SSL labs:increased penalty when TLS 1.2 are not supported

https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported

Earlier this week we released SSL Labs 1.17.10, whose main purpose were to increase the penalty when RC4 are used with Moder n protocols (i.e., TLS 1.1 and TLS 1.2). We had announced this change some time ago, and then put in place on the May 20. The same release introduced another change, which is to increase the penalty for servers this don ' t support TLS 1.2 from B to C. And it seems that this second change was being somewhat controversial, with many asking us to better explain what we did tha T.

Although what initially prompted us to think about changing the grading for not supporting TLS 1.2 was grade harmonisation (ensuring that a wide range of servers all get grades the-in and other words, to has better-configured server S has better grades), that's doesn ' t change the fact that the reality are that TLS 1.0 are an obsolete security protocol. TLS 1.0 came out in 1999, followed by TLS 1.1 in 2003 and TLS 1.2 in 2008. These new protocol versions were released for a reason – to address security issues with earlier protocol versions. But, despite being obsolete, TLS 1.0 continues to being the best supported protocol version on many servers. It's not very bad and mind you--we know from SSL Pulse so about 60% of servers already support TLS 1.2. Client-side, the situation is probably better, because modern browsers has supported TLS 1.2 since 2013. You could say this, overall server configuration is the weaker link.

In so light, we feel the increase of the penalty for the lack of TLS 1.2 are the natural next step in the Deprecatio N of TLS 1.0. In fact, SSL Labs are probably late in doing. Just last month, the PCI Security Council deprecated SSL V3 and TLS 1.0 for commercial transactions. No new systems is allowed to use TLS 1.0 for Credits card processing and existing systems must immediately begin to Transi tion to better protocols. In comparison, the SSL Labs change of grading are only a mild nudge in the right direction. And, while some people is not happy this we ' re pushing for TLS 1.2, others is complaining that we ' re not doing enough. For example, the Chrome browser have been warning about lack of TLS 1.2 and authenticated (GCM) suites for some time now. Clearly, it ' s difficult to make everyone happy.

The bottom line are that TLS 1.0 are insecure and we must migrate away from it. In (), there came the BEAST attack, and, in, the Lucky attack. TLS 1.0 remains vulnerable to the problems, but TLS 1.2 (with authenticated suites) isn ' t. These attacks is serious and some organisations continue to use RC4 on combination with TLS 1.0 just to being sure that they Is mitigated. We understand this many organisations face significant challenges adding the TLS 1.2, but it is unavoidable. In the computer technology, and in the security in particular, it's often necessary to keep running just to stay on place.

We did get the one thing wrong, however--we didn ' t communicate our grading changes in advance. It was wasn't our intention to surprise anyone. In fact, we ' d prefer much more if changes were smoother. To so end, in the future we'll be announcing all grading changes with at least one month notice, and hopefully more for Some more significant changes.

SSL labs:increased penalty when TLS 1.2 are not supported