IETF officially deprecates TLS 1.0 and TLS 1.1

What do you need to know? 

The Internet Engineering Task Force (IETF) has determined that TLSv1.0 and TLSv1.1 are not secure and should no longer be used. Based on these findings, Twilio is deprecating support of TLSv1.0 and TLSv1.1. Accounts using these deprecated versions of TLS that have not enabled the “Allow Deprecated SIP/TLS Versions” setting (explained below) will experience failures placing or receiving SIP/Trunking calls, or registering SIP endpoints.

For security reasons, the Internet Engineering Task Force has officially retired the TLS 1.0 and TLS 1.1 encryption protocols after discovering several attacks in recent years that compromised encrypted Internet communications that rely on both protocols. The IETF now recommends that all companies, government agencies or software developers use the two latest versions of the TLS standard – TLS 1.2 and TLS 1.3, both of which are considered secure.

The formal deprecation process for both protocols began at the same time, in June 2018, and was driven by the IETF and software vendors (including all major browser makers). The driving force behind the deprecation process was the large number of attacks discovered over the past few years that broke the encryption algorithms underlying both protocols.

These include attacks such as BEAST, POODLE, ROBOT, SWEET32, LUCKY 13, and more, all of which show how attackers can exploit weaknesses in SSL and TLS 1.0/1.1 to compromise encrypted communications and target organizations. The recommended fix for all of these vulnerabilities is the same: organizations are urged to use newer versions of TLS that support stronger encryption algorithms to resist attacks.

Browser makers are helping companies replace TLS 1.0/1.1

Although the TLS 1.0/1.1 deprecation process officially started in June 2018, it got its biggest boost in October 2018, when all browser makers, including Apple, Google, Microsoft and Mozilla, announced plans to remove TLS 1.0 and TLS 1.1 from their browser code.

Various CERTs and national security agencies are also working to warn and encourage companies to migrate their IT infrastructure to newer standards. One of the most recent efforts comes from the shadowy US National Security Agency (NSA), which released a rare guidance document [PDF] urging companies and government organizations to replace outdated protocols like TLS 1.0 and TLS 1.1.

32 million devices are still using TLS 1.0/1.1

Despite these efforts, some organizations are still lagging behind, and in some cases the two protocols may never be replaced because the servers that use them run on devices without an update mechanism. Currently, more than 32 million servers and devices still expose TLS 1.0 and TLS 1.1 connection points online, according to IoT search engine Shodan.