Security News

Having issued an all-too-brief stay of execution on the decidedly whiffy Transport Layer Security 1.0 and 1.1 protocols in Microsoft 365, the Windows giant has announced that deprecation enforcement will kick off again from 15 October. The protocols were actually deprecated back in 2018 but Microsoft halted enforcement earlier this year, recognising that IT departments had quite a bit of unexpected work on their hands thanks to the COVID-19 pandemic.

As experts in measuring and monitoring third-party risk, RiskRecon and the data scientists from Cyentia Institute recently published a new report that leveraged unique scan data from millions of web servers around the world, via the RiskRecon platform, to see where the rollout of TLS 1.2 is going smoothly and where it is meeting resistance. Together with its precursor SSL, TLS has long been in the crosshairs of both attackers and security researchers who understand that a weak or non-existent deployment of the protocol makes it trivial enough to carry out man-in-the-middle and other attacks against the vulnerable target.

Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS certificates. Currently, SSL/TLS certificates have a maximum lifespan of 825 days in an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

Frost & Sullivan recognizes DigiCert with the 2020 Global Company of the Year Award, based on its recent analysis of the global TLS certificate market. "Leveraging its superior technology, customizing it to regional markets and building a best-in-class customer support system, DigiCert has captured the business of 89% of the Fortune 500 companies and the world's most recognized brands," said Swetha Krishnamoorthi, Industry Analyst at Frost & Sullivan.

TLS 1.3: Slow adoption of stronger web encryption is empowering the bad guysTLS provides secure communication between web browsers, end-user facing applications and servers by encrypting the transmitted information, preventing eavesdropping or tampering attacks. Actively exploited MS Exchange flaw present on 80% of exposed serversAttackers aiming to exploit CVE-2020-0688, a critical Microsoft Exchange flaw patched by Microsoft in February 2020, don't have to look hard to find a server they can attack.

That's why, despite TLS 1.3 being around since 2018 and offering greater security that TLS 1.2, the latter that remains the de facto standard. The TLS 1.2 protocol took multiple round trips between client and server, while TLS 1.3 is a much smoother process that requires only one trip.

TLS 1.0 is over two decades old, and TLS 1.1 was only meant to address some limitations in the former and prevent specific attacks. In October 2018, major browser makers announced that support for the old and insecure TLS 1.0 and 1.1 protocol versions would be removed in March 2020, but such plans have been postponed due to the current COVID-19 pandemic.

In one of the strangest stories of the year, the COVID-19 virus has halted plans by major browsers to drop support for the ageing and insecure Transport Layer Security 1.0 and 1.1 protocols. While a temporary delay, it's still an unexpected retreat for an industry which had showed unity in collectively deciding to banish TLS 1.0 and the lesser used TLS 1.1 by early 2020.

Microsoft has blinked once again and delayed disabling TLS 1.0 and 1.1 by default in its browsers until the latter part of 2020. TLS 1.0 and TLS 1.1 will soon be disabled by default in all supported Microsoft browsers, starting with Microsoft Edge version 84.

Transport Layer Security is a common cybersecurity protocol that is frequently seen in email, web browsers, messaging, and other communication methods that take place over networks. TLS is relied upon to ensure secrecy using different techniques like encryption, hash functions, and digital signatures.