Security: In the light of TLS 1.3, is it necessary to support TLS 1.2?

I recently overheard some users asking about limiting support to TLS 1.3 because it’s a better standard for security. No doubt it is, but in my opinion, if your websites or web services are targeting a global audience, continuing to support TLS 1.2 is a fair and pragmatic choice. TLS 1.3-only policies are safe when the audience is highly targeted and known—such as employees within an organization.

Older devices and browsers may still rely on TLS 1.2, and by supporting it, you ensure wider compatibility without sacrificing security. TLS 1.2 remains secure as long as it uses modern ciphers like AES or GCM. By deprecating weak ciphers and enforcing strong configurations, you can still avoid vulnerabilities.

Of course, when providing support for TLS 1.2, it’s important to follow a strict security policy:

  1. TLS 1.3 must be supported in the security configuration.
  2. TLS 1.0 and TLS 1.1 should not be supported, as they are considered insecure.

A DevOps friend of mine pointed out that major services like AWS recommend TLS 1.2 support by default. For example, CloudFront does not currently offer a TLS 1.3-only security policy, as stated in AWS Documentation.

For an in-depth analysis of an SSL configuration for a domain, you can use this free online service: https://www.ssllabs.com/ssltest/

Comments

Post a Comment

Popular posts from this blog

Words: You Aren't Gonna Need It (YAGNI)

Another daily muse. It’s not surprising that our technical team continues to discover unused functions within a particular feature library. Although the names of these functions may sound promising, the logic inside is often outdated, as they haven’t been refactored to align with the current context of the feature. Some of these functions were written ages ago. This is where I need to borrow a concept from my university days, when my mates and I often applied Extreme Programming (XP) principles in our software projects. The core idea: Don’t add functionality until it’s actually needed. This is essentially the You Aren't Gonna Need It (YAGNI) philosophy. To quote Ron Jeffries, a co-founder of XP, as taken from Wikipedia: "Always implement things when you actually need them, never when you just foresee that you [will] need them."
Read more

Words: Domain-Driven Development

Today, I stumbled upon a simple read on Reddit that serves as a reminder for both new and seasoned programmers about the importance of Domain-Driven Development (DDD). The post shared this article by Google: Write Change-Resilient Code with Domain-Driven Design . While it just touches on DDD, it's good enough to raise awareness. In case DDD is new to you, here’s a brief description from Wikipedia: Domain-Driven Development is a major software design approach that focuses on modeling software to match a domain based on input from that domain’s experts. DDD opposes the idea of having a single, unified model. Instead, it divides a large system into bounded contexts, each with its own model. For a more in-depth exploration of DDD, here are some useful articles: DDD 101: The 5-Minute Tour Domain-Driven Design (DDD) From my perspective, the DDD concept allows for simpler collaboration between technical teams and domain experts through the use of a consistent language. It also reduces th...
Read more

Finds: "Microservices vs. Monoliths" - A Reddit Discussion

Here’s another interesting discussion I stumbled upon on Reddit. The debate between "Microservices vs. Monoliths" is a frequent one, but in my opinion, the context matters—both approaches have their own merits depending on the situation. I plan to write a more in-depth entry on this topic in the near future. Enjoy reading:  Microservices vs. Monoliths: Why Startups Are Getting "Nano-Services" All Wrong
Read more