The Ides of Security | Episode 1810: Winter is Coming

I’ve been meaning to launch a monthly-or-so channel to communicate burning issues (or quirky insights) on a regular, expected basis. Whether this morphs into a blog, or a YouTube channel, or something new… that remains to be seen. But I’ll start in email, and here goes: The Ides of Security. As the reference to the Roman calendar suggests, these should be coming to you at roughly the middle of each month [or so]. This month’s episode: Things you’ve been using for a long time are going to be pulled out from under you very soon. Think about getting ready…

Yesterday, ZDNet had a remarkable article. Sure, we knew it was coming, but this was a splash:

“Chrome, IE, Edge, Firefox, and Safari to disable TLS 1.0 and TLS 1.1 in 2020”

https://www.zdnet.com/article/chrome-edge-ie-firefox-and-safari-to-disable-tls-1-0-and-tls-1-1-in-2020/

This, combined with what we know is coming early in 2020 from Microsoft:

https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

January 14, 2020 will see the end of extended support for:

Windows 7
Windows Server 2008
Windows Server 2008 R2

So, in the first half of 2020, with those last bastions of server versions that don’t support TLS 1.2 by default being consigned to the dustbin, there’s no reason for the big players of the web not to finally discontinue versions of TLS from a decade or more ago. TLS 1.0 was released in 1999, replaced by TLS 1.1 in 2006. The current version (1.2) has been the Latest Thing since 2008. And the Next Thing (1.3) is pretty close to release.

We’re still working on getting rid of Windows 8 (retired 3 years ago), and I periodically find Windows XP boxes lurking in dimly lit corners. Given how quickly a large-ish organization can move, we should consider this a warning shot across the bow. You have about 15 months.

Upgrade to Windows 10 and Windows Server 2016.

Get those older Macs upgraded to a supported version (10.12 through 10.14).

Get rid of all Apache 2.2.x (yes, this affects Linux too).

Disable TLS 1.0 and 1.1 on your servers, so that current clients will still be able to talk to you.
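
One way to find the servers that still need this change, as an added example that is not part of the original newsletter: a Python audit of Apache `SSLProtocol` and nginx `ssl_protocols` lines that reports any still enabling TLS 1.0 or 1.1. nginx is not named above and is included as a generalization; the function names, the sample lines and the expansion of `all` (mod_ssl built against OpenSSL 1.0.1 or later) are assumptions.

```python
import re

# Lower-cased protocol names; SSLv3 is older still and is flagged as well.
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}
# Assumption: mod_ssl's "all" as documented for OpenSSL 1.0.1 and later.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*((?i:SSLProtocol)|ssl_protocols)\s+([^#]+)")

def apache_enabled(args):
    """Effective protocols after applying SSLProtocol tokens left to right."""
    enabled = set()
    for tok in args.lower().split():
        action = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        group = set(APACHE_ALL) if name == "all" else {name}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:  # a bare token replaces everything set before it
            enabled = group
    return enabled

def nginx_enabled(args):
    """nginx enables exactly the protocols listed."""
    return set(args.lower().rstrip("; ").split())

def audit(config_text):
    """Return (line number, directive, legacy protocols) per offending line."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        parse = apache_enabled if m.group(1).lower() == "sslprotocol" else nginx_enabled
        legacy = sorted(parse(m.group(2)) & LEGACY)
        if legacy:
            findings.append((n, m.group(1), legacy))
    return findings

# Constructed sample lines, not taken from a real host.
SAMPLE = """\
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol -all +TLSv1.2
SSLProtocol TLSv1 TLSv1.2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
"""

if __name__ == "__main__":
    for n, directive, legacy in audit(SAMPLE):
        print(f"line {n}: {directive} still enables {', '.join(legacy)}")
```

Each directive is judged on its own line; inheritance between the global server config and individual virtual hosts is not modelled, so a clean result here still needs confirming against the running server.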

Anticipate hiccups and unexpected complications along the way. Start now. Don’t wait. Winter is coming. January 2020 will be here before you know it, and if you’re not ready, you may not be able to talk HTTPS.

Thanks for listening!

Steve