What is TLS and why does it matter to Apple (and you)?
No matter what platform you run your business on, if you have any old connected enterprise infrastructure around, you had better replace it fast: Apple and every other Internet giant have just declared a key protocol that such kit may rely on end of life (EOL).
A Transport Layer Security primer
In a coordinated announcement, Apple, Google, Microsoft and Mozilla revealed plans to deprecate use of Transport Layer Security (TLS) 1.0 and 1.1 by early 2020. TLS is a critical security protocol that protects data as it moves between clients and servers – it is one of the systems that protects passwords and other sensitive information, and it is used to secure data over HTTPS, FTPS, SMTP, and so on.
Because it is so important, TLS has come in for deep scrutiny by security researchers and flaws have been identified, exploited and patched. Now the big tech firms are warning application developers of all kinds to stop using TLS 1.0 and 1.1, pointing out that doing so removes insecure SHA-1 and MD5 hash functions during authentication and helps make systems less vulnerable to various attacks.
In a note on the WebKit blog, Apple’s Christopher Wood revealed that just 0.36% of connections still use TLS 1.0 or TLS 1.1, with 99.6% using the far more modern TLS 1.2.
SSL Labs estimates 94 percent of websites already support the more recent iteration of the standard. The latest (1.3) version of the standard was recently finalized and will be more widely deployed by the time the older versions are deprecated.
“If you own or operate a web server that does not support TLS 1.2 or newer, please upgrade now. If you use legacy services or devices that cannot be upgraded, please let us know,” the Apple note ends.
There’s a highly technical guide to the differences between TLS 1.1 and 1.2 here.
What this means
This won’t mean too much to most Apple users. Most of the sites and services we use already run more recent versions of the standard, and Apple’s move to remove support from those that don’t from its browser means we probably won’t be able to access those insecure services in future anyway.
It means much more to website operators, and could be a very big deal to any enterprise using equipment that supports only those older protocols, particularly older industrial equipment with an embedded (and non-upgradeable) server of some kind.
Such systems will be vulnerable to what’s called “downgrade attacks”, in which “hackers force connections to your server to use older versions of the protocols that have known exploits.” (GlobalSign).
This could leave those systems vulnerable to man-in-the-middle and other forms of attack.
CIOs may need to conduct a security audit across all their connected systems in order to assess the risk – if forgotten, these are precisely the kind of attack vectors miscreants search for when probing for vulnerabilities in company networks, particularly when attempting to penetrate systems with some form of APT (Advanced Persistent Threat).
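The inventory check such an audit calls for, as an added example that is not part of the original article: it probes a host for each TLS version by pinning one handshake per version, classifies the result (legacy-only kit is the embedded equipment discussed above), and shows the server-side fix, a context that refuses TLS 1.0 and 1.1. Host names, the version labels and the verdict strings are this example's own assumptions.

```python
import socket
import ssl

# Versions to probe; TLS 1.0 and 1.1 are the ones being deprecated.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, version, port=443, timeout=5.0):
    """One handshake pinned to exactly `version`; True if the server accepts it.
    Certificate checks are off: this is an inventory scan, not a trust decision."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # Refused, unreachable, or the local OpenSSL no longer offers this version.
        return False


def audit_host(host, port=443):
    return {name: probe_version(host, ver, port) for name, ver in VERSIONS.items()}


def verdict(results):
    """'legacy-only' is the non-upgradeable embedded kit the article warns about;
    'legacy-enabled' still accepts the versions a downgrade attack lands on."""
    modern = results.get("TLS 1.2", False) or results.get("TLS 1.3", False)
    legacy = results.get("TLS 1.0", False) or results.get("TLS 1.1", False)
    if modern and legacy:
        return "legacy-enabled"
    if modern:
        return "ok"
    if legacy:
        return "legacy-only"
    return "no-tls"


def hardened_server_context():
    """Server-side fix: refuse TLS 1.0/1.1. Load the cert chain before use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_allows_legacy(ctx):  # True if `ctx` would still negotiate TLS 1.1 or older
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2
```

Run `verdict(audit_host("your-host.example"))` against each connected system; on Python 3.10 and later, pinning TLS 1.0 or 1.1 emits a DeprecationWarning, which is harmless for a scan.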
Apple’s move to abandon support for old versions of Transport Layer Security is good news for users, but may leave old connected systems more visible and vulnerable to attack. For most internet users, though, the move to deprecate older versions of TLS should make them — and their data — a little more secure.