AnsweredAssumed Answered

TLS1.0

Question asked by michael lane on Jul 11, 2018
Latest reply on Jul 23, 2018 by j-mailor

Like • Show 2 Likes2
Comment • 4

I am wondering why TLS1.0 is still acceptable? I am seeing site that are rated an A+ with TLS1.0 active. Even your own site states "TLS1.2" is the only secure protocol. May sites us opportunistic TLS, which allows fallback to TLS1.0.

NIST, PCI-DSS have definitely deprecated TLS1.0. Microsoft is throughout this year, and a laundry list of other industry leaders are as well.

Shouldn't it at least be a warning, or a B rating if TLS1.0 is an option?

Not an accusation - just a question as no one accepts this for PCI or HIPAA/government secret data any longer. OCR(Office of Civil Rights)

j-mailor Jul 23, 2018 4:28 AM

Correct Answer

Bhushan Lokhande, ssllabs.com developer, 20th July on Twitter: "Currently SSL Labs warns with orange text for TLS 1.0 Soon grade penalty will be applied."

See the reply in context

1 person had this question

Outcomes

Busby Jul 12, 2018 3:17 AM

I am curious on this as well, the policy I am working on is going to mandate TLS 1.1+ is only acceptable TLS 1.0 is not and if I see TLS 1.1 it will be a warning. Moving from TLS 1.0 to TLS 1.2 has been difficult with some applications but TLS 1.1 to TLS 1.2 in general has not had those challenges.

1 person found this helpful

Actions

Lily Wilson @ Busby on Jul 12, 2018 11:40 AM

if I see TLS 1.1 it will be a warning.

it'd probably be a good idea to warn for CBC in TLS 1.2 also, since the biggest problem with TLS 1.1 is that it doesn't support anything better than CBC.

1 person found this helpful

Actions

Busby Jul 12, 2018 11:51 AM

Good point I will check the code but first it will check the protocol support; then I have a set of separate test for ciphers and I think I have CBC related ciphers on the not accept list. In particular for stuff exposed to the internet. At least that is the proposal.

1 person found this helpful

Actions

j-mailor Jul 23, 2018 4:28 AM

Bhushan Lokhande, ssllabs.com developer, 20th July on Twitter: "Currently SSL Labs warns with orange text for TLS 1.0 Soon grade penalty will be applied."

Actions

4 Replies

Busby Jul 12, 2018 3:17 AM
Mark Correct
Correct Answer
I am curious on this as well, the policy I am working on is going to mandate TLS 1.1+ is only acceptable TLS 1.0 is not and if I see TLS 1.1 it will be a warning. Moving from TLS 1.0 to TLS 1.2 has been difficult with some applications but TLS 1.1 to TLS 1.2 in general has not had those challenges.
1 person found this helpful
Like • Show 2 Likes2
Actions
- Lily Wilson @ Busby on Jul 12, 2018 11:40 AM
  Mark Correct
  Correct Answer
  if I see TLS 1.1 it will be a warning.
  it'd probably be a good idea to warn for CBC in TLS 1.2 also, since the biggest problem with TLS 1.1 is that it doesn't support anything better than CBC.
  1 person found this helpful
  Like • Show 1 Like1
  Actions
Busby Jul 12, 2018 11:51 AM
Mark Correct
Correct Answer
Good point I will check the code but first it will check the protocol support; then I have a set of separate test for ciphers and I think I have CBC related ciphers on the not accept list. In particular for stuff exposed to the internet. At least that is the proposal.
1 person found this helpful
Like • Show 1 Like1
Actions
j-mailor Jul 23, 2018 4:28 AM
Unmark Correct
Correct Answer
Bhushan Lokhande, ssllabs.com developer, 20th July on Twitter: "Currently SSL Labs warns with orange text for TLS 1.0 Soon grade penalty will be applied."
Like • Show 0 Likes0
Actions

TLS1.0

Outcomes

Related Content

Recommended Content