
Bulletproof TLS Guide  

Comprehensive and yet concise guide to practical SSL/TLS and PKI configuration. Includes coverage of TLS server configuration and web application security. Written by Ivan Ristić.



1.2.1 Use Secure Protocols

A web site intended for public use usually needs to support TLS 1.3 and TLS 1.2 at minimum. It’s very likely that you don’t need TLS 1.1 and TLS 1.0; modern browsers no longer support them. The remaining protocols, SSL 3 and SSL 2, are both obsolete and insecure. Don't use them.

SSL 2 is completely broken

This is an ancient protocol version that is so bad that it can be used to attack even well-configured servers that use overlapping certificates or private keys (the so-called DROWN attack).

SSL 3 is obsolete and insecure

Although it received some scrutiny by the cryptographic community at its time of release, this protocol version was later found to be pretty bad. It’s old, obsolete, and insecure. Do not use it.

TLS 1.0 is a legacy protocol that lacks essential capabilities

This was the first protocol version to be considered reasonably secure, but it’s now obsolete. Modern user agents no longer support it, but you may come across some old tools that don’t know anything better.

TLS 1.1 is the protocol everybody ignored

TLS 1.1 has only small improvements over TLS 1.0. It was largely ignored by user agents, which is why today there probably aren’t any tools that support TLS 1.1 but don’t support TLS 1.2.

TLS 1.2 is not safe against quantum computers

With a significant time investment and tuning, TLS 1.2 can be used to provide good security considering today's threats, but it doesn't provide any protection against quantum computers. For these defences, the IETF is on the record stating that their focus will be on TLS 1.3 alone. As a result, TLS 1.2 is now definitely a legacy protocol that can be kept around only to support legacy clients.

TLS 1.3 is a robust modern protocol

Released in 2018, TLS 1.3 is a completely reworked revision of TLS that provides strong security and builds a foundation for the future. This protocol version, which modern browsers and user agents support, should be what protects most of your network communication. It's the only protocol version that will be upgraded to resist quantum computers.

Note

Modern TLS versions are resilient to protocol downgrade attacks, which means that it's safe to support older protocol versions that are still not obviously insecure. If you need to support older user agents and wish to continue to use protocols such as TLS 1.2 and TLS 1.0, base your decisions on evidence, not fear. In fact, you should ideally have an established process to monitor your usage of all types of cryptography. When you determine from evidence that you no longer need an older protocol version or a particular primitive, just turn them off.
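
One way to gather the evidence the note asks for, shown as an added example that is not part of the guide: tally the negotiated protocol version per connection from a server log and flag which enabled versions can be turned off. The log layout, sample lines, client names and action wording are constructed assumptions; nginx, for instance, can record these fields with its `$ssl_protocol` and `$ssl_cipher` log variables.

```python
import re
from collections import Counter, defaultdict

# Assumed line layout (constructed for this example): client IP, negotiated
# protocol, cipher suite, quoted user agent. Plain-HTTP requests log "-".
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

OBSOLETE = {"SSLv2", "SSLv3"}   # the section says never to use these
LEGACY = {"TLSv1", "TLSv1.1"}   # keep only if the log shows real clients

SAMPLE_LOG = """\
198.51.100.7 TLSv1.3 TLS_AES_128_GCM_SHA256 "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 TLSv1.3 TLS_AES_128_GCM_SHA256 "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.20 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "curl/7.58.0"
192.0.2.44 TLSv1 ECDHE-RSA-AES128-SHA "LegacyInventoryAgent/2.1"
192.0.2.44 TLSv1 ECDHE-RSA-AES128-SHA "LegacyInventoryAgent/2.1"
192.0.2.9 - - "HealthCheck/1.0"
garbage line that does not parse
"""

def tally(log_text):
    """Return (connections per protocol, distinct clients per protocol, skipped lines)."""
    hits, clients, skipped = Counter(), defaultdict(set), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) == "-":   # unparsable, or no TLS on this request
            skipped += 1
            continue
        ip, proto, _cipher, agent = m.groups()
        hits[proto] += 1
        clients[proto].add((ip, agent))
    return hits, clients, skipped

def review(log_text, enabled):
    """Map each enabled protocol to (connections, distinct clients, action)."""
    hits, clients, _ = tally(log_text)
    result = {}
    for proto in enabled:
        if proto in OBSOLETE:
            action = "turn off"
        elif proto in LEGACY:
            action = "still in use: review clients" if hits[proto] else "turn off"
        else:
            action = "keep"
        result[proto] = (hits[proto], len(clients[proto]), action)
    return result

if __name__ == "__main__":
    for proto, row in review(SAMPLE_LOG, ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]).items():
        print(proto, *row)
```

Run it over a window long enough to capture infrequent clients such as batch jobs before acting on a "turn off" result.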
