As the PCI Security Standards Council have set a deadline for PCI compliant organisations to disable at least TLS 1.0 & preferably TLS 1.1, VIA will be disabling all standards except TLS 1.2 by 31st December 2018.
What is SSL/early TLS?
Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and to protect the confidentiality and integrity of information that passes between them. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to improve security, block known attacks and add support for new cryptographic algorithms, with major revisions to SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, and TLS 1.2 in 2008.
What is the risk of using SSL/early TLS?
There are many serious vulnerabilities in SSL and early TLS that, left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.
According to NIST (National Institute of Standards and Technology), there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
How does this affect me?
Older versions of Skype for Business/Lync use TLS 1.0 and 1.1, so all users will need to update their clients to the latest version in order to ensure a secure and reliable service.
Windows 7 supports TLS 1.1 and TLS 1.2, but these protocol versions are not enabled by default. On Windows 8 and higher these protocols are enabled by default.
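One way to check the Windows 7 default described above is to read the client-side SCHANNEL protocol settings from the registry. This is an added example, not VIA's or Microsoft's code; the function name Get-TlsClientState is hypothetical, and it assumes the standard SCHANNEL registry location and sticks to PowerShell 2.0 syntax so that it runs on an unpatched Windows 7 machine.

```powershell
# Added example: report the client-side SCHANNEL state of each TLS version.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-TlsClientState {   # hypothetical helper name
    param(
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [version]$OsVersion = [System.Environment]::OSVersion.Version
    )
    # NT 6.1 is Windows 7 / Server 2008 R2, where TLS 1.1 and 1.2 ship switched off.
    $isWin7 = ($OsVersion.Major -eq 6 -and $OsVersion.Minor -eq 1)

    foreach ($p in $Protocol) {
        $key     = Join-Path $SchannelRoot "$p\Client"
        $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $enabled = if ($props) { $props.Enabled } else { $null }
        $dbd     = if ($props) { $props.DisabledByDefault } else { $null }

        # Explicit registry values win; otherwise the OS default applies.
        if ($null -ne $enabled -and $enabled -eq 0) {
            $state = 'Disabled'
        } elseif ($null -ne $dbd) {
            $state = if ($dbd -eq 0) { 'On by default' } else { 'Off by default' }
        } elseif ($isWin7 -and $p -ne 'TLS 1.0') {
            $state = 'Off by default (OS default)'
        } else {
            $state = 'On by default (OS default)'
        }

        New-Object PSObject -Property @{
            Protocol          = $p
            Enabled           = $enabled
            DisabledByDefault = $dbd
            Effective         = $state
        } | Select-Object Protocol, Enabled, DisabledByDefault, Effective
    }
}

$report = Get-TlsClientState
$report | Format-Table -AutoSize

# TLS 1.2 is the only version that will still be accepted after the cut-over.
$tls12 = $report | Where-Object { $_.Protocol -eq 'TLS 1.2' }
if ($tls12.Effective -notlike 'On*') {
    Write-Warning 'TLS 1.2 is not on by default for SCHANNEL clients on this machine.'
}
```

The script reads SCHANNEL settings only; individual applications and frameworks can apply their own protocol settings on top of these.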
From 1st June 2018 VIA will have a test environment set up, so if you have any concerns about upgrading and would like to test with a few users, please log a support ticket on https://support.via.co.uk and provide test user details.
Fully tested and supported Clients:
- Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 15.0.5023.1000 and higher
- Skype for Business 2016 Desktop Client, MSI 16.0.4678.1000 and higher, including Basic
- Skype for Business 2016 Click to Run requires the April 2018 updates:
  - Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
  - Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher
- Skype for Business on Mac 16.15 and higher
- Skype for Business for iOS and Android 6.19 and higher