Moving to TLS 1.2

Bruce Morton

In 2014, there will be a trend for website owners to implement TLS 1.2 on their servers. TLS 1.2 was defined in RFC 5246 in August 2008 and is the most secure version of the SSL/TLS protocol.

Although TLS 1.2 has been available for a few years, it is not well deployed. SSL Pulse indicates that only 26 percent of the top 200,000 websites support TLS 1.2.

With the attacks on cipher block chaining (CBC) and RC4, websites are encouraged to enable TLS 1.2 as well. The benefit is that TLS 1.2 adds support for authenticated encryption through the AES-GCM cipher suites, which are not prone to these attacks.

How do you know if your browser supports TLS 1.2? Go to How’s My SSL and it will tell you how well your browser is doing and which version of TLS it supports. If your browser does not support TLS 1.2, then this is probably a configuration setting you can turn on.

What about your website? Go to the CASC SSL Configuration Checker. This site will give you a grade for your website and will tell you which versions of SSL/TLS you support. If you do not support TLS 1.2, your site will not get an A grading. If you do support SSL 2.0, then your site will get an F grading. With users performing these checks, website owners will be encouraged to support the right levels of SSL/TLS protocol.
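A small local version of the server-side check described above, added here as an example and not code from the post or from Entrust: it pins a TLS client to one protocol version at a time, records which versions a server will negotiate, and grades the result by the two rules the post states (no TLS 1.2 means no A, SSL 2.0 means F). The intermediate "B" grade and the host names are assumptions; modern OpenSSL cannot speak SSL 2.0 at all, so that version is reported from the caller's knowledge rather than probed.

```python
"""Probe which SSL/TLS versions a server accepts and grade it by the post's rules."""
import socket
import ssl

# Versions the Python ssl module can pin a handshake to. SSL 2.0 is absent:
# no current OpenSSL build can offer it, so it cannot be tested from here.
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, version, port=443, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support is under test, not the cert
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower the local OpenSSL security level so legacy versions can be
        # offered; otherwise a refusal would reflect the client, not the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False  # the local OpenSSL cannot speak this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False  # handshake rejected, or the host is unreachable


def scan(host, port=443):
    """Map each probe-able version name to whether `host` negotiated it."""
    return {name: probe_version(host, v, port) for name, v in VERSIONS.items()}


def grade(supported):
    """Apply the post's rules to a {version name: bool} map.

    SSL 2.0 enabled -> "F"; TLS 1.2 enabled (and no SSL 2.0) -> "A";
    anything else -> "B" (the post only fixes the A and F cases; "B" is assumed).
    """
    if supported.get("SSLv2"):
        return "F"
    if supported.get("TLSv1.2"):
        return "A"
    return "B"


if __name__ == "__main__":
    # Constructed usage: probe a host you are permitted to test (hostname assumed).
    result = scan("example.test")
    print(result, grade(result))
```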

Microsoft is moving to TLS 1.2. They were the first to support TLS 1.2, with Internet Explorer 8. In Internet Explorer 11, TLS 1.2 is enabled by default. It will be encouraging if the other browsers take the same position.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
