Upcoming change: deprecation of CBC TLS ciphers

Netlify is a proud sponsor of Let’s Encrypt, and we were the first web hosting company to automate free SSL via their service. We love this project and we love serving your content securely so much that we now serve all requests to our service via TLS (commonly referred to as SSL or HTTPS). Since keeping your traffic secure is a high priority for us, we have some upcoming changes to our certificates that will impact very old browsers. Please note that this is not the change that Let’s Encrypt themselves announced recently, for which we intend to extend compatibility until September 2021. You can read more about that separate change in this article.

Netlify currently supports two TLS ciphersuites that are considered weak (easier to crack):

We are making plans to drop support for these ciphers so we can ensure adequate security for all our customers.

Support for these ciphers was dropped on April 5th for all sites not hosted on our High-Performance Edge product.

Support for these ciphers will be dropped no later than June 15th for all sites hosted on our High-Performance Edge product.

We have worked with customers using the High-Performance Edge to make sure that the impact to them is as small as possible.

Making this change can lead to browsers no longer being able to visit websites if those browsers don’t support any of the more secure ciphers. The specific operating systems most impacted are:

  • Windows 7 (when using Internet Explorer 11)
  • macOS 10.10 (Yosemite) and below

Our data shows that less than 0.05% of the traffic Netlify handles will be impacted by this deprecation. It is very unlikely that organic and legitimate users will be impacted.

How to minimize impact even more?

IE 11 on Windows 7 supports a newer, secure cipher if used with an ECDSA certificate instead of an RSA certificate.

We have already started issuing ECDSA certificates for all sites that use a Let’s Encrypt certificate. That process is still ongoing and will be complete once all certificates have been renewed as part of the regular renewal timeline. This change also results in faster TLS handshakes since ECDSA certs are smaller and allow for more efficient encryption.

If you use a custom certificate, not issued by Let’s Encrypt via Netlify, you can buy your own ECDSA certificate from a number of issuers and upload it in the Netlify UI, assuming that it is not an ECDSA certificate already. This way, we can still serve your users who use IE 11 on Windows 7.
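The two points above (dropping CBC suites, and an ECDSA certificate keeping IE 11 on Windows 7 connected) can be checked with a small audit script. The example below is added here and is not Netlify’s code. It works on OpenSSL-style cipher names, classifies each as CBC or AEAD and by the certificate type it requires, simulates server-preference negotiation against a constructed client offer that models the situation the post describes (AEAD suites only for ECDSA authentication, CBC only for RSA), and finally applies the CBC-free list to a real `ssl.SSLContext` to confirm nothing CBC survives. The server list and the client offer are constructed samples, not captured handshakes.

```python
"""Audit a TLS cipher list for CBC suites and show why an ECDSA certificate
keeps a legacy client connected once CBC suites are dropped.

Added example, not Netlify's code. All names are OpenSSL-style cipher names.
"""
import ssl

# Constructed sample server preference list, roughly how an origin might have
# been configured before a CBC deprecation (most preferred first).
SERVER_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-SHA256",  # CBC
    "ECDHE-RSA-AES128-SHA256",    # CBC
    "ECDHE-RSA-AES128-SHA",       # CBC with SHA-1 HMAC
    "AES128-SHA",                 # RSA key transport + CBC
]

# Constructed client offer modelling the post's description of IE 11 on
# Windows 7: AEAD (GCM) suites exist only for ECDSA authentication, while every
# RSA-authenticated suite is CBC. Illustrative, not a captured ClientHello.
LEGACY_CLIENT_OFFER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
]

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
BLOCK_CIPHER_MARKERS = ("AES", "CAMELLIA", "DES", "SEED")


def is_cbc(name: str) -> bool:
    """True if an OpenSSL cipher name denotes a CBC-mode block cipher.

    OpenSSL names do not spell out 'CBC' (except 3DES as 'CBC3'): a block
    cipher that is not GCM, CCM or ChaCha20-Poly1305 is running in CBC mode.
    """
    upper = name.upper()
    if any(marker in upper for marker in AEAD_MARKERS):
        return False
    return any(marker in upper for marker in BLOCK_CIPHER_MARKERS)


def auth_type(name: str) -> str:
    """Certificate type a suite needs: 'ECDSA', 'RSA', or 'any' for TLS 1.3."""
    if name.startswith("TLS_"):
        return "any"  # TLS 1.3 suites do not encode the signature algorithm
    if "ECDSA" in name:
        return "ECDSA"
    return "RSA"  # ECDHE-RSA-* and plain RSA key-transport suites


def drop_cbc(ciphers):
    """The deprecation step: remove every CBC suite, keep order."""
    return [c for c in ciphers if not is_cbc(c)]


def usable_with_cert(ciphers, cert_type):
    """Suites the server can actually offer given its certificate's key type."""
    return [c for c in ciphers if auth_type(c) in (cert_type, "any")]


def negotiate(server_prefs, client_offer):
    """Server-preference negotiation: first server suite the client also offers."""
    offered = set(client_offer)
    for cipher in server_prefs:
        if cipher in offered:
            return cipher
    return None  # no common suite: the handshake fails


def harden_context(ciphers):
    """Apply the CBC-free TLS 1.2 cipher string to a real server SSLContext."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(":".join(drop_cbc(ciphers)))
    return ctx


if __name__ == "__main__":
    for cert in ("RSA", "ECDSA"):
        before = usable_with_cert(SERVER_CIPHERS, cert)
        after = drop_cbc(before)
        print(f"{cert} cert, before CBC removal:", negotiate(before, LEGACY_CLIENT_OFFER))
        print(f"{cert} cert, after CBC removal: ", negotiate(after, LEGACY_CLIENT_OFFER))
    names = [c["name"] for c in harden_context(SERVER_CIPHERS).get_ciphers()]
    print("CBC suites left in hardened context:", [n for n in names if is_cbc(n)])
```

With an RSA certificate the legacy client negotiates `ECDHE-RSA-AES128-SHA256` before the change and nothing at all afterwards; with an ECDSA certificate it lands on `ECDHE-ECDSA-AES128-GCM-SHA256` in both cases. The `SSLContext` check is the part worth running against your own cipher string: `get_ciphers()` reports what OpenSSL will actually offer, including the TLS 1.3 suites that `set_ciphers` does not touch.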

Queries, concerns?

If you have any hesitations about this upcoming change, please feel free to create a topic here in the forums and we’ll be happy to talk more.


A quick update on this upcoming change – if you want to beat the curve and adopt an ECDSA certificate today, you can renew your certificate from the Netlify UI now.

This functionality is always available, but the new certificates which we are issuing are ECDSA.

https://app.netlify.com/sites/[sitename]/settings/domain#ssl-tls-certificate
