Bulletproof TLS Guide  

A web site intended for public use needs to support TLS 1.3 and TLS 1.2 at minimum. You can still use TLS 1.1 and TLS 1.0 if you need to reach a wide audience. The remaining protocols, SSL 3 and SSL 2, are both obsolete and insecure. Let’s consider each protocol in turn:

• SSL 2 is completely broken and must not be used. This is the first ever protocol version and is so bad that it can be used to attack even well-configured servers that use overlapping certificates or private keys (the so-called DROWN attack).

• SSL 3 is better, but still insecure when used with HTTP because of the POODLE attack. It’s also very weak when used with other protocols. It’s obsolete and lacks essential security capabilities. Don’t use.

• TLS 1.0 is a legacy protocol that lacks essential security capabilities. Modern clients no longer support this protocol version, but there are still old clients out there that need it. TLS 1.0 is vulnerable to the BEAST attack, although most browsers have deployed mitigations as a workaround.

• TLS 1.1 is also a legacy protocol that lacks modern capabilities. It's usually not needed at all, because all clients that support it also have support for TLS 1.2.

• TLS 1.2 is a relatively modern protocol that can provide good security, but it supports both bad and good cryptographic primitives. It can be used securely, but doing so requires more effort. This protocol version is necessary in order to support a wide range of customers.

• TLS 1.3 is a completely reworked revision of TLS. It’s secure by default and requires no further configuration effort. This protocol version, which modern browsers support, should be what protects most of your network communication.

If you need to support older clients and wish to enable TLS 1.0, base your decisions on evidence, not fear. These protocols are seen as not secure enough; for example, the PCI DSS standard no longer allows them.