Microsoft’s editor of the Windows release health page must be a fan of The West Wing, because they decided to take out the trash on the Friday night before Labor Day: future versions of Windows, both client and server, will no longer enable support for TLS 1.0 and 1.1.
Personally, I disagree with them: not for disabling the older TLS versions, but for burying the lede. This should be a celebrated moment, not relegated to a throwaway website update. The older versions of TLS have well-known vulnerabilities, and there has been no good reason to use them for years, given the maturity and wide support of TLS 1.2.
As discussed in this SANS Internet Storm Center blog post from March 2021, nearly half of the web servers scanned by Internet intelligence platform Shodan supported TLS 1.0 and 1.1. And the major browsers — Microsoft’s Chromium-based Edge, included — stopped enabling support in 2020, though Mozilla noted a small six-month delay in their rollout to soften the blow. There’s been plenty of time for software vendors and website owners to update their code and configurations. If you insist on using TLS 1.0 and 1.1, you’ll have to go out of your way to enable it.
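On Windows, which TLS versions Schannel offers is governed by per-protocol registry keys, so "going out of your way to enable it" means setting those keys. The script below is an added example (not code from the original post or from Microsoft) that audits the TLS 1.0 and 1.1 client and server keys and, with the `-DisableLegacy` switch, explicitly disables them; the `Enabled` and `DisabledByDefault` DWORD names and the `SCHANNEL\Protocols` path are the documented Schannel settings, and an absent key means the OS default for that Windows release applies.

```powershell
# Added example: audit (and optionally disable) Schannel TLS 1.0 / 1.1 on a Windows host.
# Run in an elevated PowerShell session; changes take effect after a reboot.
[CmdletBinding()]
param(
    [switch]$DisableLegacy   # when set, write Enabled=0 / DisabledByDefault=1 for TLS 1.0 and 1.1
)

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = @('TLS 1.0', 'TLS 1.1')

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # Side is 'Client' or 'Server'
    $key = "$base\$Protocol\$Side"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = 'OS default (key absent)' }
    }
    $props = Get-ItemProperty -Path $key
    $enabled           = $props.Enabled
    $disabledByDefault = $props.DisabledByDefault
    # Enabled=0 wins outright; otherwise DisabledByDefault=1 means off unless an app opts in.
    $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default (no values)' }
             elseif ($enabled -eq 0) { 'Disabled' }
             elseif ($disabledByDefault -eq 1) { 'Disabled by default (apps can opt in)' }
             else { 'Enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state;
                       Enabled = $enabled; DisabledByDefault = $disabledByDefault }
}

# Report the current state of the legacy protocols for both roles.
foreach ($p in $legacy) {
    foreach ($s in 'Client', 'Server') {
        Get-SchannelProtocolState -Protocol $p -Side $s
    }
}

if ($DisableLegacy) {
    foreach ($p in $legacy) {
        foreach ($s in 'Client', 'Server') {
            $key = "$base\$p\$s"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    Write-Output 'TLS 1.0 and 1.1 disabled for client and server roles; reboot for Schannel to apply.'
}
```

Run it without the switch first to see whether a host still relies on the OS default, then re-run with `-DisableLegacy` once you have confirmed nothing on the box still needs the old versions.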
The tech industry had to deal with a similar issue in the late 2010s. Microsoft implemented Server Message Block (SMB) version 1 in early versions of Windows, well before the days of encryption and host-based firewalls — in other words, SMBv1 wasn’t really secure. But it wasn’t until 2013 that Microsoft deprecated their version of the protocol, and 2017 that they stopped enabling it in Windows.
Most corporate environments eliminated SMBv1 as a result of hardware refresh cycles, but the vast wasteland of old consumer and small business devices, especially network-attached storage (NAS) appliances, remains largely vulnerable. Making SMBv1 unsupported out of the box discourages users from continuing to run insecure protocols. Set the technical bar high enough, and these unsupported devices are relegated to the safest place possible: the trash can.
Following a similar path with TLS 1.0 and 1.1 is a smart idea. Devices whose firmware can’t be upgraded to support TLS 1.2 at a minimum, with TLS 1.1 and below disabled, are probably no longer supported by their manufacturer. Ask yourself: if a device is that old and vulnerable to attacks on legacy TLS, what other vulnerabilities does it have? Pretty much any annual cybersecurity report will tell you that most breaches and attacks are the result of old, unpatched systems.
Celebrating the success of TLS 1.2 and the demise of 1.1 and 1.0 is just the start, though. TLS 1.3, as written about in a SANS Internet Storm Center blog post in September 2021, has been steadily gaining ground. Operating systems and browsers have been adding TLS 1.3 support in recent years, helping to drive adoption. And on the service provider side, we’re seeing growing enablement of TLS 1.3 alongside TLS 1.2. It’s the natural evolution of security, and we should expect TLS 1.2 to one day be sunset, whether because of future vulnerabilities or simply because TLS 1.3 is more secure.
Technology vendors and developers are doing a better job recognizing their role in cybersecurity risk, but that work must continue. Removing zombie standards and protocols from hardware and software isn’t easy, but it’s the responsible thing to do, short of ending support for products and systems. Raising the bar to TLS 1.2 in future versions of Windows will go a long way towards cleaning up the tech ecosystem, both in the home and in the datacenter.