
Encryption Changes to Office 365 are Here!

Background

In December, Microsoft announced changes to the types of encryption supported for accessing Office 365 services. The original announcement is attached below. Those changes begin today, Thursday, February 28.

How does this affect me?

There are two primary areas of potential impact to users: the browsers used to access the Office portal and web applications, and the operating system on your computer.

To ensure no interruptions, verify that TLS 1.2 is enabled on every device and browser used to access Office 365 apps. The changes will impact access to Office 365 apps using TLS 1.0/1.1/SSL 3.0 (aka “SSL and Early TLS” per the PCI council).

TLS Support & Configuration: Windows Operating System

Windows 8.1 (or later): Enabled by Default
Server 2016 (or later): Enabled by Default
Windows 8: Disabled by Default (but fully supported)
Server 2012 R2: Disabled by Default (but fully supported)
Windows 7 (and older): Update Required!
Server 2012 (and older): Update Required!

How do I enable TLS 1.2 if Windows supports it?

To enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows, just check the associated box via this directive from Microsoft.

How do I update Windows if it doesn't already support TLS 1.2?

Either check the list of installed updates on your system or download and run the update from the Office 365 Message Center (ID: MC171089)**. If it is already installed, it will say so.

For enterprise environments, run a scan from your software update solution for devices missing the update and deploy it as soon as possible.

To analyze and change configurations on a single computer, QuickBooks provides a simple TLS 1.2 Readiness Tool if you prefer a shortcut for checking and configuring personal devices. The tool will assess the computer it is run on and make any necessary changes for you.

Additionally, Nartac Software provides a free crypto tool that is handy for managing settings across multiple devices: Nartac IIS Crypto.

** That link requires a login, so here’s an image of the message if you just want to take a quick peek.

TLS Support & Configuration: Web Browser

Internet Explorer, Edge, Chrome and Opera
These browsers all use the built-in ‘Internet Options’ dialog, making things pretty straightforward.

  1. Open Internet Explorer and click on the Tools button, then Internet Options
    (alternatively, just open Control Panel and launch the Internet Options applet)
  2. Click on the Advanced tab
  3. Scroll down to the Security section and confirm the following settings:

CHECK: Use TLS 1.2
CHECK: Use TLS 1.1
UNCHECK: Use SSL 2.0
UNCHECK: Use SSL 3.0
UNCHECK: Use TLS 1.0
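
The checkboxes above are stored as bit flags in the per-user `SecureProtocols` registry value, and the WinHTTP default discussed earlier in `DefaultSecureProtocols`. The PowerShell audit below is an added example, not part of the original post or Microsoft's tooling, that decodes both against the checklist; the registry paths and bit values are taken from Microsoft's documentation rather than this page, and the `0xA80` row is a constructed sample.

```powershell
# Added example. Bit flags of the SecureProtocols / DefaultSecureProtocols DWORDs.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800
}
# Target state taken from the CHECK / UNCHECK list in this post.
$Wanted = @{
    'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false
    'TLS 1.1' = $true; 'TLS 1.2' = $true
}

function Get-RegistryDword {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ProtocolMask {
    # Emits one row per protocol: is it enabled, and does that match the target?
    param([string]$Source, $Mask)
    if ($null -eq $Mask) {
        return [pscustomobject]@{ Source = $Source; Protocol = '(value not set)'
                                  Enabled = $null; Wanted = $null; Ok = $null }
    }
    foreach ($name in $ProtocolBits.Keys) {
        $on = ([int]$Mask -band $ProtocolBits[$name]) -ne 0
        [pscustomobject]@{ Source = $Source; Protocol = $name; Enabled = $on
                           Wanted = $Wanted[$name]; Ok = ($on -eq $Wanted[$name]) }
    }
}

$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$winhttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$tls12   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$rows = @(
    Test-ProtocolMask 'Internet Options (current user)' (Get-RegistryDword $inet 'SecureProtocols')
    Test-ProtocolMask 'WinHTTP default' (Get-RegistryDword $winhttp 'DefaultSecureProtocols')
    # Constructed sample: 0xA80 = TLS 1.0 + 1.1 + 1.2, so the TLS 1.0 row fails.
    Test-ProtocolMask 'Constructed sample' 0xA80
)
$rows | Format-Table -AutoSize

# Schannel override for the TLS 1.2 client role; blank values mean none is set.
[pscustomobject]@{
    Enabled           = Get-RegistryDword $tls12 'Enabled'
    DisabledByDefault = Get-RegistryDword $tls12 'DisabledByDefault'
} | Format-List
```

On 64-bit Windows, 32-bit applications read the WinHTTP value from the matching path under `HKLM:\SOFTWARE\Wow6432Node`, so check that copy as well.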

Firefox
Our friends at DigiCert put together a nice white paper showing screenshots of all of the browsers mentioned here, so pop over to the document for Firefox instructions.

Note: security.tls.version.min defaults to 1, which is TLS 1.0. Set the minimum to 2 for TLS 1.1 and the maximum to 4, which is TLS 1.3 (see note about TLS 1.3 later in this post).

Safari
TLS 1.1 and TLS 1.2 are automatically enabled on Safari version 7 or greater. There are no configurable settings for this.

Are there any risks making the needed changes?

As always, please follow due diligence if working with customers or business systems on this issue. Be sure a proper test process is in place, and that all SSL/Early TLS client-server connections have been investigated and the requisite remediations implemented, before making widespread changes. These may involve configurations at the middleware, web server, or application server level. For enterprise customers, a PCI scan with their PCI application or appliance, should they have one, will provide a comprehensive list of SSL/TLS connections to application servers, domain controllers and so on. However, the deadline for PCI compliance on this issue was June 30, 2018, so they may well have already gone through this exercise.

The Office 365 article referenced earlier details how to obtain a list of connections to the O365 tenant that may be impacted once the changes described in the notification are implemented.

Here’s an example of typical output. It’s delivered as a tab-delimited file. I’ve redacted the emails from my sample, but I think you’ll get the idea.

Where can I find interesting trivia about the history of TLS/SSL?

So glad you asked!

Here is a table showing the evolution of SSL/TLS: https://tlsversions.com
Here is a pretty good write-up on the differences in the protocols and their history: https://www.wolfssl.com/differences-between-ssl-and-tls-protocol-versions
Note the date on the 2nd article is 2010… things haven’t changed in a decade since TLS 1.2 was introduced in 2008. TLS 1.3 was approved for use by the IETF in early 2018 and will be coming into play more and more.

Fun Fact: SSL (Secure Sockets Layer) was developed by Netscape in the mid-90s, and SSL was renamed to TLS in 1999 by the IETF.

