Don’t let the browser pass you by: keep your server up to date

Browsers are inherently a consumer technology. As a result, they get updated frequently, both for new features and for security. In 2018, the browser vendors agreed to drop support for TLS 1.0 and 1.1, in advance of an IETF recommendation update. In 2020 they followed through. TLS 1.2 is now the oldest version allowed (and it is 10 years old!). Encryption, like house guests and cheese, is not something you want sitting around too long.

Recently I had a customer complain that Internet Explorer would not work on our products. I explained that it was because I cared about their security. I don’t want to recommend a nanny state, but there is no safe way in 2020 to use Internet Explorer. No more than there is Netscape Navigator, or NCSA Mosaic. All great products in their day. Their day is in the past: put them in the browser museum, hoist their shirt up to the rafters, whatever you do. But don’t use encryption or banking or active content with them today.

Imagine my surprise when I was looking up something on data protection and was unable to read the link on the Government of Canada website. They are serving it with TLS 1.0. I am unable to open this (since Chrome 86 won’t allow it). Now, I say unable, but the actual error would allow me to override. Don’t. You don’t want to get in the habit of “this is very unsafe, do you want to anyway?”. Just assume that a website that has bad encryption is a rabid skunk-porcupine hybrid carrying a rusty blade. Back away.
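To see from a packet capture what the browser saw, the added example below (not code from this post) reads the version a server selected out of its raw ServerHello record and applies the TLS 1.2 floor described above. It goes a little further than the TLS 1.0 case by also handling TLS 1.3, which reports its real version in the supported_versions extension; the function names and sample records are constructed for illustration.

```python
import struct

# TLS protocol version numbers as they appear on the wire.
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ALLOWED = 0x0303  # TLS 1.2: the oldest version browsers still allow

def negotiated_version(record: bytes) -> int:
    """Return the protocol version selected in a raw ServerHello record."""
    # Record header is 5 bytes (type 22 = handshake); handshake type 2 = ServerHello.
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a ServerHello handshake record")
    hlen = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hlen]
    if hlen < 38 or len(hello) < hlen:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 34                       # skip legacy version (2) and random (32)
    pos += 1 + hello[pos] + 3      # session id, cipher suite (2), compression (1)
    if pos + 2 > len(hello):
        return version             # no extensions: TLS 1.2 or older
    end = min(len(hello), pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0])
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if etype == 43 and elen == 2 and pos + 6 <= end:
            # supported_versions: TLS 1.3 puts the real version here
            version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
        pos += 4 + elen
    return version

def verdict(record: bytes) -> str:
    """Name the selected version and say whether it clears the TLS 1.2 floor."""
    v = negotiated_version(record)
    state = "accepted" if v >= MIN_ALLOWED else "refused by current browsers"
    return f"{NAMES.get(v, hex(v))}: {state}"

def sample_hello(legacy: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zero random, empty session id)."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", min(legacy, 0x0303), len(handshake)) + handshake

OLD_SERVER = sample_hello(0x0301)                                   # constructed
TLS13_SERVER = sample_hello(0x0303, struct.pack("!HHH", 43, 2, 0x0304))  # constructed

if __name__ == "__main__":
    for rec in (OLD_SERVER, sample_hello(0x0303), TLS13_SERVER):
        print(verdict(rec))
```
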

As for the Government of Canada… get on this.