Forum Discussion
TLS 1.3 and older versions
Here is the annoucement today or at least that which I received today.
-----------------------------------------------------------------------------------------------------------------
Following the announcement on 10 November 2023, we’re continuing our transition to requiring TLS 1.2 or later for all connections to Azure services.
To minimize disruption to customer workloads, several services will continue supporting TLS 1.0 and TLS 1.1 versions and complete their transitions by 31 August 2025 when TLS 1.2 or later will be required for all connections to Azure services (unless explicitly indicated in service documentation). The list of remaining services will be updated as transitions to TLS 1.2 or later complete.
While the Microsoft implementation of TLS 1.0 and TLS 1.1 versions isn’t known to have vulnerabilities, TLS 1.2 or later versions provide improved security features, including perfect forward secrecy and stronger cipher suites.
Customers still using TLS 1.0 or 1.1 should transition their workloads to TLS 1.2 or later versions to ensure uninterrupted connectivity to Azure services.
------------------------------------------------------------------------------------------------------------
Now when was TLS 1.0 first commissioned? according to StackExchange in May of 1996.
TLS 1.0 is so bad most organizations stopped using it a long time ago. Personally, I have used TLS 1.3 since it has entered the market. And this is driven by the OS version as to when it is released as the protocol is so elementary to network communictions, in conjuction with tcp/ip, that it makes no sense whatsoever to even fire up your computer and think about doing anything meaningful without TLS. And TLS 1.3 is a complete rewrite from the ground up with no known security issues, assuming of course, one is not being targeted by a government body using quantum computers.
So the point is why is Microsoft just announcing the retirement of TLS 1.0? Why not, also, the retirement in tandem with TLS 1.1? The two place very serious risks on network communications over the internet often without one even knowing they are using these less secure versions.
On a VM for less than $10 a month I can use TLS 1.3 as a standard built into linux but Microsoft has this TLS 1.0 security hole still built into its products like Azure. At the same time Microsoft will upsell you and push Microsoft Defender for the Cloud for $1,995.00 per month to keep you up to speed of the security holes which Microsoft has failed to correct or allowed to persist. It seems as though some things never change with Microsoft.