Security News

That's why, despite TLS 1.3 being around since 2018 and offering greater security that TLS 1.2, the latter that remains the de facto standard. The TLS 1.2 protocol took multiple round trips between client and server, while TLS 1.3 is a much smoother process that requires only one trip.

TLS 1.0 is over two decades old, and TLS 1.1 was only meant to address some limitations in the former and prevent specific attacks. In October 2018, major browser makers announced that support for the old and insecure TLS 1.0 and 1.1 protocol versions would be removed in March 2020, but such plans have been postponed due to the current COVID-19 pandemic.

In one of the strangest stories of the year, the COVID-19 virus has halted plans by major browsers to drop support for the ageing and insecure Transport Layer Security 1.0 and 1.1 protocols. While a temporary delay, it's still an unexpected retreat for an industry which had showed unity in collectively deciding to banish TLS 1.0 and the lesser used TLS 1.1 by early 2020.

Microsoft has blinked once again and delayed disabling TLS 1.0 and 1.1 by default in its browsers until the latter part of 2020. TLS 1.0 and TLS 1.1 will soon be disabled by default in all supported Microsoft browsers, starting with Microsoft Edge version 84.

Transport Layer Security is a common cybersecurity protocol that is frequently seen in email, web browsers, messaging, and other communication methods that take place over networks. TLS is relied upon to ensure secrecy using different techniques like encryption, hash functions, and digital signatures.

Nubeva Technologies, a cloud visibility SaaS software developer for enterprises with assets in public and private clouds and data centers, announced support for modern endpoint-based decryption. Nubeva TLS Decrypt, a software solution using symmetric key intercept technology, now allows organizations to offload decryption from proxy-based systems to allow full visibility with improved speed, performance and reduced cost.

With TLS 1.0 and TLS 1.1 considered vulnerable to various types of attacks, including BEAST, CRIME and POODLE, the Internet organization last month announced plans to disable them in its popular browser and allow only connections made using TLS 1.2 and TLS 1.3. An override button on the error page will provide users with the option to fallback to TLS 1.0 or TLS 1.1.

Let's Encrypt said it will give users of its Transport Layer Security certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization bug before it revokes them. The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software-discovered and patched this past Sunday-impacted the way its software checked domain ownership before issuing certificates.

The most popular free certificate signing authority Let's Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates.

Starting with 20:00 UTC, today, the non-profit certificate authority Let's Encrypt will begin it's effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. "The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."