Don’t Leave Your Environment Vulnerable
This Halloween, you should flee in terror from rotting, decrepit…versions of TLS. As of October 31st this year, Office 365 will no longer support TLS 1.0 and 1.1. The deadline was initially March 1st of this year; the extension to October 31st means a brief reprieve for anyone struggling to shift to TLS 1.2, the most recent version. In its announcement, Microsoft states that its implementation of TLS 1.0 “has no known security vulnerabilities,” yet it is discontinuing support for it and its successor, 1.1.
TLS (Transport Layer Security) is a cryptographic protocol integral to IT security, used to secure communication between servers, websites, and users in both public and private networks.
Microsoft’s reasoning becomes a little clearer with more context, and no, it’s not just because TLS 1.0 is approaching its twentieth birthday. In 2014, the delightfully-named POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability was discovered. Because a TLS 1.0 client can fall back to SSL 3.0 when that is what it takes to complete a connection, an attacker who forces that downgrade can use the insecure SSL 3.0 to read data exchanged between clients and servers. Shifting as many users as possible onto TLS 1.2, which does not fall back this way, is Microsoft’s simplest way to remove this potential vulnerability.
As Kurt Mackie of Redmond Magazine points out, the good news is that for most users this only applies to those parts of their environment that communicate with Office 365 itself. Any sections of the environment that don’t need to communicate with Office 365 can remain on TLS 1.0 or 1.1, though it’s always a good idea to upgrade if at all possible.
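Two checks a practitioner will want before the cutover: that your own client code refuses to negotiate below TLS 1.2, and that the endpoints in your environment no longer accept TLS 1.0 or 1.1 from anyone. The following Python script is an added example written for this post, not Cayosoft's or Microsoft's code; HOST is a placeholder you replace with your own endpoint.

```python
import socket
import ssl

# Minimum version every component that talks to Office 365 must speak after the cutover.
REQUIRED_MINIMUM = ssl.TLSVersion.TLSv1_2

# The two versions being retired, keyed by the names used in the post.
LEGACY_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that will never negotiate below TLS 1.2.

    A client pinned here cannot be talked down to TLS 1.0/1.1, let alone
    SSL 3.0, so the POODLE-style downgrade described above is moot.
    """
    ctx = ssl.create_default_context()   # keeps certificate and hostname verification on
    ctx.minimum_version = REQUIRED_MINIMUM
    return ctx


def legacy_probe_context(version: str) -> ssl.SSLContext:
    """Client context pinned to exactly one legacy version.

    Used only to confirm that a server *refuses* it; certificate checks are
    off because we care about whether the handshake is accepted, not trust.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = LEGACY_VERSIONS[version]
    ctx.maximum_version = LEGACY_VERSIONS[version]
    return ctx


def server_accepts(host: str, version: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake at the legacy version (still exposed),
    False if it rejects the handshake. Network errors propagate so an unreachable
    host is never mistaken for a hardened one."""
    ctx = legacy_probe_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True   # min == max, so success means exactly this version
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    HOST = "example.invalid"   # placeholder: your own Office 365-facing endpoint
    for name in LEGACY_VERSIONS:
        print(f"{HOST} accepts {name}: {server_accepts(HOST, name)}")
```

Run the probe from a machine whose own OpenSSL still permits TLS 1.0/1.1; on a host where they are disabled by policy, the "no protocols available" error is an SSLError and would look like a refusal by the server.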
Changes at Microsoft affect us all, so Cayosoft is happy to report that Cayosoft Administrator has already been tested and is ready for this upcoming shift. Cayosoft users on version 4.4.8 or later will not need to deploy anything new to prepare Administrator for the change.
For Microsoft’s recent announcement and whitepaper, see here. For further explanation of POODLE and its implications, see this post by Microsoft’s David Branscome. Kurt Mackie (@kurmac) dives into how to handle the shift to TLS 1.2 here.