Why are some “Use TLS” and “Use SSL” options turned off?


QUESTION :

I’m really confused — why are some of the TLS/SSL options turned off by default?


Is there any harm in turning them on or something?

ANSWER :

Actually, it is safer to use TLS 1.1 / 1.2, as recent reports have shown a vulnerability in TLS 1.0. Source: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

As per the above report, the reason TLS 1.0 is still used is because:

Chief culprits for the inertia are the Network Security Services package used to implement SSL in Mozilla's Firefox and Google's Chrome browsers, and OpenSSL, an open-source code library that millions of websites use to deploy TLS. In something of a chicken-and-egg impasse, neither toolkit offers recent versions of TLS, presumably because the other one doesn't.

"The problem is people will not improve things unless you give them a good reason, and by a good reason I mean an exploit," said Ivan Ristic, Qualys's director of engineering. "It's terrible, isn't it?"

While both Mozilla and the volunteers maintaining OpenSSL have yet to implement TLS 1.2 at all, Microsoft has performed only slightly better. Secure TLS versions are available in its Internet Explorer browser and IIS webserver, but not by default. Opera also makes version 1.2 available but not by default in its browser.

Microsoft has a Security Advisory out for an SSL vulnerability and recommends enabling TLS 1.1; there is a Fix it on this page to assist in enabling it properly:

http://support.microsoft.com/kb/2588513


SSL 2.0 is unsafe.
SSL 3.0 and TLS 1.0 are the most prevalent. But as Ar Sh mentioned, there are reports of a vulnerability in TLS 1.0.

Since most web servers implement SSL 3.0 and TLS 1.0, most web browsers still use them and are the defaults.

In my opinion, you can enable TLS 1.1 and 1.2, but avoid enabling SSL 2.0 as it is unsafe.

TLS versions above 1.0 have interop issues that have never been fully worked out due to lack of adoption, so to be safe many vendors don't even enable them by default when they could just be negotiated down.
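As an added example (it is not part of any of the answers above, nor of the Microsoft Fix it), here is how the "Use SSL 2.0 / Use TLS 1.x" checkboxes from the screenshot, and the system-wide switch that the KB 2588513 answer is about, can be read and set from PowerShell. Internet Options stores the checkboxes as one DWORD bitmask, SecureProtocols, under the current user's Internet Settings key; the per-protocol Enabled / DisabledByDefault values under the SCHANNEL Protocols key are Microsoft's documented switch for every SCHANNEL client on the machine (IE, WinHTTP, .NET and so on), not just the browser. The bit values and registry paths are the documented ones; the function names are this example's own. It assumes a Windows host with PowerShell and, for the HKLM part, an elevated shell.

```powershell
# Added example, not code from the original Q&A or from Microsoft's Fix it.
# Bit values of the Internet Options "SecureProtocols" DWORD (documented by Microsoft):
$SecureProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$IeSettingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$SchannelKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-IESecureProtocols {
    # Returns the names of the protocols whose checkbox is ticked for the current user.
    $value = (Get-ItemProperty -Path $IeSettingsKey -Name SecureProtocols `
                  -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $value) { return @() }   # value absent: the browser's built-in default applies
    $SecureProtocolBits.Keys | Where-Object { ($value -band $SecureProtocolBits[$_]) -ne 0 }
}

function Set-IESecureProtocols {
    # Ticks exactly the named protocols; everything not listed is unticked.
    param([Parameter(Mandatory)][string[]]$Enable)
    $mask = 0
    foreach ($name in $Enable) {
        if (-not $SecureProtocolBits.Contains($name)) { throw "Unknown protocol '$name'" }
        $mask = $mask -bor $SecureProtocolBits[$name]
    }
    Set-ItemProperty -Path $IeSettingsKey -Name SecureProtocols -Value $mask -Type DWord
    '{0} -> SecureProtocols = 0x{1:X}' -f ($Enable -join ', '), $mask
}

function Set-SchannelClientProtocol {
    # System-wide client-side switch for one protocol version. Needs an elevated shell;
    # SCHANNEL reads these values at start-up, so plan on a reboot.
    param([Parameter(Mandatory)][string]$Protocol, [Parameter(Mandatory)][bool]$Enabled)
    $path = "$SchannelKey\$Protocol\Client"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name Enabled           -Value ([int]$Enabled)        -Type DWord
    Set-ItemProperty -Path $path -Name DisabledByDefault -Value ([int](-not $Enabled)) -Type DWord
}

# Usage matching the advice in the answers: tick TLS 1.0/1.1/1.2, leave SSL 2.0 (and 3.0) unticked.
'Before: ' + (Get-IESecureProtocols -join ', ')
Set-IESecureProtocols -Enable 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'    # mask 0x080|0x200|0x800 = 0xA80
'After:  ' + (Get-IESecureProtocols -join ', ')

# The same policy for every SCHANNEL client on the machine (run as Administrator):
Set-SchannelClientProtocol -Protocol 'SSL 2.0' -Enabled $false
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelClientProtocol -Protocol $_ -Enabled $true }
```

Two things to check after running it: Get-IESecureProtocols reads only the per-user value, so a SecureProtocols value pushed under the Policies hive by Group Policy will still win over what you set here, and the SCHANNEL keys only take effect once the machine (or at least the consuming service) has been restarted. To drop SSL 3.0 or TLS 1.0 as well, pass a shorter list to Set-IESecureProtocols and call Set-SchannelClientProtocol with -Enabled $false for those versions.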
