Make sure your Web servers support modern security protocols

Prevent security risks related to out-of-date security protocols


To make sure site content is neither modified nor intercepted in transit, a website has to be served over HTTPS (this is currently a must; plain HTTP is insecure and strongly discouraged).

The secure channel behind HTTPS is provided by the Transport Layer Security protocol, known as TLS, which exists in several versions. TLS 1.0 and TLS 1.1 are now considered legacy protocols and have long since been removed from normal support in major browsers, so public websites should support TLS 1.2 or TLS 1.3.

This change is no longer upcoming: current browser versions have already disabled or removed TLS 1.0 and TLS 1.1 support by default. In practice, a website that still depends on those protocols (offering nothing newer) should be treated as outdated and at risk of being inaccessible to normal users.

Simple TLS versions support check

IPNetwork provides custom monitors (“Script or Program”, “Python script” and “Script over SSH” monitor types), which can be used to check for the supported TLS versions.

The following command line can be used in a Unix-like environment to check whether a site supports a given TLS version:

echo "QUIT" | openssl s_client -connect example.com:443 -tls1_3 2>/dev/null | grep 'Cipher is' | grep -v NONE | wc -l

(the above prints a performance value of 1 if the protocol version is supported by the site, and 0 otherwise)

The first parameter (the host part of -connect, example.com above) is the site's domain name. The second parameter (-tls1_3 above) selects the TLS version to test. The table below can be used as a practical reference for public websites today. In most cases TLS 1.0 and TLS 1.1 should not be accepted (expected value 0). TLS 1.2 should be accepted (expected value 1). TLS 1.3 is recommended and widely supported in modern environments, but whether it is mandatory depends on your own compatibility policy. Note that the client's own OpenSSL must be able to negotiate the version being tested: OpenSSL 3.x refuses TLS 1.0 and TLS 1.1 at its default security level, so -tls1 and -tls1_1 return 0 regardless of what the server accepts; add -cipher 'DEFAULT:@SECLEVEL=0' to the command to make that negative check meaningful.

Parameter   Expected value
-tls1       0
-tls1_1     0
-tls1_2     1
-tls1_3     1

Time-based checks

On their own, the above checks only report the current state. You might need to set a deadline after which the monitors switch to the "Down" state if the expected performance values are still not returned. Contact us if you need time-based checks for the TLS versions of the site(s) in question, and we will provide you with a corresponding script.
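The following script is added here as an example; it is not IPNetwork's monitor script. It wraps the openssl one-liner from the "Simple TLS versions support check" section into a check over all four protocol versions against the table above, and implements the deadline behaviour described in this section: mismatches against the expected values are reported immediately, but the script exits non-zero (the "Down" state) only once the deadline date has passed. The host, port and deadline are command-line arguments with illustrative defaults; parsing of the s_client output is kept in its own function so it can be exercised offline on captured output.

```sh
#!/bin/sh
# tls_policy_check.sh HOST [PORT] [DEADLINE_YYYYMMDD]
# Added example (not IPNetwork's script). Probes HOST:PORT with openssl
# s_client for each TLS version, compares the results with the policy table
# and exits 1 ("Down") only if a mismatch exists and the deadline has passed.
# Assumes openssl(1) and date(1) are on PATH. Defaults below are illustrative.

# Whether TLS 1.3 is required (1) or merely desirable (0); depends on your policy.
TLS13_REQUIRED=${TLS13_REQUIRED:-1}

# Reads s_client output on stdin; prints 1 if a cipher was negotiated, 0 otherwise.
# Same test as the page's one-liner: a "Cipher is" line that is not "(NONE)".
cipher_negotiated() {
    awk '/Cipher is/ && !/NONE/ { found = 1 } END { print found ? 1 : 0 }'
}

# Expected value for a protocol flag, following the table on this page.
expected_value() {
    case $1 in
        -tls1|-tls1_1) echo 0 ;;
        -tls1_2)       echo 1 ;;
        -tls1_3)       echo "$TLS13_REQUIRED" ;;
        *) echo "unknown protocol flag: $1" >&2; return 2 ;;
    esac
}

# Probe HOST PORT FLAG; prints 1 when the handshake succeeds, 0 otherwise.
# Caveat: on OpenSSL 3.x, -tls1/-tls1_1 need -cipher 'DEFAULT:@SECLEVEL=0'
# or the client itself refuses them and the result is always 0.
probe_tls() {
    echo QUIT | openssl s_client -connect "$1:$2" -servername "$1" "$3" 2>/dev/null \
        | cipher_negotiated
}

# deadline_passed TODAY DEADLINE (both YYYYMMDD): prints 1 if past deadline, else 0.
deadline_passed() {
    [ "$1" -gt "$2" ] && echo 1 || echo 0
}

# evaluate TODAY DEADLINE FLAG=VALUE...: reports mismatches on stderr; returns 1
# only when there is at least one mismatch and the deadline has passed.
evaluate() {
    today=$1; deadline=$2; shift 2
    mismatches=0
    for pair in "$@"; do
        flag=${pair%%=*}; got=${pair#*=}
        want=$(expected_value "$flag")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $flag: got $got, expected $want" >&2
            mismatches=$((mismatches + 1))
        fi
    done
    if [ "$mismatches" -gt 0 ] && [ "$(deadline_passed "$today" "$deadline")" = 1 ]; then
        return 1
    fi
    return 0
}

main() {
    host=${1:-example.com}; port=${2:-443}; deadline=${3:-99991231}
    results=""
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        value=$(probe_tls "$host" "$port" "$flag")
        echo "$flag $value"
        results="$results $flag=$value"
    done
    # shellcheck disable=SC2086  # intentional word splitting of FLAG=VALUE pairs
    evaluate "$(date +%Y%m%d)" "$deadline" $results
}

# Run the probe only when invoked with arguments, so the functions above can
# also be sourced and tested without network access.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh tls_policy_check.sh www.example.org 443 20251231`: it prints one "flag value" line per protocol, which a "Script or Program" monitor can pick up as performance values, and the exit code switches to 1 only after the given date. Before the deadline a mismatch is still logged to stderr, so you see the problem well ahead of the monitor going "Down".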

If no changes are applied

If no changes are applied, the practical result today is simple: websites that do not support TLS 1.2 or newer are already outside normal browser compatibility and represent an obvious security and availability risk.

Using outdated browsers is not a real solution. Browsers themselves are security-sensitive software, and asking users to fall back to older versions only shifts the risk instead of fixing the server configuration.

If you use another means of checking sites’ security state, please contact us.