Office 365 Services Dropping TLS 1.0 Support in October
Microsoft wants organizations to stop using the Transport Layer Security (TLS) 1.0 and 1.1 protocols, and it is giving Office 365 users a specific deadline to move to the current TLS 1.2 protocol.
That deadline is Oct. 31, 2018, according to a support article. Office 365 services will drop support for TLS 1.0 and 1.1 at that time, using TLS 1.2 instead. The date is actually an extension from an earlier described March deadline, according to a Microsoft Tech Community article.
The switch to TLS 1.2 could cause connection issues. Some clients and applications can't use TLS 1.2, namely the following apps per the support article:
- Android 4.3 and earlier versions
- Firefox version 5.0 and earlier versions
- Internet Explorer 8-10 on Windows 7 and earlier versions
- Internet Explorer 10 on Win Phone 8.0
- Safari 6.0.4/OS X10.8.4 and earlier versions
Organizations need to scan their computing environments for use of those older protocols, which could be hardcoded into software applications. One solution to such TLS 1.0 and TLS 1.1 dependencies is to update the underlying operating system software to a version that uses the newer TLS 1.2 protocol.
Office 365 users don't necessarily have to remove the TLS 1.0 and 1.1 protocols. Microsoft is just advising that those older protocols can't be used with Office 365 services after the October deadline date. Here's how Microsoft's support article put it:
Note Using TLS 1.2 with Office 365 does not mean you must have TLS 1.0/1.1 disabled in your environments by October 31, 2018. If parts of your environment require the use of TLS 1.0 and 1.1 on or after October 31, 2018, you can leave the older protocol versions enabled. However, TLS 1.2 will have to be enabled and used for communication with Office 365 to avoid any interruption in service.
TLS is actually the successor to the Secure Sockets Layer (SSL) protocol, although versions older than TLS 1.2 aren't up to the task of providing security. SSL 3.0 was long ago deemed flawed and subject to man-in-the-middle exploits.
Microsoft's white paper, "Solving the TLS 1.0 Problem," doesn't really explain exactly what's wrong with the older TLS versions, except that they were "first defined in 1999." It added that "evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0 provide corporations with the incentive to disable TLS 1.0 entirely."
The white paper offers a checklist for IT pros on the issue. Organizations can address the problem by "removing TLS dependencies in their environments and disabling TLS 1.0 at the operating system level where possible."
The use of Windows 8 or Windows Server 2012 or later OS versions assures that TLS 1.2 was enabled by default. The white paper includes a table showing that Windows 7 and Windows Server 2008 don't have TLS 1.2 enabled by default.
Users of Microsoft Azure APIs will face a somewhat different deadline. Microsoft intends to create its new API management instances using TLS 1.2 by default, starting on April 1, 2018, although the older instances will remain unchanged, according to an announcement.
Users of Exchange Server products on premises also face the Oct. 31, 2018 deadline to get to TLS 1.2, according to an Exchange Server blog post. Organizations using Exchange Server 2010 and newer versions can install updates to address the disablement of TLS 1.0 and 1.1. However, versions older than Exchange Server 2010 are out of support, according to Part 1 of Microsoft's "Exchange Server TLS Guidance."
Microsoft estimated it'll publish Part 2 of its "Exchange Server TLS Guidance" sometime this month. Part 3 is planned for "mid-March."
Getting rid of old protocols can be considered good security oversight for organizations, according to Brandon Wilson, a Microsoft Premier Field Engineer for Active Directory. In a "Retire Those Old Legacy Protocols" post, he recounted other software protocols that have gone overlooked over the years as potential security holes, including the SMB 1.0 protocol, which was infamously exploited by WannaCrypt (or WannaCry) ransomware. He also suggests eliminating the LanMan/NTLMv1 and Digest Authentication protocols, along with TLS 1.0 and 1.1 and "all versions of SSL."
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.