TLS Must Stand For Totally Lacking Security

Posted on Friday, Sep 15, 2023 by Ned Bellavance

Featured in this episode of Tech News of the Week

The current version of TLS is 1.3, published in 2018. Its predecessor, 1.2, was released a full decade before that. TLS 1.1 came out in 2006. If it’s striking that 1.2 came out so quickly after 1.1, that’s because 1.2 fixed a lot of potential issues with 1.1.

TLS 1.0 and 1.1 are now considered effectively insecure, and none of the major browsers have supported them since 2020. But there are still some applications, particularly Microsoft ones, that use 1.1 or 1.0 by default, and depending on their age, might not have a 1.2 option.

The thing about enterprise software is that no one likes to upgrade it if the thing is doing its job and doesn’t break. Such is the case with a frankly embarrassing number of SQL Server 2012, 2014 and 2016 editions.

Starting in September, Microsoft will be disabling the use of TLS 1.0 and 1.1 on Windows machines. There is a non-zero chance that the update will break something in your corporate environment, so if you’ve been putting off patching those old SQL servers in the corner, might be time to show them a little love.

Or yell at Jeff the DBA to do it. Just threaten to stop supplying him with Muscle Milk if he fails to comply. Yes Jeff, we know all about your little addiction.
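
If you want to know where a given Windows box stands before the change to the TLS 1.0 and 1.1 defaults lands, the sketch below reads the Schannel protocol keys and reports whether each legacy version has been explicitly switched on or off, or has been left to the OS default. It is an added example, not something from the episode or from Microsoft; the function name `Get-LegacyTlsState` is made up for illustration, and it assumes the standard Schannel registry location with its `Enabled` and `DisabledByDefault` values.

```powershell
# Added example: report the Schannel registry state for TLS 1.0 and TLS 1.1.
# Get-LegacyTlsState is a hypothetical helper name, not a built-in cmdlet.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-LegacyTlsState {
    param(
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.1'),
        [string[]]$Role     = @('Client', 'Server')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $key   = Join-Path (Join-Path $SchannelProtocols $p) $r
            # A missing key is normal: it means nobody has overridden the OS default.
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled           = $props.Enabled            # DWORD, 0 = off, non-zero = on
            $disabledByDefault = $props.DisabledByDefault  # DWORD, 1 = only used if an app asks for it

            if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                $state = 'OS default (no override set)'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                $state = 'Explicitly disabled'
            } elseif ($disabledByDefault -eq 1) {
                $state = 'Off unless an application requests it'
            } else {
                $state = 'Explicitly enabled'
            }

            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Read-only: this queries the registry and changes nothing.
Get-LegacyTlsState | Format-Table -AutoSize
```

Rows that come back as "OS default" are the ones that follow whatever Windows ships, so those are the machines whose behaviour moves when the default does. This only shows the OS-level Schannel setting; whether an old SQL Server build can actually speak 1.2 is a separate question that patching answers.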