Improved web sites security
Published by Georgi Sotirov at 2021-01-23 13:19:59 UTC, changed at 2021-01-26 06:40:17 UTC
I had been considering dropping support for the TLS v1.0 and v1.1 protocols for the hosted web sites since 2016, when it was suggested, but I was still seeing such clients in the logs (and unfortunately I still do even today). I was thus reluctant, because such clients would NOT be able to access the sites anymore. However, it is 2021 now and there are no excuses for using too old and insecure clients (i.e. browsers).
Therefore, since about 12:00 UTC today the hosted sites no longer support TLS v1.0 and v1.1 clients. I also disabled weaker ciphers like CBC. This effectively cuts off the following browsers, as SSL Labs' report shows:
- Android 4.3 and earlier;
- Internet Explorer 10 and earlier;
- Java 7 and earlier;
- Safari 8 and earlier.
If you are still using any of these for anything other than testing purposes in isolated environments (like me), then too bad for you. It is really time to upgrade!
This is considered a necessary step for improving web site security and something that perhaps should have been done earlier. The changes were made following Mozilla's Server Side TLS recommendations. It is not possible to enable TLS v1.3 for now, because this requires OpenSSL 1.1.1 or later, which should become available with Slackware 15.0, hopefully later this year.
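One way to measure from the logs which clients such a change affects, as an added example that is not the author's own code or configuration. It assumes Apache's mod_ssl request-log format (`%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b`), which the post does not specify, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed format (mod_ssl's example ssl_request_log):
#   CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<size>\S+)$'
)
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # mod_ssl reports TLS 1.0 as "TLSv1"
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")         # OpenSSL names of AEAD suites

def classify(proto, cipher):
    """Return what this connection used that the hardened config no longer offers."""
    reasons = []
    if proto in LEGACY_PROTOCOLS:
        reasons.append("legacy-protocol")   # client could not negotiate TLS 1.2
    if not any(marker in cipher for marker in AEAD_MARKERS):
        # CBC or older suite was negotiated; a TLS 1.2 client may still
        # offer an AEAD suite, so this is a warning, not a certain failure.
        reasons.append("non-aead-cipher")
    return reasons

def summarize(lines):
    """Count affected requests per client address; unparsable lines are skipped."""
    affected = defaultdict(Counter)
    total = skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        total += 1
        for reason in classify(m["proto"], m["cipher"]):
            affected[m["client"]][reason] += 1
    return {"total": total, "skipped": skipped,
            "affected": {c: dict(r) for c, r in affected.items()}}

# Constructed sample input (documentation address ranges, not real clients).
SAMPLE = """\
[23/Jan/2021:11:02:10 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 5120
[23/Jan/2021:11:02:11 +0000] 192.0.2.20 TLSv1 ECDHE-RSA-AES256-SHA "GET / HTTP/1.1" 5120
[23/Jan/2021:11:02:15 +0000] 192.0.2.20 TLSv1 ECDHE-RSA-AES256-SHA "GET /style.css HTTP/1.1" 830
[23/Jan/2021:11:03:01 +0000] 198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-SHA256 "GET / HTTP/1.1" 5120
[23/Jan/2021:11:03:09 +0000] 198.51.100.9 TLSv1.1 AES128-SHA "GET /robots.txt HTTP/1.1" 64
truncated line without the expected fields
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Clients listed only under `non-aead-cipher` on TLSv1.2 are worth a second look before the change, since the log records what was negotiated, not everything the client offered.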
Happy surfing and stay safe!
Update 2021-01-26: Apparently, the NSA urged the same just three days ago :-)