Microsoft retiring older TLS another nail in Windows 7’s coffin

Users of older browsers to connect to Office 365 to get their day’s work done are, from today, being given another incentive to upgrade.

Microsoft is withdrawing support of encryption technology TLS versions 1.0 and 1.1, so anyone attempting to connect to their O365 account using the protocol — such as from an older browser — will find themselves unable to log in. Redmond is making the move because the protocols, which have a history going back several decades, are prone to compromise from a range of attacks.

The most affected users by number will probably be those still running Windows 7 or earlier (like the Windows XP hold-outs who remain, still, in significant numbers), Android version 4 users, and those running Mac OS X from versions 10.8 down.

Microsoft is keen to point out that its own implementations of TLS have “no known security issues”, although the protocol is known to be inherently exploitable.

Transport Layer Security runs on top of internet protocols such as FTP and HTTP and replaced SSL around the turn of the millennium. It works by two machines encrypting traffic between them symmetrically after they have exchanged a pre-agreed cryptographic key.

Clearly, each silicon party has to “trust” the other, a situation that is increasingly attractive to bad actors with the massive rise of machine-to-machine interactions on the modern internet.

TLS 1.0 and 1.1 deprecation dates updated! If you’re still using IE11 (ducks), note that IE11 will soon have TLS 1.0/TLS 1.1 disabled (this note says 9/8/2020, but other articles say Spring 2021)! Either way, out with the old, in with the new!!! https://t.co/84th3uDifM

— Chris Gill ☁️ (@cgill) September 1, 2020

Spoofing machine certificates, for example, is one way that attackers have been able to compromise digital comms between computers in the past, so Microsoft’s decision makes the Office 365 environment a great deal safer.

Kevin Bocek of Venafi, a company specializing in machine identity management, said, “TLS is the standard for communication on the Internet and depends on machine identities – digital certificates – to establish trust and authentication. TLS certificates are a vital type of machine identity, part of the system of online trust that our entire digital world is built on. They enable machines to know what can or can’t be trusted, and communicate with each other securely.”

He continued: “Yet still today some services allow the use of decades-old TLS 1 and 1.1 protocols that have been found to be vulnerable to a number of cryptographic attacks. Microsoft’s decision to remove these outdated protocols from tomorrow is, therefore, a major boost for the security of Office 365 users: the risk of attackers tricking, spoofing, and looking trusted is reduced thanks to the power of TLS machine identities. Yet for the handful of those still using older browsers, they’ll need to upgrade, or face the prospect of losing their connections to Office 365 services.”

Readers wishing to learn more about machine identity management can do so by listening to TechHQ‘s podcast, Tech Means Business, series 2, episode 3.

With today’s businesses increasingly reliant on cloud-based services, ensuring the security of traffic to and from endpoints on the internet is now as important as, if not more so, than perimeter security, as epitomized by firewalls, intrusion detection systems, and packet-scrubbing proxies, for example.

Ironically, Microsoft’s own advice has been to remove such proxies that might exist internally when using O365 in order that they not negatively impact users’ experiences by slowing traffic or blocking ports to required services. The company’s insistence on a modern browser to connect to O365 is, therefore, a positive step, but one that has to be seen in the overall context of maintaining a proactive security posture by internet users.