On October 31st 2018, Microsoft will be switching off TLS 1.0 and 1.1 for their Office 365 services.
If you don’t use Office 365 you won’t be affected by this change, but I would still advise migrating away from the older versions of TLS where possible. If you do have Office 365, prepare for the change!
What is TLS?
Let’s start from the beginning. Before there was TLS there was SSL (Secure Sockets Layer), and before that there was no encryption standard in widespread use. TLS (Transport Layer Security) is the IETF standard that succeeded SSL 3.0; SSL itself is no longer part of any current specification. TLS is effectively a layer of security that sits between the transport protocol (TCP) and an application protocol such as HTTP. Adding TLS to HTTP gives you HTTPS, but the HTTP protocol itself remains the same. With TLS in place, a third party who intercepts the traffic can still see the source and destination IP addresses (and ports) and the server name being requested (SNI), but crucially not the data/payload itself, e.g. the HTTP requests and responses.
One fit for all
Currently there are three complete specifications (versions) of TLS – 1.0, 1.1 and 1.2 (1.3 was still a draft at the time of writing). TLS 1.0 and 1.1, along with SSL 2.0 and 3.0, have known weaknesses: SSL 3.0 falls to POODLE, TLS 1.0’s CBC cipher suites use predictable IVs (the basis of BEAST), and both 1.0 and 1.1 rely on MD5/SHA-1 in their PRF and handshake signatures. A suitably placed attacker can use these to recover or tamper with data that is supposed to be protected, which poses a real security risk. TLS 1.2 fixes these problems and adds authenticated (AEAD) cipher suites such as AES-GCM, so it is the specification to use. Because of this, Microsoft is keen to stop accepting TLS 1.0 and 1.1 in Office 365.
What’s the problem?
Well, let’s all just use TLS 1.2 then… but first we need to prepare. Microsoft has put together a handy article detailing what clients/software might be impacted once Office 365 only accepts TLS 1.2. Let’s go through it:
Android 4.3 and earlier versions – Android 4.3 came out in 2013. Most companies I’ve worked at look to replace their mobile devices every couple of years, so I don’t see this being a massive issue for most. If your users are using Android 4.3 or earlier, now may be a great time to force a device refresh.
Firefox version 5.0 and earlier versions – Firefox 5.0 was released in 2011, so I don’t expect many users to still be using such an old browser. If your users are, it might be time to push out a newer version. For what it’s worth, I believe version 27.0 was the first to have TLS 1.2 support, not 5.0.
Internet Explorer 8-10 on Windows 7 and earlier versions:
IE8 is unsupported on all platforms.
IE9 is unsupported on all platforms.
IE10 is not supported on Windows 7 or earlier (supported on Windows 8).
What they don’t tell you is that these are the default settings. You can still enable TLS 1.1 and 1.2 on Windows 7 for use in IE 8-10 (Internet Options > Advanced > Security). If you install IE 11 on Windows 7, it enables TLS 1.1 and 1.2 for you, so this is not an OS limitation.
Internet Explorer 10 on Windows Phone 8.0 – It looks like you would need to upgrade your phone to Windows Phone 8.1 to be supported. Much like the version of Android mentioned, it’s quite a few years old at this stage; I can’t see many users having a mobile device this old.
Safari 6.0.4/OS X 10.8.4 and earlier versions – Safari 6.0.4 and OS X 10.8.4 were released in 2013, so again I suspect there is minimal impact here, but it is worth mentioning – time to upgrade!
Also mentioned in the article are some builds of Windows 7 that use WinHTTP. If an application or service relies on WinHTTP to function (e.g. Outlook), you may need to change the default protocols for WinHTTP so that it offers TLS 1.2. Details on how to patch it are here. (You need to install the KB3140245 Windows Update and then either set the DefaultSecureProtocols registry value yourself or run Microsoft’s “Easy Fix”, which sets it for you.)
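The following script is an added example of mine, not code from the original post or from Microsoft. It audits and, if you call Enable-Tls12Client, applies the client-side registry settings that make TLS 1.2 available to Schannel, WinHTTP and Internet Explorer on Windows 7 / Server 2008 R2. Registry paths and the protocol bit values come from KB3140245 and the Schannel documentation; the .NET Framework SchUseStrongCrypto key is an addition the post does not mention. It assumes an elevated prompt and that KB3140245 is already installed, since WinHTTP ignores DefaultSecureProtocols without it.

```powershell
# Added example (not the post's or Microsoft's code). Run elevated on Windows 7 / 2008 R2.
# Assumes KB3140245 is installed: that update is what makes WinHTTP read DefaultSecureProtocols.
$ErrorActionPreference = 'Stop'

# Protocol bitmask shared by WinHTTP's DefaultSecureProtocols and IE's SecureProtocols values.
$Proto = @{ Ssl2 = 0x08; Ssl3 = 0x20; Tls10 = 0x80; Tls11 = 0x200; Tls12 = 0x800 }

$WinHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
$DotNetKeys  = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {   # 64-bit OS: 32-bit processes read the Wow6432Node copy
    $WinHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    $DotNetKeys  += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}
$SchannelTls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$IeUserKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist rather than throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-Tls12Client {
    # Reports whether each stack will offer TLS 1.2. Absent keys mean "OS default", which on
    # Windows 7 is TLS 1.2 present but disabled by default, so explicit values are required.
    $winhttp = Get-RegDword $WinHttpKeys[0] 'DefaultSecureProtocols'
    $ie      = Get-RegDword $IeUserKey 'SecureProtocols'
    New-Object PSObject -Property @{
        Kb3140245Installed  = [bool](Get-HotFix -Id KB3140245 -ErrorAction SilentlyContinue)
        WinHttpOffersTls12  = ($null -ne $winhttp) -and (($winhttp -band $Proto.Tls12) -ne 0)
        # Enabled=0 blocks the protocol outright; DisabledByDefault=1 hides it from callers
        # (IE, WinHTTP) that ask Schannel for the system default set.
        SchannelTls12Client = ((Get-RegDword $SchannelTls12Client 'Enabled') -ne 0) -and
                              ((Get-RegDword $SchannelTls12Client 'DisabledByDefault') -eq 0)
        IeOffersTls12       = ($null -ne $ie) -and (($ie -band $Proto.Tls12) -ne 0)
        DotNetStrongCrypto  = (Get-RegDword $DotNetKeys[0] 'SchUseStrongCrypto') -eq 1
    }
}

function Enable-Tls12Client {
    # Adds TLS 1.2 without yet removing TLS 1.0/1.1; dropping the older versions is a separate
    # step to take only after confirming nothing still needs them.
    Set-RegDword $SchannelTls12Client 'Enabled' 1
    Set-RegDword $SchannelTls12Client 'DisabledByDefault' 0
    $mask = $Proto.Tls10 -bor $Proto.Tls11 -bor $Proto.Tls12     # 0xA80, what the "Easy Fix" writes
    foreach ($k in $WinHttpKeys) { Set-RegDword $k 'DefaultSecureProtocols' $mask }
    Set-RegDword $IeUserKey 'SecureProtocols' $mask              # same as ticking the boxes in IE
    foreach ($k in $DotNetKeys) { Set-RegDword $k 'SchUseStrongCrypto' 1 }   # .NET 4.x applications
    Write-Warning 'Restart the affected applications (or reboot) for the WinHTTP change to take effect.'
}

Test-Tls12Client | Format-List
```

Run it once to see the current state, then call Enable-Tls12Client and run Test-Tls12Client again. Note that SecureProtocols lives under HKCU, so the IE setting is per user; for a fleet you would push it (and the HKLM values) through Group Policy rather than per machine.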
What’s not mentioned?
Other Browsers and OS combinations
Microsoft has listed some affected browsers but misses the most used browser in the world – Google Chrome! Using the large table of SSL/TLS support in browsers from Wikipedia and other sources, I have put a little table together outlining the minimum versions needed for TLS 1.2. Note: I have not tested all the following combinations, so treat this as a reference rather than relying on it.
* Although disabled, TLS 1.2 support can be enabled under settings.
Whilst not mentioned above, the general rule of thumb is that each Windows Server release has the same TLS support as its sibling client release:
Windows Server 2008 and 2008 R2 = Windows 7
Windows Server 2012 = Windows 8
Windows Server 2012 R2 = Windows 8.1
Windows Server 2016 = Windows 10
Lync Phone Edition
Lync Phone Edition does not support TLS 1.2. Microsoft has officially announced that Lync Phone Edition will no longer be supported from October 31st. Time to upgrade.
So now what?
Ensure TLS 1.2 is negotiated in the browser
If you are using Office 365, ensure all your clients, browsers, phones etc. are updated to support TLS 1.2 before October 31st 2018.
Lync Phone Edition might not work come October 31st 2018.
If using Windows 7 you can still use TLS 1.2, but you need to make sure KB3140245 is applied so that WinHTTP can use TLS 1.2 (in my case I also had to apply the “Easy Fix”). If using IE 8-10, you also need to enable TLS 1.2 in Internet Options. Ideally you should be looking to migrate to Windows 10 though!
If you want to disable TLS 1.0 or 1.1 on your own systems, use Network Monitor (or another packet capture tool) to check that no applications or services are still negotiating them before you disable them.
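To check what actually gets negotiated rather than what the settings say, here is an added example of mine (not code from the original post) that opens a TLS connection to a server once per protocol version and reports the outcome. It uses the .NET SslStream class, so it exercises the .NET/Schannel path rather than WinHTTP; Outlook’s WinHTTP traffic still needs the packet capture described above. The host name and port are assumptions; outlook.office365.com is used only because the post is about Office 365, and the same function can be pointed at your own servers to see whether they still accept TLS 1.0/1.1 before you switch those versions off on clients.

```powershell
# Added example (not the post's code). Probes which TLS version a server negotiates with this
# machine when each version is requested explicitly, plus what an application gets when it asks
# for the .NET "Default" set (SSL 3.0 + TLS 1.0 on .NET 4.5/4.6). Host name/port are assumptions.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Default', 'Tls', 'Tls11', 'Tls12')
    )
    # Accept any certificate: this probe only cares about the protocol outcome, not trust.
    # Never reuse this callback in real client code.
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

    foreach ($proto in $Protocols) {
        $result = New-Object PSObject -Property @{
            HostName = $HostName; Requested = $proto; Negotiated = $null; Cipher = $null; Error = $null
        }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
            # Overload: (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation)
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $result.Negotiated = $ssl.SslProtocol
            $result.Cipher     = '{0}-{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            $ssl.Dispose()
        } catch {
            # A server that has switched off the requested version fails the handshake here,
            # as does a client stack on which that version is disabled.
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        $result
    }
}

# Against Office 365 the Tls12 row must succeed; after the cut-over, Tls, Tls11 and Default should fail.
Test-TlsHandshake -HostName outlook.office365.com | Format-Table Requested, Negotiated, Cipher, Error -AutoSize
```

If the Tls12 row succeeds but the Default row comes back as TLS 1.0 (or fails), the machine is capable of TLS 1.2 and the problem is the application’s default protocol selection, which is exactly the case the WinHTTP and .NET registry changes address.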
Of course, as always, for any more information or assistance,