Forum Discussion
AltostratusHow can I find what clients are using TLS 1.0
NimbostratusMay I ask why you're thinking about disabling TLS1.0 at this point? Is it your self-initiative, or is there an applicable regulation pushing you?
The point in PCI DSS 3.1 which says that TLS1.0 must not be supported is still valid, but the enforcement of the ruling was postponed by 2 years. This means the new deadline for disabling TLS1.0 is 2018 June 30 (this applies to all existing services).
Source: http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
I'd say go for it, if you feel like doing so. Just keep in mind that there will be considerable impact mainly due to IE10 users (IE10 does not support TLS1.1/1.2 with default configuration). There are also those who use IE8 and IE9 these days. You may estimate that disabling TLS1.0 today will cut off about 1.2% of customer base, out of which 0.7% are legacy IE users and another 0.5% who use another obsolete web browser. (Source: http://www.w3schools.com/browsers/browsers_explorer.asp)
Tip: If you want a decent level of security, and cut off as little customer base as possible, the best tip is to not be more restrictive than large retail banks :). None of the biggest 4 have disabled TLS1.0 at this point.
Chris_Olson_172TLS 1.0 has been upgraded to a medium vulnerability and we are scanned monthly and quarterly. The results are published and our security status has gone down due to this. On top of that, multiple clients are requesting that we move forward and get rid of TLS 1.0 since this has been known to be weak since 2013-2014. That said, we are moving forward with testing all applications to support TLS 1.2 so we can remove TLS 1.0. It's a long process and will require multiple client communications but best to stay ahead of the game.
