As we’ve explained in the past, SSL and TLS are cryptographic protocols that provide authentication and data encryption between different endpoints (e.g., a client connecting to a web server), with SSL the predecessor to TLS. Since SSL’s first iteration back in 1995, new versions of each protocol have been released to address vulnerabilities and support the strongest and most secure cipher suites and algorithms. We are currently on TLS 1.3, which was just approved by the IETF (Internet Engineering Task Force).
As a best practice, you should configure your servers to support the latest protocol versions to ensure you are using only the strongest algorithms and ciphers, but equally as important is to disable the older versions. Continuing to support old versions of the protocols can leave you vulnerable to downgrade attacks, where hackers force connections to your server to use older versions of the protocols that have known exploits. This can leave your encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other types of attacks.
That said, it’s officially time to disable TLS 1.0 if you haven’t already (and SSL 2.0 and SSL 3.0...though you really should have disabled those a while ago).
Related: Need a refresher on the difference between SSL and TLS? Check out our explanation here.
What's Behind the Change?
Various vulnerabilities over the past few years (e.g., BEAST, POODLE, DROWN…we love a good acronym, don’t we?) have had industry experts recommending disabling all versions of SSL and TLS 1.0 for a while now, but this current initiative is being driven by PCI compliance. As of June 30, 2018, all websites will need to be on TLS 1.1 or higher in order to comply with the PCI Data Security Standard (DSS).
Check If Your Site Supports SSL and TLS 1.0 Protocols
If you’re not sure which protocols your site supports, you can use our free SSL Server Test. Navigate to the Protocols section of the results page; you’ll see a list of all the protocols and whether or not you currently have them enabled. The below example is a “good” bad example of how your site should be configured, since it still supports SSL 2.0, SSL 3.0, and TLS 1.0 and doesn’t support TLS 1.2.
Example protocol support results form GlobalSign's SSL Server Test
You can find more information about what versions of servers and clients support each protocol, along with instructions for disabling the old protocols on our support site.
Reminder: Certificates Are Not Dependent on Protocols
In case you’re worrying about how you’re going to replace your certificates before the upcoming PCI deadline in June, we want to remind everyone that certificates are not dependent on protocols. Protocols are determined by your server configuration, not the certificates. So fear not, you don’t have to rip and replace your entire certificate inventory to accommodate this change!
- Use our free server configuration test if you’re not sure which protocols you currently support
- You must disable support for SSLv2, SSLv3, and TLS 1.0 because they are outdated and vulnerable (and also to maintain PCI DSS compliance)
- You should disable TLS 1.1 if you can because there are known security vulnerabilities
- You should enable TLS 1.2 and 1.3
- Read our support article for instructions on how to change your server configuration and enable/disable the appropriate protocols
As for GlobalSign’s plans, we disabled SSL protocols a long time ago and will end support for TLS 1.0 and 1.1 for our web properties before June 21 to ensure PCI DSS compliance. We will continue to support 1.2, and are working on support for 1.3 now that it’s been approved by the IETF.