Suggestion to Disable TLS 1.0 and TLS 1.1 for all users


SMARTDODO


Hi there:

 

I wish to request for Heliohost to disable TLS 1.0 and TLS 1.1 for all its users.

 

Given that the industry is moving forward with depreciating TLS 1.0 and TLS 1.1 and with browsers dropping support for these versions - Microsoft (July 2020), Google (July 2020), Mozilla (June 2020) and Apple (March 2020), and with TLS 1.0 no longer acceptable for PCI DSS compliance, this move would help increase the security of all websites secured with SSL.

 

TLS 1.3 also offers increased speed for users, and with the percentage of connections on TLS 1.0 and TLS 1.1 steadily decreasing, I believe it is the right time to disable them for all heliohost users.

 

Thank you!  :)


One thing to keep in mind here: older devices don't support 1.2+ (older phones, anything with Windows XP, etc.). Turning these off means losing these devices entirely (not that XP works with SSL anyway, it can't handle SNI-based SSL connections if I remember right, and we rarely if ever have someone buy a dedicated IP for SSL anymore).


@wolstech

I use XP and I have support for SNI-based SSL with no problem in browsers such as Firefox, Chrome, Opera (even the old "real" one, v12) or with cURL used from PHP. I didn't check cURL, but newer browsers (not Opera v12) are using TLS 1.2 by default.

 

However there IS a problem with connecting to SOME websites/servers. I'm not sure why exactly, but probably because of the way the 'handshake' is made or because of how the certificates are verified.

 

 

@SMARTDODO

What is a difference for YOU using TLS 1.2 or 1.3 for your connections if SOMEONE ELSE is using TLS 1.1 or 1.0 or is not using encryption at all? Why do you want to force on EVERYONE to use only newest encryption methods?

 

Remember that forcing newer encryption methods means that you are forcing updates of software. Updating software quite often means forcing the system updates. Forcing system updates quite often means forcing the hardware upgrade or change.

 

What's the point of changing the hardware if the old one is still working? That's not economical AND not ecological. Even if you properly recycle 100% of the old hardware (which is currently not the case), then while transporting it, during the whole recycling process, during production of new hardware, packing it and transporting it (very often over very large distances) you are using additional resources and producing additional trash and pollution.

 

In my opinion the old hardware should be used for as long as it's possible, and that's why I don't really understand this eagerness to update and upgrade everything so quickly while disabling support for older software, which means cutting access for everyone that cannot or doesn't want to get new hardware.

 

And no, security is not an argument for me, because with an old system and old software and a computer running 24/7 I have had no problems with security since... 2006? And in 2006 that was simply my stupidity and not a system or software problem. If someone is a conscious/aware computer user then they can use older software and have no problems, while if someone is unwise then even yesterday's update won't be enough to protect him.


The newer browsers can support newer TLS on XP, but from my understanding that’s because they come with their own libraries for SSL (OpenSSL or the like).

 

The native windows schannel and related don’t support these on XP, so any software that relies on the system libs to connect will fail.


@Piotr_GRD I agree entirely, individuals with browsers that support the newer encryption standards can use those without needing to force upgrades on others. In fact my favourite browser is Dillo, and although it can be built to work with TLS 1.2 (maybe even TLS 1.3), SNI is causing me all sorts of trouble. A lot of my browsing (where I don't need to log in) is going via a web proxy that serves over HTTP now, just so that I can use the browser that I like. I'm planning to write a patch to get SNI working in the current stable version myself when I get the chance.

 

Also on my sites I only use HTTP to HTTPS redirects for parts where user information is transferred. For general browsing of publicly viewable webpages HTTPS has only very limited advantages for privacy, and there is no need to force it on people who might not be so paranoid about others potentially finding out (with some fair degree of effort) what page they've viewed within a website.

 

Well rant over. Back on the TLS topic, according to this service (and problems with old browsers that I try to run affirm it) TLS 1.0 and 1.1 are already disabled on Tommy:

https://www.ssllabs.com/ssltest/analyze.html?d=tommy.heliohost.org

 

A more productive debate might be over whether TLS 1.3 should be enabled (that site says it's not on Tommy), for those who do have the latest browsers and want to ensure maximum security when they connect.


The lack of TLS 1.0 on tommy was actually a problem for me 2 weeks ago. I recently got tasked with connecting a network of XP machines (which cannot be upgraded due to special software) to a service I run on tommy for monitoring, and needless to say it doesn't work (the client half uses the native windows functions...). I ended up settling for removing the ssl redirect on the server and rebuilding the client to use no encryption at all...

 

Speaking of which, in the opposite direction, would it be possible to turn these (especially 1.0) back on for tommy? I would prefer the TLS if possible because the client app I mentioned above is transferring system info that could include things like WiFi network SSIDs and account usernames.


Alright, thanks for the suggestions everyone, and thanks to Smartdodo for starting this discussion.

 

@everyone, Tommy and Johnny have newer versions of cpanel than Ricky, and apparently in the newer cpanel versions they have TLS 1.0 and TLS 1.1 disabled by default. Ricky has an older version of cpanel that has TLS 1.2, TLS 1.1, and TLS 1.0 enabled by default. None of the servers had TLS 1.3 enabled. I went ahead and enabled TLS 1.3 for all three servers. The reason TLS 1.3 wasn't enabled is because the secure protocol string was getting unwieldy

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
and everyone was required to add another - each time a protocol was deprecated and started to have known vulnerabilities. So to make things simple people began just using

SSLProtocol TLSv1.2
before TLS 1.3 even existed. That way it disabled all the old stuff that was broken, but unfortunately it didn't allow for new protocols when they were developed. Our servers were all capable of TLS 1.3, but since we had that old protocol string hanging around it wasn't enabled.

 

@wolstech, I also had an issue with an old client not working with Tommy's SSL, and ended up disabling SSL entirely for the server side points on my domain where that old script needed to communicate. I wasn't transmitting any sensitive information though. Just blocks of text that were being processed by php on the server, and inserted into database. Apart from you and I though, I haven't heard any complaints or anyone wanting support for TLS 1.0 or TLS 1.1, which has apparently been disabled since I rebuilt Tommy v2 in August 2019.

 

@smartdodo, I experimented a bit and it's possible to enable/disable ssl protocols on a per virtualhost basis. Here is what the default Ricky ciphersuite/protocol looks like now: https://www.ssllabs.com/ssltest/analyze.html?d=krydos1.heliohost.org I'm going to leave TLS 1.0 and TLS 1.1 enabled on Ricky for now for a couple reasons. First, some people may be silently relying on it, and changing it would drive them away. Also, HelioHost has always had a policy of trying to be as backwards compatible as possible. We supported frontpage for like 15 years after it was discontinued because some of our users still needed it. You only have one domain hosted on Ricky so I went ahead and disabled TLS 1.1 and TLS 1.0 for your domain only. The rest of Ricky's domains will remain as they are. If you check the report for your domain https://www.ssllabs.com/ssltest/analyze.html?d=ohjiajun.com it shows TLS 1.0 is still enabled, but if you hover over the yes you can see that it only responds to TLS 1.0 when the client doesn't support SNI. That's the best I can do with Ricky for now. If you want to transfer your account to Tommy it would look like this by default https://www.ssllabs.com/ssltest/analyze.html?d=krydos.heliohost.org The next time I rebuild Ricky I will change the default to TLS 1.1 and TLS 1.0 being disabled for everyone, and people can request if they need those old protocols.

 

@wolstech, likewise I can probably enable TLS 1.0 on just one of your domains, and leave it disabled for the rest of the server. Let me know the domain you want (you have like 30 domains) and I can try setting that up for you.

 

@everyone, another thing I would like to point out with regards to disabling TLS 1.0 and TLS 1.1 for everyone is google still allows those protocols: https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=172.217.5.110&hideResults=on

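The three SSLProtocol forms discussed in the post above, evaluated with a small Python model of mod_ssl's parsing rules (an added example, not HelioHost's or cPanel's configuration; it assumes mod_ssl's documented semantics, where an unprefixed token replaces the set, "+"/"-" add or remove, and "ALL" means every protocol the build supports, and the supported-protocol list is constructed):

```python
# Model of how Apache mod_ssl evaluates an SSLProtocol directive. Added example,
# not the server's configuration. Assumed semantics (per the mod_ssl docs):
#   bare token  -> replaces everything chosen so far
#   +token      -> adds, -token -> removes
#   ALL         -> every protocol the build supports
# SSLv2 is still an accepted token name, but no current build supports it, so
# "-SSLv2" removes nothing. The SUPPORTED list is a constructed modern build.

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
SUPPORTED = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def enabled_protocols(directive, supported=SUPPORTED):
    """Return the set of protocols an SSLProtocol value enables on this build."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":  # accept the full config line
        tokens = tokens[1:]
    enabled = set()
    for token in tokens:
        action = ""
        if token[:1] in ("+", "-"):
            action, token = token[0], token[1:]
        if token.lower() == "all":
            chosen = set(supported)
        else:
            # names are matched case-insensitively; an unknown name is a config error
            names = [p for p in KNOWN if p.lower() == token.lower()]
            if not names:
                raise ValueError("unknown protocol %r" % token)
            chosen = set(names) & set(supported)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare token overrides whatever came before it
    return enabled


def leaves_only_modern(directive, supported=SUPPORTED):
    """True when every deprecated version is off and every modern one the build has is on."""
    enabled = enabled_protocols(directive, supported)
    modern = set(supported) - DEPRECATED
    return not (enabled & DEPRECATED) and enabled == modern
```

The long "ALL -..." form and the version-independent "-all +TLSv1.2 +TLSv1.3" both yield TLS 1.2 and 1.3 on a build that has them, while the bare "TLSv1.2" shortcut stays pinned to 1.2 alone.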

Can you turn it on for si3.raxsoft.com, raxdev.raxsoft.com, and sso.raxsoft.com? Those are the three that have APIs that could be targeted by XP boxes.

 

As for having 30 domains, there's a bunch more than normal simply because I have twins running of some things at the moment due to being in the middle of modernizing things. The new stuff is on Lily, old stuff is on tommy.


I'll probably have to put it on DNS Only for those domains to get everything working.

 

CF is annoying, but I'm stuck with it since Lily uses a wildcard cert for my domains. The tool I use for AutoSSL needs it for its API so it can update DNS records for cert renewals.

 

I'll try one of those XP boxes when I get a moment and see if the encryption works now though. Thanks.


  • 3 weeks later...

I strongly agree to keep TLS 1.0 and 1.1 disabled. I believe, since most traffic is already TLS 1.2+, that keeping old TLS versions has become largely irrelevant and insecure. I mean, this creates the possibility of TLS downgrade attacks to older TLS versions with flawed and weak ciphers, and thus, to ensure the safety and encryption of data transmission, old versions should eventually be phased out. People should still be able to move forward despite a few people who refuse to upgrade, to finally be able to benefit from the perks of newer stuff fully without ever worrying about old stuff. Besides... TLS 1.2 and 1.3 support can be compiled into almost every web client of any kind if the source code was released, and for old hardware, lightweight Linux distributions or Windows Thin Clients fully do the trick to repurpose the stuff. It's important to remember that even if you can still do all the stuff without catching malware and other stuff like that, it doesn't mean other people aren't going to as well, and those who want TLS 1.0 and 1.1 are part of the meager minority that still uses them.

 

I am very glad you kept TLS 1.0 and 1.1 disabled on Tommy, since I'm there, but I am wondering why did you restrict TLS 1.2 to so few ciphers?
