was never widely adopted, as most browsers bypassed it entirely and went straight from 1.0 to 1.2. For reference:

  • Three years ago (2017), Cloudflare found that only 0.38% of browsers were still using TLS 1.1
  • As of May 1, 2020, Google's Chrome usage data showed that TLS 1.0 and 1.1 combined were used for only 0.18% of page loads in Chrome (by far the most widely used browser)

As a result, we expect that only a very small number of users will be affected by this change.

 

Who is affected?

We have been able to identify only one affected browser version that still has active users: Internet Explorer 11 on versions of Windows older than Windows 10. While Internet Explorer 11 has support for TLS 1.2 by default, it is not able to use any of the new cipher suites that Uberflip will support when used on Windows 7/8/8.1. This limitation also applies to versions of Windows Server earlier than Windows Server 2016.

If you are using Internet Explorer 11 on Windows 7, 8, or 8.1 you must take action to continue using Uberflip services on or after May 20. You have the following options:

  • Upgrade to Windows 10 and the Microsoft Edge browser
    • You can also use Internet Explorer 11 on Windows 10, but we recommend upgrading to Edge if possible, as Internet Explorer 11 is now considered a legacy browser
  • If you are not able to upgrade to Windows 10, switch to the most recent version of another browser, e.g. Google Chrome or Mozilla Firefox

 

Technical Information

Below is more detailed information about the cipher suites that Uberflip is retiring, and the cipher suites that will be in use going forward. This change will take effect at the same time as the deprecation of TLS 1.1 on May 20, 2020.

The reason for this change is that the cipher suites being retired do not support ephemeral keys/perfect forward secrecy, and are therefore vulnerable to attacks that target the cipher suite specifically (e.g. ROBOT). For this reason, these cipher suites are generally considered "weak" by tools that assess web security (such as the widely used Qualys SSL Server Test) and should no longer be supported.

Retired Cipher Suites

The following cipher suites were enabled previously, but will no longer be used as of May 20, 2020:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA

New Cipher Suites

The following cipher suites are enabled as of May 20, 2020 (listed in order of priority):

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Info

Internet Explorer 11 can only use these cipher suites in Windows 10 (and up) — they are unsupported in Windows 7/8/8.1, as well as in Windows Server 2008/2008 R2/2012/2012 R2. For more information on TLS cipher suite support in Windows operating systems, see this article from Microsoft.
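
The following sketch is an added example, not Uberflip's code: it parses the cipher-suite names listed above to show whether each uses an ephemeral key exchange and an AEAD cipher, and models which clients can still connect once TLS 1.2 and the new list are required. The function names, the `MIN_VERSION` constant, and the assumption that the server honours its listed priority order are illustrative.

```python
# Added example (not Uberflip code): classify the page's cipher suites and
# model which clients can still negotiate a connection after May 20, 2020.
RETIRED = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
ENABLED = [  # server priority order, as listed on the page
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
]
MIN_VERSION = (1, 2)  # TLS 1.2 or higher is required after the change

def classify(suite):
    """Parse an IANA name of the form TLS_<kx>[_<auth>]_WITH_<cipher>[_<hash>]."""
    kx_auth, sep, cipher = suite[len("TLS_"):].partition("_WITH_")
    if not suite.startswith("TLS_") or not sep:
        raise ValueError("not a TLS 1.2 style suite name: " + suite)
    kx = kx_auth.split("_")[0]
    return {
        "key_exchange": kx,
        "forward_secrecy": kx in ("ECDHE", "DHE"),  # ephemeral key exchange
        "aead": "_GCM_" in cipher or cipher.startswith("CHACHA20_POLY1305"),
    }

def negotiate(client_max_version, client_suites):
    """Return the suite the server would pick, or None if the handshake fails."""
    # Assumption: the server honours its own priority order (ENABLED).
    if client_max_version < MIN_VERSION:
        return None
    offered = set(client_suites)
    return next((s for s in ENABLED if s in offered), None)

if __name__ == "__main__":
    for s in RETIRED + ENABLED:
        print(s, classify(s))
    # Constructed client: speaks TLS 1.2 but offers only the retired suites.
    print(negotiate((1, 2), RETIRED))
```

Run over the lists above, it reports a static RSA key exchange for the five TLS_RSA suites and CBC mode for the three retired ECDHE suites, and a client that speaks TLS 1.2 but offers only retired suites fails to negotiate.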
