Content, Security Program Controls/Technologies, Encryption

TLS 1.0 Encryption Protocol Nears End of Life; IBM Cloud Says Goodbye

IBM SoftLayer cloud application programming interfaces (APIs) will no longer accept connections encrypted with TLS 1.0, a cryptographic protocol that provides privacy and data integrity between two communicating apps. The mandate will take effect on August 8, 2017, according to The Register.

Previously, IBM ended TLS 1.0 support for its Watson Internet of Things (IoT) Platform on May 30. At that time, IBM stated it made the decision to disable TLS 1.0 support to align with best practices for security and data integrity.

"Over time security protocols improve and older ones are found to have weaknesses," IBM said in a prepared statement. "We want to ensure that you have a secure solution and that's why we're withdrawing support for the older TLS version."

In addition to IBM SoftLayer APIs and the Watson IoT Platform, Salesforce last month disabled TLS 1.0 support for its services. Salesforce now requires TLS 1.1 and later encryption protocol "to maintain the highest security standards and promote the safety of customer data," the company said in a prepared statement.

Furthermore, the PCI Security Standards Council will disable TLS 1.0 support on June 30, 2018. The council also will require a more secure encryption protocol for organizations to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

Originally released in January 1999, TLS 1.0 is the most widely deployed security protocol and leverages encryption and endpoint identity verification to ensure a secure connection to a remote endpoint, according to IBM. It is used for web browsers and other apps that require data to be securely exchanged over a network, IBM stated.

Meanwhile, the BEAST vulnerability raised questions about TLS 1.0's effectiveness.

BEAST was discovered in September 2011 and affected TLS 1.0 only, according to cloud security company Qualys. The vulnerability enabled cybercriminals to launch attacks to decrypt and obtain authentication tokens and gain access to data passed between a web server and web browser accessing the server.

Following BEAST's discovery, developers of Google Chrome and other major web browsers began to create workarounds for mitigating the risk of BEAST attacks.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.