CDN security
12 Jul 2018

TLS 1.0 – What is it, and why are we deprecating it?

At CDNsun, providing an efficient, reliable and cost-effective service is our primary purpose. Our platform delivers not only superior performance but also provides enterprise-grade security, assuring you and protecting your solutions from online threats. As we continuously strive to provide you with the fastest and most secure CDN possible, we will be deprecating TLS 1.0 on July 19, 2018, to reinforce the security of our platform.

What is TLS 1.0?

To understand why we need to deprecate TLS 1.0, we first need to give a brief overview of what it is and why it is no longer secure. As you know, the HTTP protocol is what makes the modern Internet possible, and it spawned the World Wide Web back in the mid-1990s. HTTP is an unencrypted protocol, which means data transmitted between a site and your computer can be intercepted and viewed by a third party. As monetary transactions moved online, encryption became necessary to protect the data being transmitted over the Internet, and Secure Sockets Layer (SSL) was created to fulfill this purpose. Not only did SSL encrypt the traffic, it also provided the data integrity and authentication needed for online security.

Over time, vulnerabilities were found in SSL which, due to flaws in the implementation of the SSL protocol, allowed an attacker to intercept encrypted messages and decrypt them. To mitigate this risk, Transport Layer Security (TLS), created to replace SSL, was released in 1999. However, SSL was already a standard and well embedded in solutions across the Internet, and even though vulnerabilities theoretically existed, SSL remained the mainstream Internet encryption standard.

However, in the past couple of years, the disclosure of the BEAST, Heartbleed and POODLE vulnerabilities, amongst others, created the catalyst needed to move off SSL and onto TLS. Because nobody had anticipated these exploits being discovered, browsers and servers had not kept up with TLS support, which meant the industry was not ready to deal with these vulnerabilities.

To smooth the transition from SSL to TLS, TLS 1.0 started being implemented on web platforms, and browsers started supporting it. However, there was a problem with the way TLS 1.0 was implemented: it worked with the older versions of SSL to provide the needed backward compatibility, which made it susceptible to the same vulnerabilities that affected the older protocol.

TLS currently features three different versions: TLS 1.0, TLS 1.1 and TLS 1.2. TLS 1.0's backward compatibility with SSL makes it insecure, and TLS 1.1, while it has no known vulnerabilities, still supports the same inferior cryptography. TLS 1.2 is the current secure standard.

Why we need to deprecate TLS 1.0

Supporting TLS 1.0 does not conform to good security practice, but due to the entrenchment of SSL across the Internet, TLS 1.0 still needed to be supported. Most modern browsers support TLS 1.2, but on the server side TLS 1.0 and TLS 1.1 still make up the majority of HTTPS-enabled websites.

The prevalence of TLS 1.0 and 1.1 on the Internet is a security risk. Servers primarily implement these older protocols while modern browsers support TLS 1.2, so users are exposed to the downgraded security their browsers are forced to accept when they encounter a TLS 1.0 site. To illustrate, take a user with a modern browser visiting a site which has implemented TLS 1.0. The user's browser downgrades the connection to TLS 1.0 so that the user can access the site. If a known SSL exploit is used against the user or the site, the user risks having their security compromised. This example clearly shows that continued support for TLS 1.0 has no practical user benefit: users are already security compliant by running the latest software version, yet their online safety is at risk because the site implements a poor encryption standard.
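The version a connection actually ends up on is announced by the server in its ServerHello, so the quickest way to find out whether a site still negotiates TLS 1.0 is to look at that message. The parser below is an added example, not code from this post or from CDNsun's platform; the two ServerHello records it checks are constructed inline for illustration rather than captured traffic.

```python
"""Flag TLS handshakes that negotiated a deprecated protocol version by
parsing the ServerHello record a server returns to the browser."""
import struct

# Protocol versions as encoded on the wire in the ServerHello.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# The versions this post treats as no longer acceptable.
DEPRECATED = {"SSL 3.0", "TLS 1.0"}


def parse_server_hello(record: bytes) -> dict:
    """Return version, cipher suite and a deprecation flag for a ServerHello.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte
    handshake header (type 0x02, 24-bit length), then server_version (2),
    random (32), session_id (1 + n), cipher_suite (2), compression (1).
    Covers TLS <= 1.2; TLS 1.3 carries its version in an extension instead."""
    if len(record) < 9:
        raise ValueError("record too short")
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    if len(record) < 5 + record_len:
        raise ValueError("truncated record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if hs_type != 0x02:
        raise ValueError("not a ServerHello")
    body = record[9:9 + hs_len]
    if len(body) < 35 or 35 + body[34] + 2 > len(body):
        raise ValueError("truncated ServerHello")
    server_version = struct.unpack("!H", body[:2])[0]
    offset = 35 + body[34]  # skip random and variable-length session id
    cipher_suite = struct.unpack("!H", body[offset:offset + 2])[0]
    version = VERSIONS.get(server_version, f"unknown 0x{server_version:04x}")
    return {"version": version, "cipher_suite": cipher_suite,
            "deprecated": version in DEPRECATED}


def build_server_hello(version: int, cipher_suite: int) -> bytes:
    """Construct a minimal ServerHello record (sample input only)."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake
```

Fed the first handshake record of a real connection (for example from a packet capture), the function reports whether the server settled on TLS 1.0, which is exactly the condition the PCI deadline below is concerned with.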

Due to the inherent risks in TLS 1.0, several certifying organizations have released statements declaring that SSL and early TLS implementations need to be deprecated.

In 2014, the National Institute of Standards and Technology (NIST) stated that SSL and TLS 1.0 were unsafe encryption standards and recommended that servers and clients move to TLS 1.2, due to the Internet Engineering Task Force finding vulnerabilities in TLS 1.0. It is, however, the declaration by the Payment Card Industry (PCI) that sites running TLS 1.0 would no longer be certified PCI compliant that finally forced the change the industry needed.

The PCI DSS is the global data security standard for the payment card industry, and it specifies security requirements for any entity which processes, stores or transmits cardholder data. If a site is deemed not PCI compliant, it is not allowed to handle credit card data in any way. The PCI originally stated that June 30, 2016 would be the date by which all sites needed to have migrated off TLS 1.0, but extended this deadline to June 30, 2018. If a site is running an implementation of TLS 1.0 today, it is not PCI compliant.

Many sites have already moved off TLS 1.0, not only to comply with the new PCI standard but also to protect the users who visit them from being compromised. We at CDNsun take security seriously, and as a service provider which stores customer data on our delivery platform, we too need to ensure our service provides the enhanced security the later versions of TLS have to offer. Our CDN with SSL support lets us accelerate customer content over HTTPS, using a shared SSL certificate which we provide free of charge. To ensure our platform and our customers are PCI compliant, and visitors to their sites are secure, we will be deprecating support for TLS 1.0 on July 19, 2018.

If you have any further questions, please contact our support and we will be glad to help.