
The End is Near: After decades, TLS 1.0 & 1.1 go end-of-life in March

The world of computing was very different in 1999. U.S. online retail sales totaled $15B according to the Department of Commerce, but online worldwide sales figures were not yet tracked on a global basis. In 2019 online retail sales topped $3.5T – that’s trillion with a T – around the world.

1999 was also the year the Transport Layer Security (TLS) 1.0 protocol was adopted to make online computing and transactions more secure. TLS 1.1 followed in 2006. While TLS 1.2 and 1.3 are the current standards, TLS 1.0 & 1.1 are still in use but non-compliant. Both are being deprecated on March 31, 2020.

Organizations must move to TLS 1.2 or 1.3 by that date or find themselves unable to complete web transactions using browsers from Microsoft, Google, Apple, Mozilla, or other common browser vendors. The PCI Standards Council has required members to upgrade to TLS 1.2 since 2018, but the use of the previous TLS versions remains higher than expected.

With compliance at risk and the major tech companies forcing an upgrade, why do organizations find it difficult to make the switch to a more secure technology? That’s simple: It’s costly and complex to rewrite enterprise software.

Recompiling an application or migrating to newer platforms is not possible in many cases. It’s certainly not scalable in enterprise environments where thousands of applications are deployed on all possible versions of Java and .NET platforms.

Waratek’s agent-based Upgrade solution allows legacy applications to use the latest TLS protocols and cipher suites without the need to recompile their source code or migrate to a newer runtime. For example, legacy Java versions (such as Java 6, 7 or 8) run as guest JREs inside a host JVM.

With this feature enabled, the application no longer uses its own out-of-date TLS protocols, but rather offloads this functionality to the most current and patched host JVM. Deploying Waratek Upgrade helps enterprises become instantly compliant with the latest TLS standards.

Applications are also automatically protected against common cryptographic vulnerabilities such as “Use of a Broken or Risky Cryptographic Algorithm” (CWE-327) and “Inadequate Encryption Strength” (CWE-326).

To learn more about how Waratek can help you achieve TLS compliance and improve your overall security posture, visit Waratek.com or contact us at +1 770 720 1678.

John Matthew Holt is the Founder & CTO of Waratek.
