At Fastly we believe that compliance and security are most valuable as a combined program, and we have built our network as a single platform to address the overlapping areas of security and PCI compliance in a holistic manner.
Our platform provides the flexibility to address different customer traffic needs across a spectrum: plain HTTP, TLS 1.0/1.1, and TLS 1.2. At Fastly we’ve been provisioning all new customers with TLS 1.2 as a secure default since early 2017, because it provides our customers with the highest levels of protection.
TLS 1.0 has received special attention from both the security and compliance communities. From a security perspective, TLS 1.0 and earlier versions have been shown to be insecure according to US government recommendations in NIST Special Publication 800-52, issued as early as April 2014. Similarly, the PCI Security Standards Council has issued a mandate for June 30th, 2018, that strongly encourages TLS 1.2.
We’ve been continuously observing our customer traffic over the past three years and tracking the usage of TLS 1.0 and 1.1 by our customers’ clients. While our original intention was to fully deprecate TLS 1.0 as early as 2015, we’re currently reporting that about 20% of our customers in total are still relying on TLS 1.0 and TLS 1.1.
Granted, some of these percentages are small, but a small percentage on a large volume can have a big impact. What is the impact? The impact here is connectivity.
Providing breadth of access means recognizing that not everyone can upgrade their browser or phone, and for some users, Fastly is their gateway to web access. It’s a balance we’re trying hard to preserve and something that is central to who we are as a web enabler.
Starting today, we’re taking a different approach to our TLS deprecation. Here is what we are doing:
As always, we will continue to monitor TLS 1.0 and 1.1 vulnerabilities and may alter our plan in response to new critical vulnerabilities in early TLS. If you have any questions or would like to use TLS protocol options other than our defaults, please contact our team.