The Cloud Leads the Way to Disable TLS 1.0/1.1–Goodbye Lync Phone Edition
Microsoft announced that they will be turning off TLS 1.0 and 1.1 encryption on Office 365 on 31st October 2018. This should not come as a shock surprise to anyone after the POODLE and BEAST vulnerabilities exposed throughout 2011 and 2014. But what does that mean for you and your devices?
From a Skype world perspective, it means that your Lync Phone Edition devices, the CX3000 and CX500/600 phones will no longer register with Skype for Business Online on 1st Nov 2018. There is no workaround, there is no workaround or firmware update coming, the devices will simply stop working and will be useless to you. Initially a lot of people may gasp in disbelief that they have to replace their estate with new 3PIP phones. But in reality these LPE devices are now pushing 9 to 10 years old. They are really at the end of their functional working life and any smart business with a refresh program should already be well on their way with replacement to more modern devices.
This only affects devices registered to Skype for Business Online. If you are an on-prem consumer of Server and the account is hosted on-prem and you haven’t disabled TLS 1.0 and 1.1, these devices will continue to work for you. But should you be following the Cloud’s lead and disabling TLS 1.0 and 1.1 on-prem too?
The answer at the moment is probably not. Unless there has been an update in the latest Server CU and I haven’t checked this out, if you disable TLS 1.0 and 1.2 on-prem today, then you’re going to get back-end SQL replication problems as this relies on 1.1 and 1.2 is not supported. So for the mean time at least, on-prem is stuck with TLS 1.0 and 1.1.
But why are we moving away from 1.0 and 1.1?
So POODLE man-in-the-middle attack exposed a vulnerability to impersonate the server in a client to server communication in SSL v3.0 and watch in plaintext the exchanges between client and server. Although this predominately an SSL v3.0 vulnerability some TLS 1.0/1.1 clients are also at risk if they accept incorrect padding structure after decryption.
BEAST is a know MiTM attack similar to POODLE that exposes a vulnerability in the implementation of the Cipher Blocking Chain mode in TLS 1.0 protocol. This is a plaintext attack that is generated client side that injects packets into the TLS stream to guess the initialization vector. This was a common browser based attack.
There are more vulnerabilities in these protocols that have led to NIST declaring that these protocols are no longer approved for protecting information. And this is the reason why TLS 1.0 and 1.1 is being disabled for Office 365. As Office 365 is certified by various compliance standards, of which PCI is one, PCI compliance states that TLS 1.0 and 1.1 are no longer acceptable protocols to secure transmission of data between cloud and client.
Again this change is affecting all of Office 365, of which LPE is just one affected service. It doesn’t mean that your on-prem environment has to stop supporting legacy protocols, just that communication between your devices and Office 365 has to use TLS 1.2.
If you have Windows 7 devices in your environment, these will not support TLS 1.2 by default. Instead the protocol is disabled. You will need to ensure that the protocol is enabled on these devices in preparation for the date, it they are to continue to communicate with Office 365. You can download and apply this update for your clients: https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
This change does mean that Office 365 from Nov 1st will no longer support Windows Vista as Vista does not support (in fact I am not even sure it ever did!) TLS 1.1 or 1.2! Shock horror, the world is going to dissolve! If you really have Vista out there, please update, or preferably, throw said PC in the bin and purchase a Windows 10 machine!
Windows 8.0/ 8.1 , Server 2012, Windows 10 and Server 2016 all use TLS 1.2 by default, so there are no changes needed to these Operating Systems in preparation for the disablement of TLS 1.0/1.1 in Office 365.
If you are using Android 4.3 clients or older (Jelly Bean) then Office 365 apps will no longer work post 31st October. You’ll need to update your mobile OS or purchase a new device. More worringly for businesses will be if you are running Internet Explorer version 8 through to 10 on Windows 7, you’ll need to update to Internet Explorer 11 to gain access to web services provided by Office 365.
If you have an Apple running OSX 10.8.4 or earlier of Safari 6.0.4 you too will also need to upgrade, or buy a proper computer 🙂
If you use ADFS for SSO with Office 365, you will need to ensure that your ADFS farm supports TLS 1.2. More information on how to check / do this can be found here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
Mark is an Independent Microsoft Teams Consultant with over 15 years experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference and former MVP. You can follow him on twitter @UnifiedVale