Update (2020-02-13): This change was completed last night on the Fastly side. Most of our endpoints now have TLS 1.0 and 1.1 disabled. We’ll be addressing our direct load balancers next.
Update (2020-02-25): This change was applied to our load balancers directly - TLS 1.0 and 1.1 are now disabled for all Stack Exchange properties.
As part of our regular efforts to increase security and keep up with the times, we will be disabling TLS 1.0 and 1.1 for Stack Exchange services on February 12th, 2020. TLS 1.2 and above will continue to work. Note: this will not immediately affect all services. Some of our services are handled via Fastly, and some at our load balancers directly - this change will not affect both segments at once. Things like Q&A, Talent, etc. flow through Fastly and will be the first affected. Things that are direct, like Chat and our API, will not be affected immediately.
Why?
Most browsers and operating systems moved to TLS 1.2 quite a while ago now (for example, we don't support Windows XP...and neither does Microsoft). We held out for as many clients as possible to move over, but now it's time to make the change. If you're curious what the vulnerabilities are in TLS 1.0 and 1.1, there's a good writeup here. We've been monitoring traffic levels over the past few months and we are now at HTTPS stats of:
- TLS 1.0: 0.6%
- TLS 1.1: 0.0%
- TLS 1.2: 99.4%
Additionally, it looks like the vast majority of the TLS 1.0 traffic is bots (and/or sends no user agent at all) - our estimate is that 'not a robot' requests account for less than a third of that 0.6%.
As an example of the industry moving on here, our current SSL Labs rating is a B. This is purely because of remaining TLS < 1.2 support that we plan to remove here. (Update: we are now at an A+ rating.)
If anyone has questions, please feel free to comment or answer below and we'll try and keep up.
