Is it already the right time to say goodbye to TLS1.1 support on web servers?

Let's put the question the other way: What do you gain by disabling TLS 1.1?

Security

You and your quote seem to be implying that you want to move to TLS 1.2 because it's more secure than TLS 1.1. That's not really the case.

TLS 1.2 did add new crypto, for example you can now use AES instead of 3DES, or ECDHE instead of DHE. At the moment, there are no known attacks against those ciphers so you can't directly say that it's for security. 1.2 also replaces MD5 and SHA1. That is a security improvement, but for something as short-lived as a TLS connection, it's unlikely to be a major weakness.

So while TLS 1.2 offers newer crypto algorithms, the old ones are still considered acceptable, so it's hard to make a straight security argument.

Performance

Because of the newer ciphers, you will get slightly less server load when using TLS 1.2. TLS 1.3 will offer improved performance at the protocol level as well. These by themselves may be reasons to switch, but it really has nothing to do with security.
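As an added illustration (not part of either answer), the following Python audits a web server's OpenSSL-style cipher-suite names against the criteria the answer names (AES rather than 3DES, ECDHE rather than static RSA or DHE, no MD5/SHA-1) and builds a server context that refuses TLS 1.0/1.1; the cipher list in the test is constructed, not taken from a real server.

```python
"""Audit a TLS cipher list and build a TLS 1.2-minimum server context.

Added example. Cipher-suite names are OpenSSL-style (as printed by
`openssl ciphers -v` or configured in nginx/Apache); no real server is queried.
"""
import ssl


def audit_cipher(name):
    """Return the reasons a suite should go when moving to TLS 1.2-only (empty = clean)."""
    reasons = []
    n = name.upper()
    # Legacy building blocks: 3DES/DES, RC4, MD5 or SHA-1 HMAC, non-ECDHE key exchange.
    if "DES-CBC3" in n or "3DES" in n or "DES-CBC-" in n:
        reasons.append("3DES/DES: prefer AES-GCM or ChaCha20-Poly1305")
    if "RC4" in n:
        reasons.append("RC4 is broken")
    if n.endswith("-MD5"):
        reasons.append("MD5 MAC")
    elif n.endswith("-SHA") and not n.startswith("TLS_"):
        reasons.append("SHA-1 HMAC with CBC: prefer an AEAD suite")
    if n.startswith("TLS_"):
        return reasons  # TLS 1.3 suites always use ephemeral (EC)DHE key exchange
    if not n.startswith("ECDHE-"):
        reasons.append("no ECDHE key exchange (static RSA or classic DHE)")
    return reasons


def audit(ciphers):
    """Map each offending cipher name to its reasons; clean suites are omitted."""
    result = {}
    for c in ciphers:
        reasons = audit_cipher(c)
        if reasons:
            result[c] = reasons
    return result


def tls12_server_context():
    """Server context that rejects TLS 1.0/1.1 and offers only ECDHE + AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # ClientHello for 1.1 or older fails
    # OpenSSL cipher string: ECDHE key exchange with AES-GCM or ChaCha20 only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx
```

Feed `audit()` the names from your own server's configured cipher list to see which suites the TLS 1.2 cut-off should also retire.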


The only reason to delay in saying goodbye is because of the potential impacts. In fact, the only reason to use any particular technology is that it does something for you and the cost/benefits are within your tolerances.

If you have quantified the impacts of cutting off an older technology and you are ok with it, then there is no argument... I'm not sure what security-based argument you were hoping to experience.

As for the security argument for 1.2, I'm not sure there even is one. Looking at the RFC, there is a lot of 'cleanup' and added modes, but no attack defence.

So, is it time? Probably not. There is certainly no generally compelling reason to.

Tags: Protocols, TLS