Microsoft is encouraging the change to TLS 1.2

18 Aug 2017 | Jindřich Zechmeister

The Microsoft Corporation wants to force their customers – particularly their corporate customers – to switch to the newest version of the protocol TLS. The manufacturer will even upgrade the older Windows server 2008 to supporting the protocol TLS 1.2. by the end of this summer. Reason for this is the inevitable improvement of the security, which remains static on the two decade old and therefore unsecure protocol TLS 1.0. A tutorial, which will be provided directly by the Redmond headquarters, will simplify the end of the support on the Windows platform for the user.

The support of TLS 1.0. is going to end shortly

The corporation declares, that their customers ought to switch from TLS 1.0. to TLS 1.2. as soon as possible. Customers will not only be prompted, but forced to do so – by limiting the support in the current products. The current, latest version of TLS 1.2. was developed in 2008; its replacement TLS 1.3. is only now approaching its distribution on the software devices.

The age-old SSLv3 could finally be successfully eradicated after various security incidents, but the majority of the (not only corporate-) systems supports and uses old and vulnerable protocols to this day. TLS 1.0. for instance, is being threatened by POODLE (the original version was only jeopardising SSLv3, but the later issue is also a risk for the TLS protocols).

However, the problem behind this is the lack of TLS 1.2. in older products. Affected are in detail the systems Windows Vista, Windows 7 and Windows Server 2008. Vista and WS 2008 do not support TLS 1.2. at all, this feature was only introduced for Windows 7 and WS 2008 R2 – however, it is not active in the latter.

Support of SSL and TLS on Windows and Windows Servers. Source: blogs.microsoft.com

The table above clearly shows, that TLS 1.2. needs to be added to the Windows Server 2008. On WS 2012 and later systems, the TLS 1.2. support is already activated in the default settings.

If you are interested in TLS 1.2. not from an administrator´s but a user´s point of view, you can check your browser´s abilities with the SSL/TLS Capabilities of Your Browser test by SSLlabs. Similar to the SSL/TLS server test, you will see the versions of the protocols, which the browser is compatible with. The test is also able to point out possible vulnerabilities of your browser. If your browser - respectively your operating system – is unable to communicate with TLS 1.2., you should consider upgrading to a newer version.

Windows Server 2008 will be upgraded to TLS 1.2. this year

We know what the primary problem is – the lack of TLS 1.2. support on the Windows Server 2008. Currently, the older WS 2008 is only supported within an added feature, which will end in 2020 – but is still being used nonetheless. The expanded support implies, that Microsoft provides patches for security gaps and vulnerabilities until 2020, but the product is not being developed any further.

Nevertheless, WS 2008 is expecting an update, which will allow the usage of TLS 1.2. Its users can look forward to the currently most modern protocol TLS instead of the old TLS 1.2. However, server administrators should definitely upgrade to the Windows server 12 or 2016, as this will significantly simplify the administration of SSL certificates in IIS. The biggest difference is the support of SNI and the fact, that there is no more need to assign IP addresses to individual SSL certificates.

Microsoft itself will help make the change

Microsoft knows about the complications that will occur with the end of the popular protocol, which is a part of all MS products. The manufacturer would like to help the administrators by providing the manual Solving the TLS 1.0. Issue, which is ought to become a guideline that will make the end of TLS 1.0. easier.

---