Make sure your Web servers support modern security protocols


Prevent security risks related to out-of-date security protocols


To make sure no site content is modified or intercepted en route, the HTTPS protocol is used (this is currently a must; using plain HTTP, the insecure version, is strongly discouraged).

Different versions of the Transport Layer Security (TLS) protocol can be used to provide this secure data exchange. Until recently, TLS v1.0 (introduced in 1999) and TLS v1.1 (introduced in 2006) were in use, but the major browser developers have announced that support for both of these older TLS versions will be discontinued in 2020.

This is already happening: the latest Firefox version (version 74 at the time of writing) has disabled TLS v1.0/v1.1 support (but still allows it to be enabled explicitly). In the upcoming major versions, the support will be dropped entirely. Other browsers will soon follow.

Simple TLS versions support check

IPHost provides custom monitors (“Script or Program”, “Python script” and “Script over SSH” monitor types), which can be used to check for the supported TLS versions.

The command line below can be used in a Unix-like environment to check whether a given TLS version is supported:

echo "QUIT" | openssl s_client -connect example.com:443 -tls1_3 2>/dev/null | grep 'Cipher is' | grep -v NONE | wc -l

(the command prints a performance value of 1 if the site accepts the requested protocol version, and 0 otherwise)

The first parameter (example.com) is the site's domain name. The second parameter (-tls1_3) selects the TLS version to test. The table below shows which value should be expected for each version parameter:

Parameter   Expected value
-tls1       0
-tls1_1     0
-tls1_2     1
-tls1_3     1

Note that TLS v1.3 is still not widely deployed, even though this latest TLS version is significantly faster and supports modern cipher suites.
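The same probe written as a Python script, suitable for the “Python script” monitor type mentioned above. This is an added example, not IPHost's own script: it uses Python's standard ssl module instead of the openssl binary, and the host/port arguments, the EXPECTED policy and the findings() helper are my assumptions.

```python
"""Probe which TLS protocol versions a site accepts, mirroring the openssl s_client check."""
import socket
import ssl
import sys

# Versions covered by the article's table, mapped to the ssl module's constants.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Policy from the article: legacy versions should be refused (0), modern ones accepted (1).
EXPECTED = {"TLSv1": 0, "TLSv1.1": 0, "TLSv1.2": 1, "TLSv1.3": 1}


def tls_version_supported(host, port, version, timeout=5.0):
    """Return 1 if the server completes a handshake pinned to exactly `version`, else 0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks are deliberately off: we test protocol support, not the cert chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Pin both bounds so the client offers only the one version under test.
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return 1 if tls.version() else 0
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, connection failed, or the local OpenSSL build no longer
        # offers this legacy version at all (then 0 reflects the client, not the server).
        return 0


def check_site(host, port=443):
    """Probe every version in TLS_VERSIONS; returns {name: 0/1} like the article's table."""
    return {name: tls_version_supported(host, port, ver) for name, ver in TLS_VERSIONS.items()}


def findings(results):
    """Names of versions whose probe result deviates from EXPECTED (empty list = compliant)."""
    return sorted(name for name, want in EXPECTED.items() if results.get(name) != want)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # example.com as on the page
    probe = check_site(target)
    print(probe, "deviations:", findings(probe))
```

A 0 for TLS v1.0/v1.1 from a client whose OpenSSL build has those versions compiled out says nothing about the server, so confirm legacy results from a host where the openssl command above still offers them.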

Time-based checks

The above checks, by themselves, are not very informative. You might need to set a deadline after which the monitors switch to the “Down” state if the expected performance value still isn't returned. Contact us if you need time-based checks for the appropriate TLS versions of the site(s) in question; we will provide you with a corresponding script.

If no changes are applied

Starting March 12, sites that still do not support TLS v1.2 or higher may be inaccessible from the latest Firefox version. Starting from April, they won't be reachable via Google Chrome either.

Using out-of-date browser versions isn't a good idea: browsers may have flaws, including possible security issues. Apart from that, visitors may already be using the latest browsers and thus become locked out of such sites.

If you use another means of checking sites’ security state, please contact us or leave a comment below.