Office 365 will retire TLS 1.0 and 1.1 starting June 1st, 2020

July 24th, 2019 by Stephen Jones

To provide best-in-class encryption, and to ensure the service is more secure by default, Microsoft is moving all of its online services to Transport Layer Security (TLS) 1.2+.

Office 365 will be retiring TLS 1.0 and 1.1 starting June 1, 2020. This means that all connections to Office 365 using the protocols TLS 1.0 and TLS 1.1 will not work.

Prior to June 1, 2020, plan to replace clients and devices that rely on TLS 1.0 and 1.1 to connect to Office 365.

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. It is an IETF standard intended to prevent eavesdropping, tampering and message forgery. Transport Layer Security (TLS) and its deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network, and they are used in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites use TLS to secure all communications between their servers and web browsers. The latest version – TLS 1.3 – is an overhaul that strengthens and streamlines the crypto protocol.

The work on TLS 1.3 started in April 2014, and it took four years and 28 drafts before it was approved in March of 2018. Version 1.3 speeds up the handshake that sets up encryption. This has a security benefit, and will also improve the performance of secure web applications. With TLS 1.2, the handshake process involved several round trips, whereas with 1.3 only one round trip is required, and all the information is passed at that time. In addition to security improvements, TLS 1.3 eliminated a number of older algorithms that did nothing other than create vulnerabilities. The updated protocol added a function called “0-RTT resumption” that enables the client and server to remember if they have communicated before.

The PCI compliance standards require that any site accepting credit card payments uses TLS 1.2 after June 30, 2018. Services such as PayPal, Authorize.net, Stripe, UPS, FedEx, and many others already support TLS 1.2, and have announced that they will eventually refuse TLS 1.0 connections. This means your safest action is to upgrade to TLS 1.2 or 1.3 sooner rather than later to avoid disruption. It is also likely to be a consideration for GDPR compliance in the event of a breach if an older protocol was in use.
