Update to our TLS 1.0 and 1.1 deprecation plan
February 3, 2016
Note: here's the latest update to our TLS 1.0 deprecation plan.
Last year, we announced our deprecation plan for TLS 1.0 and 1.1 with a timeline that was driven by the PCI DSS v3.1 standard. Since our original post, the PCI Security Standards Council has updated their guidance and now will not require full deprecation of TLS 1.0 and 1.1 until June 30th, 2018. Because approximately 14% of the TLS traffic on the Fastly network runs on protocols that would be affected by this change, we are revising our deprecation schedule to institute a phased approach and to give our customers more control over the TLS protocols supported within their environments. This will help ensure your ongoing security and that of your customers.
Here is our revised schedule for deprecating TLS 1.0 and 1.1:
- By June 30, 2016, we will provide a way for customers who wish to enforce stricter security standards to migrate to hosts that only allow the use of TLS 1.2 for encrypted communication. The Fastly network will default to supporting all versions of the TLS protocol.
- On January 9, 2017, our entire network will default to only allowing TLS 1.2 for encrypted communication; however, we will provide a way for customers who still require TLS 1.0 and 1.1 to migrate to hosts that support them.
- As of January 9, 2017, the Fastly app and API will only support TLS 1.2.
- On June 30, 2018, in accordance with the revised deadline published by the PCI Security Standards Council, we will disable all support for TLS 1.0 and 1.1.
In addition, we will continue to monitor the state of attacks on TLS 1.0 and 1.1 and will adapt our timeline as required to mitigate protocol-level vulnerabilities.
If you have any questions or would like to use TLS protocol options other than those enforced by our network defaults, please contact our team. We’ll keep you updated when the option to use non-default protocols is available.