As part of our ongoing commitment to security best practices, Housing Online will raise the minimum standards of the cryptographic protocols we use to provide communications security across our network. From 1st February 2021, we will disable support for TLS 1.0 and TLS 1.1 and TLS 1.2 will become the minimum supported version.
“As part of our ongoing commitment to security best practices, from 1st February 2021 we will be raising the minimum standards of the protocols we use to provide security across our network”
What is TLS?
TLS stands for Transport Layer Security and is a security protocol used to ensure secure communications between two systems. TLS originally evolved from the Secure Sockets Layer (SSL) developed by Netscape in the mid-1990s. As understanding of security vulnerabilities grew, SSL was superseded by TLS 1.0 in 1999, with TLS 1.1 released in 2006, TLS 1.2 in 2008 and TLS 1.3 in 2018. The TLS protocol is designed to provide privacy and data integrity between two or more communicating computer applications and is used extensively in applications like web browsing, email and instant messaging.
You can read more about the development of Transport Layer Security on wikipedia.
Why are we disabling TLS 1.0 and TLS 1.1?
Older protocols are a security risk. A lot has been learned in the 20+ years since TLS 1.0 was introduced. Early versions of TLS have repeatedly been proven susceptible to serious vulnerabilities like BEAST (read all about BEAST attacks on wikipedia here).
In particular the PCI DSS, the information security standard used to handle online card payment, now requires that all websites must be using at least TLS 1.1 in order to comply with their minimum standards.
In practice, TLS 1.1 is rarely used and most software now uses TLS 1.2. Our aim is to raise our own protocols to comply with the new industry standards and to close possible vulnerabilities in our security.
What is the impact?
All modern browser and operating systems now support at least TLS 1.2, so the impact of this change for our users should be minimal.
We analysed our web traffic for the first 9 months of 2020 and saw that only 0.0045% of visits were from potentially affected configurations.
Internet Explorer 8, 9 and 10 on Windows 7 and Windows 8 do not support newer versions of TLS by default, but they can be manually enabled by the user. Internet Explorer 11 on Windows 7 or later supports TLS 1.2 by default.
In the unlikely event that you are affected by this restriction, you can find more information on how to enable TLS 1.2 in Internet Explorer in articles like this: Enabling TLS 1.2 on Internet Explorer.
If you have any concerns about these changes, please let us know.