UPDATE: On 07/23/19 Microsoft sent out notice that they are completely dropping TLS 1.0 and 1.1 support on June 1, 2020. The reference page outlining the TLS support timeline has been updated accordingly to indicate that starting on that date, TLS 1.0 and 1.1 connections will cease to function. This invalidates significant portions of the original post below. Admins should make sure TLS 1.2 is enabled for all secure software that connects to Office 365 services.
There has been a lot of buzz over Office 365’s Oct. 31st change to TLS 1.0/1.1 support. Specifics can be found here, but essentially they are stopping development and helpdesk support for the older Transport Layer Security (TLS) versions 1.0 and 1.1 in an effort to focus on the now ten-year-old version 1.2.
They are not turning off 1.0 or 1.1 connections as previously reported (whew!), but that doesn’t mean you can stop paying attention. Search results unfortunately bring up passionate responses and misinformation regarding how this will affect our customers, so I’ve decided to write up a quick layman’s overview of this change for the uninitiated.
What is Transport Layer Security?
In (very) brief terms, TLS is an encryption protocol for keeping internet traffic secure. You may have noticed that some website URLs start with “http” while others start with “https”. The “s” stands for secure and you can generally assume that TLS is being used to encrypt https website traffic. It’s not just for web browsers though. TLS encrypts the data being shared between many types of programs across the internet. Such information might include login credentials, email, Skype for Business communications, and most other Office 365 traffic as well.
There are currently three versions of TLS in active use: 1.0, 1.1, and 1.2. The latest version in active use (TLS 1.2) was established in 2008. TLS 1.3 has been formally rolled out but is not in active use in most environments.
Each new TLS version is generally considered more secure than the previous version. Programs are designed to give priority to the most modern & secure version at their disposal. Programs can only use the versions that they are designed to support, and they can only use versions which are enabled.
How is TLS used by software?
Here is an extremely non-technical explanation of how TLS is used when two pieces of software communicate:
1. Program A initiates a conversation with Program B over the internet.
2. Before the programs share data, they agree to use the most recent (secure) version of TLS that they both support:
- Program A: “I support TLS 1.2, do you?”
- Program B: “No, sorry.”
- Program A: “I support TLS 1.1, do you?”
- Program B: “No, try again.”
- Program A: “I support TLS 1.0, do you?”
- Program B: “Yes! Let’s use that!”
3. Once the programs agree upon a TLS version to use for encryption, the programs share important things like certificates and encryption keys and then secure data transmission begins.
If the two Programs can’t agree on a version of TLS, data will either be sent non-securely or it will fail (depending upon how things are configured). I like to think of each version like a different human language: English, Spanish, Japanese, etc. If the computers don’t know the same language then they don’t talk.
How is TLS used by humans?
It’s currently considered best practice to stay up to date and keep applications patched and enabled to utilize the latest version of TLS. From a logistical perspective, most modern clients handle secure communication for the end user to make things easy. Admins are generally allowed more customization options to manage both clients and servers in their business environments. Sometimes admins choose to disable older, less secure TLS versions to avoid potential security issues. Sometimes admins don’t enable new versions simply because they don’t know the options are available.
From a business perspective, sometimes software companies stop spending money to support old technologies (like TLS 1.0 and 1.1). In turn, they encourage their customers to upgrade to something more modern (cough cough, Microsoft…).
What’s happening at Office 365?
Microsoft is essentially telling us that they are focusing all efforts on TLS 1.2 from here on out because it’s more secure and they don’t want to spend money supporting old technologies. Starting in November 2018, if you have an Office 365 software issue that traces back to TLS 1.0 or 1.1, Microsoft’s default answer will most likely be “Figure out how to enable TLS 1.2”.
<s>Microsoft is not disabling TLS 1.0 or 1.1 connections to Office 365 as many blogs will have you think. At least not yet. This is explicitly stated in the article linked above, and there is no projected date for when 1.0 or 1.1 will be completely deprecated. Doing so would break “a significant amount of the things.” If any of your systems are not 1.2-ready, they will simply fall back to 1.1 or 1.0 when connecting to Office 365. However, if your systems eventually become buggy because of that, you are on your own. If Microsoft eventually does disable 1.0 or 1.1 then you are also on your own. The wording is classic Microsoft.</s> <b>UPDATE:</b> As stated above, Microsoft has now outlined a plan to completely disable TLS 1.0 and 1.1 for Office 365 services.
In the article Microsoft outlines a specific scenario to look out for. Picture this:
Office 365 has TLS 1.0, 1.1, and 1.2 enabled. You have 1000 legacy mobile devices deployed that do not support TLS 1.2. One day hackers get in through a security hole in TLS 1.1, so Microsoft announces: “In 30 days we are disabling TLS 1.0/1.1 in Office 365”. Since Office 365 cloud services require secure connections you now have 30 days to upgrade 1000 mobile devices.
This scenario may never happen, but security-smart admins plan for the worst.
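The negotiation walk-through and the legacy-device scenario above can be turned into a quick inventory check. The following Python is an added example, not code from this post or from Microsoft; it models only the outcome of version negotiation (the newest version that both sides have supported and enabled), and the device names and version sets are constructed sample data.

```python
from dataclasses import dataclass

ORDER = ["1.0", "1.1", "1.2"]  # oldest to newest, the versions the post covers


@dataclass(frozen=True)
class Endpoint:
    name: str
    supported: frozenset  # versions the software was built to speak
    enabled: frozenset    # versions an admin has switched on

    def usable(self):
        # A version can be negotiated only if it is both supported and enabled.
        return self.supported & self.enabled


def negotiate(client, server):
    """Newest version usable by both sides, or None when there is no overlap."""
    common = client.usable() & server.usable()
    return max(common, key=ORDER.index) if common else None


def audit(clients, before, after):
    """Map client name -> (version before, version after, action needed)."""
    report = {}
    for c in clients:
        old, new = negotiate(c, before), negotiate(c, after)
        if new is not None:
            action = "none"
        elif after.usable() & c.supported:
            action = "enable a newer TLS version"  # a config change is enough
        else:
            action = "upgrade or replace"          # software cannot speak it
        report[c.name] = (old, new, action)
    return report


def v(*versions):
    return frozenset(versions)


# Constructed sample data: hypothetical device names, not from the post.
ALL = v("1.0", "1.1", "1.2")
CLIENTS = [
    Endpoint("legacy-handheld", v("1.0", "1.1"), v("1.0", "1.1")),
    Endpoint("unconfigured-server", ALL, v("1.0")),
    Endpoint("patched-laptop", ALL, ALL),
]
SERVICE_TODAY = Endpoint("service", ALL, ALL)
SERVICE_AFTER_CUTOFF = Endpoint("service", ALL, v("1.2"))

if __name__ == "__main__":
    for name, row in audit(CLIENTS, SERVICE_TODAY, SERVICE_AFTER_CUTOFF).items():
        print(name, *row, sep=" | ")
```

The "action" column separates clients that only need TLS 1.2 switched on from those that cannot speak it at all, which is the group that drives the upgrade deadline in the scenario.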
What actions do Office 365 customers need to take?
The answer to that is significantly outside the scope of this article because every organization uses different technology. However, based upon Microsoft’s official documentation I can say the following:
- Admins should consider a calculated move to get TLS 1.2 enabled in their environment if it isn’t already. This should have been a long-term, moving target anyway. TLS 1.3 is already here as of this year.
- <s>There is currently no requirement to disable TLS 1.0 or 1.1 in your environment unless you already had strict security or control-management needs. Those people should know who they are.</s>
- Microsoft has offered this guide for removing TLS 1.0 dependencies and building an action plan for migration to full 1.2 support.
Hope that helps!
Who We Are: Strategic SaaS is a Microsoft cloud solutions partner specializing in Mergers, Acquisitions, and Divestitures. We migrate identity management, messaging, document management, and information networking systems to Azure and Office 365. Give us a call today for our experience to ensure project success.
October 29, 2018