Early TLS at Fastly
At Fastly we believe that compliance and security are most valuable as a combined program and we have built our network as a single platform to address the overlapping areas of security and PCI compliance in a holistic manner.
Our platform provides the flexibility to address different customer traffic needs across a spectrum: plain HTTP, TLS 1.0/1.1, and TLS 1.2. At Fastly we’ve been provisioning all new customers with TLS 1.2 since early 2017 as a secure default as it provides our customers with the highest levels of protection.
TLS 1.0 has had special attention both from the security and compliance community. From a security perspective, TLS 1.0 and earlier versions have been shown to be insecure according to recommendations issued by the US government in NIST Special Publication 800-52, issued as early as April 2014. Similarly, the PCI Security Standards Council has issued a mandate for June 30th, 2018 that strongly encourages TLS 1.2.
We’ve been continuously observing our customer traffic over the past three years and tracking the usage of TLS 1.0 and 1.1 traffic coming from our customers clients. While we started with an original intention to fully deprecate TLS 1.0 as early as 2015, we’re currently reporting that about 20% of our customers in total are still relying on TLS 1.0 and TLS 1.1.
Granted, some of these percentages are small, but a small percentage on a large volume can have a big impact. What is the impact? The impact here is connectivity.
Providing breadth-of-access means that not everyone can upgrade their browser or phone, and for some users, Fastly is their gateway to web access. It’s a balance we’re trying hard to preserve and something that is central to who we are as a web enabler.
What We’re Doing
Starting today, we’re taking a different approach to our TLS deprecation. Here is what we are doing:
All of Fastly customers who purchased and rely on our PCI and HIPAA compliance features as well as the Fastly API and web interface will be required to meet the PCI Council mandate of June 30th, 2018 for ending support of TLS 1.0.
We continue to operate a single platform that is PCI DSS compliant that meets the needs of our customers who rely on our PCI and HIPAA compliance features.
Customers who are not relying on our compliance products (PCI & HIPAA) will not be forced off TLS 1.0 and 1.1 on June 30th, 2018.
We’ll continue to make TLS 1.2 or greater our default version for all new Fastly customers and continue to look for ways to encourage our customers to move away from early TLS.
As always, we will continue to monitor TLS 1.0 and 1.1 vulnerabilities and may alter our plan in response to new critical vulnerabilities in early TLS. If you have any questions or would like to use TLS protocol options other than our defaults, please contact our team.