Overview
Transport Layer Security (TLS) is the cryptographic protocol that secures the majority of modern internet communications. TLS 1.0 was standardised in 1999 and TLS 1.1 in 2006; both have since been formally deprecated by RFC 8996 (March 2021) due to inherent design weaknesses and the availability of practical attacks against them. Servers that still advertise support for these versions during the TLS handshake allow clients to negotiate a connection using broken cryptographic primitives, undermining the confidentiality and integrity guarantees that TLS is intended to provide.
Sensagraph automatically detects TLS 1.0 and TLS 1.1 support during its continuous transport-layer security assessments.
How it works
During a TLS handshake the client sends a ClientHello message listing the protocol versions and cipher suites it supports. If the server accepts TLS 1.0 or TLS 1.1, both parties may negotiate a session using those older protocol frames. The following weaknesses are inherent in these versions:
- BEAST (Browser Exploit Against SSL/TLS): Affects TLS 1.0 because it uses CBC mode with a predictable IV chained from the previous record, enabling chosen-plaintext attacks against session cookies.
- POODLE (Padding Oracle On Downgraded Legacy Encryption): Although originally an SSL 3.0 attack, variants target TLS 1.0's CBC padding, allowing a man-in-the-middle attacker to decrypt individual bytes of ciphertext.
- LUCKY13: A timing side-channel attack against CBC-mode MAC-then-encrypt constructions used in TLS 1.0 and 1.1, enabling partial plaintext recovery.
- Weak PRF and MAC algorithms: TLS 1.0 uses a combination of MD5 and SHA-1 in its Pseudo-Random Function (PRF), both of which are considered cryptographically broken. TLS 1.1 improved the IV handling but retained the same weak PRF.
- Downgrade attacks: Servers that support both modern and legacy TLS versions can be forced into negotiating the weaker version via network-level interference, even when clients prefer TLS 1.2 or 1.3.
- Absence of AEAD cipher suites: TLS 1.0 and 1.1 do not support Authenticated Encryption with Associated Data (AEAD) cipher suites such as AES-GCM, which are mandatory in TLS 1.3 and strongly recommended in TLS 1.2.
Business impact
Enabling TLS 1.0 or TLS 1.1 creates exposure across several dimensions:
- Data confidentiality: Active network attackers (e.g., on shared Wi-Fi, or via BGP hijacking) may exploit the weaknesses above to partially or fully decrypt session traffic, exposing credentials, session tokens, and sensitive data.
- Compliance and regulatory risk: PCI DSS has required migration away from TLS 1.0 since June 2018. HIPAA guidance, NIST SP 800-52, and many national data-protection frameworks mandate TLS 1.2 or higher. Failure to comply can result in audits, fines, or loss of payment-processing capability.
- Browser trust degradation: Major browsers (Chrome, Firefox, Safari, Edge) removed support for TLS 1.0 and 1.1 in 2020–2021, so users on those browsers will receive security warnings or connection failures, harming user experience and brand trust.
- Third-party and API partner requirements: Many payment processors, cloud providers, and API consumers formally reject TLS 1.0/1.1 connections, causing integration failures for organisations that have not migrated.
How to fix it
- Disable TLS 1.0 and TLS 1.1 at the server or load balancer level. Set the minimum accepted protocol to TLS 1.2, and enable TLS 1.3 where the platform supports it. Configuration syntax varies by software:
- Nginx:
ssl_protocols TLSv1.2 TLSv1.3; - Apache:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - IIS: Disable via registry keys under
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocolsor via IIS Crypto / Group Policy. - HAProxy:
ssl-min-ver TLSv1.2
- Nginx:
- Verify the change with a protocol-level scan after applying the configuration to confirm TLS 1.0 and TLS 1.1 handshakes are rejected.
- Pair with a strong cipher suite policy. Even on TLS 1.2, disable weak cipher suites (RC4, 3DES, export-grade ciphers, anonymous DH). Prefer ECDHE-based AEAD suites (e.g.,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). - Enable TLS 1.3 wherever supported. TLS 1.3 eliminates the vulnerable handshake modes present in earlier versions, mandates forward secrecy, and supports only AEAD cipher suites.
- Check all TLS-terminating endpoints in the environment — including CDN edge nodes, API gateways, internal microservices, mail servers, and database connections — not just public-facing HTTPS.
- Assess client compatibility before disabling. Review access logs to identify any remaining TLS 1.0/1.1 clients; notify or migrate them before cutting support. Very old devices (e.g., Android < 5.0, IE 10) cannot negotiate TLS 1.2 without updates.
- Reference Mozilla's TLS configuration generator (ssl-config.mozilla.org) for server-specific recommended configurations aligned with current best practices.
References
- RFC 8996 – Deprecating TLS 1.0 and TLS 1.1 (IETF, 2021)
- OWASP Top 10 A02:2021 – Cryptographic Failures
- CWE-326 – Inadequate Encryption Strength (MITRE)
- OWASP TLS Cheat Sheet
- Mozilla SSL Configuration Generator
- NIST SP 800-52 Rev. 2 – Guidelines for TLS Implementations
- PCI SSC – Migrating from SSL and Early TLS (Information Supplement)
- Adam Langley – Chrome and BEAST (BEAST attack background)