There has been a lot of buzz over Office 365’s Oct. 31st change to TLS 1.0/1.1 support. Specifics can be found here, but essentially they are stopping development and helpdesk support for the older Transport Layer Security versions 1.0 and 1.1 in an effort to focus on the now ten-year-old version 1.2. They are not turning off 1.0 or 1.1 connections as previously reported (whew!), but that doesn’t mean you can stop paying attention. Search results unfortunately bring up passionate responses and misinformation regarding how this will affect our customers, so I’ve decided to write up a quick layman’s overview of this change for the uninitiated.
What is Transport Layer Security?
In (very) brief terms, TLS is an encryption protocol for keeping internet traffic secure. Ever notice some websites start with “http” while others start with “https”? The S stands for secure, and you can generally assume that TLS is being used to encrypt https website traffic. It’s not just for web browsers, though. TLS encrypts the data being shared between many types of programs across the internet, like logins, email, Skype for Business, and most other Office 365 traffic.
There are currently three versions of TLS in active use: 1.0, 1.1, and 1.2. Version 1.2 was established in 2008. It all happens behind the scenes. Each new version is considered more secure than the previous version, and programs are designed to give priority to the most modern and secure version at their disposal. Programs can only use the versions that they are designed to support and that they have enabled.
How is TLS used by software?
Here is an extremely non-technical explanation of how TLS is used when two pieces of software communicate:
1. Program A initiates a conversation with Program B over the internet.
2. Before they share data, they agree to use the most secure version of TLS that they both support:
- Program A: “I support TLS 1.2, do you?”
- Program B: “No, sorry.”
- Program A: “I support TLS 1.1, do you?”
- Program B: “No, try again.”
- Program A: “I support TLS 1.0, do you?”
- Program B: “Yes! Let’s use that!”
3. Using TLS 1.0 (the least secure version), the programs share important things like certificates and encryption keys, and then secure data transmission begins.
If the two programs can’t agree on a version of TLS, either the communication will be sent unencrypted or it will fail (depending upon how things are configured). I like to think of each version like a different human language: English, Spanish, Japanese, etc. If the computers don’t know the same language, then they don’t talk.
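The exchange in steps 1 to 3 can be reproduced against a real endpoint from an admin workstation: offer the server one TLS version at a time and record whether the handshake succeeds. This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or PowerShell 7, and outlook.office365.com is used only as an example host name.

```powershell
# Added example, not from the original post: ask a server which TLS versions it will
# accept, one version at a time, mirroring the "I support TLS 1.x, do you?" exchange above.
# Assumes Windows PowerShell 5.1 or PowerShell 7; the host name is an example endpoint.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # .NET's enum names: Tls12 = TLS 1.2, Tls11 = TLS 1.1, Tls = TLS 1.0.
    foreach ($name in 'Tls12', 'Tls11', 'Tls') {
        $proto  = [System.Security.Authentication.SslProtocols]$name
        $client = $null
        $ssl    = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # Normal certificate validation stays on, so a failure here can also mean
            # a bad certificate; the Detail column shows which reason applied.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $true)
            [pscustomobject]@{
                Offered    = $name
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                Detail     = 'handshake succeeded'
            }
        } catch {
            [pscustomobject]@{
                Offered    = $name
                Negotiated = 'none'
                Cipher     = ''
                Detail     = $_.Exception.GetBaseException().Message
            }
        } finally {
            if ($ssl)    { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
    }
}

Test-TlsVersion -HostName 'outlook.office365.com' | Format-Table -AutoSize
```

A "none" row for TLS 1.1 or 1.0 can mean either that the server declined that version or that the local Windows SCHANNEL configuration has it disabled, because .NET on Windows honors those machine settings.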
How is TLS used by humans?
It’s currently considered best practice to stay modern and keep applications patched so that you have the latest TLS version available for use. Most modern clients handle all this for the end user, while server systems offer checkboxes for admins to enable or disable the different versions. Sometimes admins choose to disable older, less secure TLS versions to avoid potential security issues. Sometimes admins don’t enable new versions because they don’t know they are available.
On the business side, sometimes software companies stop spending money to support old technologies (like TLS 1.0 and 1.1). In turn, they encourage their customers to upgrade to something more modern (cough cough, Microsoft…).
What’s happening at Office 365?
Microsoft is essentially telling us that they are focusing all efforts on TLS 1.2 from here on out because it’s more secure and they don’t want to spend money supporting old technologies. Starting in November 2018, if you have an Office 365 software issue that traces back to TLS 1.0 or 1.1, Microsoft’s default answer will most likely be “Figure out how to enable TLS 1.2”.
Microsoft is not disabling TLS 1.0 or 1.1 connections to Office 365, as many blogs would have you think. At least not yet. This is explicitly stated in the article linked above, and there is no projected date for when 1.0 or 1.1 will be completely deprecated. Doing so would break “a significant amount of the things.” If any of your systems are not 1.2-ready, they will simply fall back to 1.1 or 1.0 when connecting to Office 365. However, if your systems eventually become buggy because of that, you are on your own. If Microsoft eventually does disable 1.0 or 1.1, then you are also on your own. The wording is classic Microsoft: vague and scary.
In the article Microsoft outlines a specific scenario to look out for. Picture this:
Office 365 has TLS 1.0, 1.1, and 1.2 enabled. You have 1000 legacy mobile devices deployed that do not support TLS 1.2. One day hackers get in through a security hole in TLS 1.1, so Microsoft announces: “In 30 days we are disabling TLS 1.0/1.1 in Office 365”. Since Office 365 cloud services require secure connections you now have 30 days to upgrade 1000 mobile devices.
This scenario may never happen, but security-smart admins plan for the worst.
What actions do Office 365 customers need to take?
The answer to that is significantly out of the scope of this article because every organization uses different technology. However, based upon Microsoft’s official documentation I can say the following:
- Admins should consider a calculated move to get TLS 1.2 enabled in their environment if it isn’t already. This should have been a long-term, moving target anyway. TLS 1.3 is already here as of this year.
- There is no requirement to disable TLS 1.0 or 1.1 in your environment unless you already had strict security or control-management needs. Those people should know who they are.
- Microsoft has offered this guide for removing TLS 1.0 dependencies and building an action plan for migration to full 1.2 support.
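One concrete form of the first bullet above, for Windows machines: list how each TLS version is configured in SCHANNEL (the Windows TLS stack) and, after reviewing the result, turn on TLS 1.2 for both the client and server side and for .NET Framework applications. This is an added example, not the post’s or Microsoft’s own script; it uses the standard SCHANNEL and .NET Framework registry locations and must be run from an elevated PowerShell session.

```powershell
# Added example, not the post's or Microsoft's own script: show how each TLS version is
# configured in Windows SCHANNEL, and provide a function that enables TLS 1.2 for both the
# client and server side plus .NET Framework 4.x apps. Run elevated; changes need a reboot.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

function Get-SchannelTlsState {
    foreach ($ver in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $SchannelBase "$ver\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            # A missing key or value means "operating system default": Windows 8 / Server 2012
            # and later enable TLS 1.2 by default; Windows 7 / Server 2008 R2 ship it disabled.
            [pscustomobject]@{
                Version           = $ver
                Side              = $side
                Enabled           = if ($null -eq $props.Enabled) { 'OS default' } else { $props.Enabled -ne 0 }
                DisabledByDefault = if ($null -eq $props.DisabledByDefault) { 'OS default' } else { $props.DisabledByDefault -ne 0 }
            }
        }
    }
}

function Enable-SchannelTls12 {
    $parent = Join-Path $SchannelBase 'TLS 1.2'
    if (-not (Test-Path $parent)) { New-Item -Path $parent | Out-Null }
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $parent $side
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
        Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -Type DWord
    }
    # Let .NET Framework 4.x applications (older Outlook add-ins, scripts) follow the
    # OS protocol defaults instead of their own older built-in protocol list.
    foreach ($net in $DotNetKeys) {
        if (Test-Path $net) {
            Set-ItemProperty -Path $net -Name SystemDefaultTlsVersions -Value 1 -Type DWord
            Set-ItemProperty -Path $net -Name SchUseStrongCrypto -Value 1 -Type DWord
        }
    }
}

Get-SchannelTlsState | Format-Table -AutoSize
# After reviewing the table: Enable-SchannelTls12; Restart-Computer
```

The audit function only reads the registry, so it is safe to run across a fleet first to find the machines where TLS 1.2 is still disabled before making any change.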
Hope that helps!
Who We Are: Strategic SaaS is a Microsoft cloud solutions partner specializing in Mergers, Acquisitions, and Divestitures. We migrate identity management, messaging, document management, and information networking systems to Azure and Office 365. Give us a call today for our experience to ensure project success.
October 29, 2018