TLS1.0 Deprecation

The PCI council struck TLS1.0 from compliance on June 30th of last year: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

From a security perspective, the TLS1.2 configuration should be used nowadays.

3 Answers

Hi, yes. However, the ALB does still support legacy clients, which may be using TLS 1.0.

They do state not to use the Protocol-TLSv1 Security policy unless you must support a legacy client that requires the DES-CBC3-SHA cipher, which is a weak cipher.


This will all be moot on or around 19-Jan-20.  All major browser vendors will turn off support for TLS 1.0 and 1.1 in their browsers.  As it stands today, over 95% of crawled websites (including stats the browser vendors get from their clients) support TLS 1.2.  When TLS 1.0 and 1.1 are turned off next January, this won’t be a big deal for anyone.  I would hope that AWS will create a new set of policies for the various TLS-aware services to support TLS 1.2 and 1.3 while dropping support for the older versions.

Lastly, look up TLS and read about TLS 1.3.  While the version number says it’s a minor update — it’s not.  1.3 is completely new and is NOT backward-compatible with earlier versions.  It doesn’t have to be since all major browsers will drop support for all but 1.2 in 9 months.  There is no timeline for when TLS 1.3 will become "real".  The top 3 browsers already support the latest (and possibly final) draft 28 of TLS 1.3.
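
A local check of what the first two answers describe, added here as an example and not code from the original thread or from AWS: a Go TLS server configured with an explicit minimum protocol version stands in for a load-balancer listener policy (TLS 1.0 minimum for a Protocol-TLSv1-style legacy policy, TLS 1.2 minimum for a current one), and a client pinned to a single protocol version probes which handshakes each policy accepts, TLS 1.3 included. The certificate is generated fresh at run time for 127.0.0.1 only, and the names StartServer, ProbeVersion and VersionNames are this example's own; it does not reproduce AWS's policy names or cipher lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Versions lists the protocol versions the probe tries, oldest first.
var Versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// VersionNames maps those versions to printable names.
var VersionNames = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3",
}

// selfSignedCert makes a throwaway ECDSA P-256 certificate for 127.0.0.1.
// It is constructed on every run; nothing here is real deployment key material.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-policy-check.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// StartServer runs a local TLS listener standing in for a listener policy:
// minVersion tls.VersionTLS10 behaves like a legacy "allow TLS 1.0" policy,
// tls.VersionTLS12 like a TLS-1.2-minimum policy. Each connection is
// handshaken and closed. The returned pool lets the probe verify the
// throwaway certificate instead of disabling verification.
func StartServer(minVersion uint16) (addr string, roots *x509.CertPool, stop func(), err error) {
	cert, parsed, err := selfSignedCert()
	if err != nil {
		return "", nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake so the client sees either success or a
				// protocol_version alert; an error here is the expected
				// outcome for versions below the policy minimum.
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	roots = x509.NewCertPool()
	roots.AddCert(parsed)
	return ln.Addr().String(), roots, func() { ln.Close() }, nil
}

// ProbeVersion pins a client handshake to exactly one protocol version and
// reports whether the server negotiated it.
func ProbeVersion(addr string, roots *x509.CertPool, version uint16) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, MinVersion: version, MaxVersion: version})
	if err != nil {
		return false
	}
	defer conn.Close()
	return conn.ConnectionState().Version == version
}

func main() {
	for _, min := range []uint16{tls.VersionTLS10, tls.VersionTLS12} {
		addr, roots, stop, err := StartServer(min)
		if err != nil {
			panic(err)
		}
		fmt.Printf("policy with %s minimum:\n", VersionNames[min])
		for _, v := range Versions {
			fmt.Printf("  client pinned to %s: accepted=%v\n", VersionNames[v], ProbeVersion(addr, roots, v))
		}
		stop()
	}
}
```

Running it shows the TLS 1.0-minimum listener accepting all four versions and the TLS 1.2-minimum listener refusing 1.0 and 1.1 while still completing TLS 1.3, since a newer client simply negotiates down to the highest version both sides share. The same pinned-version dial against a real host:443, with the system roots in place of the test pool, is a quick way to confirm what a given listener still accepts before and after changing its policy.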

You assume people update their browsers (or OS, or other software) as soon as updates are available. I have had to support IE6 as recently as 3 years ago because there are corporations that are locked in to certain versions of software for some reason. It’s one of the most infuriating things to do, but it is not uncommon.

