TLS 1.3 is Around the Corner, Microsoft Seeks to Improve TLS 1.2 Support for Windows

July 20, 2017 | By John Britas

We are all set to welcome the next update of TLS (Transport Layer Security), TLS 1.3. But are we prepared to give full support to the latest version of this security protocol? We still work with legacy systems, software dependencies and many other almost obsolete support requirements. We know that there are still many systems and programs that haven’t adopted even the previous version of TLS, TLS 1.2, which was released in 2008. It’s in this context that we need to discuss whether we are indeed ready for TLS 1.3, and what Microsoft wants us to do about using the different versions of TLS. But before that, here is a brief introduction to what TLS is.

What is TLS?

To discuss TLS, we first need to answer the question: what is SSL? SSL (Secure Sockets Layer) is a standard security protocol used to establish encrypted links between web servers and web browsers. SSL technology ensures that all communication between a web server and a web browser remains encrypted and hence totally private. SSL technology is an industry standard today and is used by websites to protect all communication and data transmitted online. TLS is an enhancement to the pre-existing SSL protocol and has been designed to better protect data in motion. We could call TLS a stage in the evolution of the SSL protocol. The basic objective of SSL/TLS technology is to ensure data encryption and data security.

As we get ready for TLS 1.3…

Microsoft thinks that protocol vulnerabilities like POODLE, which affected SSL 3.0 and TLS 1.0, would pose an unacceptable risk to businesses and software that still depend on the older versions of TLS. Hence Microsoft seeks to improve TLS 1.2 support for Windows, and you’d have to upgrade if your OS doesn’t support TLS 1.2. Vista, Windows 7, and Server 2008 are the problem versions of Windows as regards supporting TLS 1.2. Microsoft has announced that TLS 1.2 support will be provided for Windows Server 2008 later this summer, with a new patch.

A post titled ‘TLS 1.2 support at Microsoft’, dated June 20, 2017, on the Microsoft Secure Blog says: “In support of our commitment to use best-in-class encryption, Microsoft’s engineering teams are continually upgrading our cryptographic infrastructure. A current area of focus for us is support for TLS 1.2, this involves not only removing the technical hurdles to deprecating older security protocols, but also minimizing the customer impact of these changes. To share our recent experiences in engaging with this work we are today announcing the publication of the “Solving the TLS 1.0 Problem” whitepaper to aid customers in removing dependencies on TLS 1.0/1.1. Microsoft is also working on new functionality to help you assess the impact to your own customers when making these changes.”

A section of the blog, with the sub-heading ‘What can I do today?’, explains what needs to be done. It says:

“Microsoft recommends customers proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in their environments and disabling TLS 1.0/1.1 at the operating system level where possible. Given the length of time TLS 1.0/1.1 has been supported by the software industry, it is highly recommended that any TLS 1.0/1.1 deprecation plan include the following:

  • Application code analysis to find/fix hardcoded instances of TLS 1.0/1.1.
  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols.
  • Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled.
  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.
  • Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0/1.1.
  • Understanding which clients may be broken by disabling TLS 1.0/1.1….”

Microsoft has also published a whitepaper, titled ‘Solving the TLS 1.0 Problem’, which would help anyone find out whether the software in use has hardcoded preferences for TLS 1.0 or 1.1.
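The first item in Microsoft's list, finding hardcoded TLS 1.0/1.1 in application code, can be approximated with a source scan. The following is an added example, not code from the whitepaper or from Microsoft; the pattern list covers only a few common APIs and the sample lines are constructed for illustration.

```python
import re

# Identifiers that pin a legacy protocol version in a few common stacks.
# The trailing \b and the closing quote keep TLS 1.2 names from matching.
# This list is an assumption for the example, not an exhaustive inventory.
LEGACY_PATTERNS = [
    (".NET SecurityProtocolType", re.compile(r"\bSecurityProtocolType\.(Ssl3|Tls|Tls11)\b")),
    (".NET SslProtocols", re.compile(r"\bSslProtocols\.(Ssl2|Ssl3|Tls|Tls11)\b")),
    ("Schannel SP_PROT",
     re.compile(r"\bSP_PROT_(SSL2|SSL3|TLS1|TLS1_0|TLS1_1)(_CLIENT|_SERVER)?\b")),
    ("WinHTTP flag", re.compile(r"\bWINHTTP_FLAG_SECURE_PROTOCOL_(SSL2|SSL3|TLS1|TLS1_1)\b")),
    ("OpenSSL method", re.compile(r"\b(SSLv3|TLSv1|TLSv1_1)_(client_|server_)?method\b")),
    ("Python ssl module", re.compile(r"\bPROTOCOL_(SSLv3|TLSv1|TLSv1_1)\b")),
    ("protocol string", re.compile(r"""["'](SSLv3|TLSv1(\.[01])?)["']""")),
]


def scan_source(text):
    """Return (line_no, stack, identifier) for each hardcoded legacy protocol."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for stack, pattern in LEGACY_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((line_no, stack, match.group(0)))
    return findings


# Constructed sample input, not taken from any real code base.
SAMPLE = '''\
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
stream.AuthenticateAsClient(host, null, SslProtocols.Tls11 | SslProtocols.Tls12, true);
cred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_TLS1_2_CLIENT;
SSLContext ctx = SSLContext.getInstance("TLSv1");
SSLContext ok = SSLContext.getInstance("TLSv1.2");
'''

if __name__ == "__main__":
    for line_no, stack, ident in scan_source(SAMPLE):
        print(f"line {line_no}: {stack}: {ident}")
```

A hit is a lead for review rather than a verdict: a line that enables TLS 1.1 alongside TLS 1.2 still negotiates the newer version when the peer supports it, but will fail the regression test with the older protocols disabled at the OS level.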
