IBM has turned known-to-be-insecure TLS 1.0 back on in its cloud.
IBM only turned TLS 1.0 off on Tuesday, citing the usual and sound reasons that the encryption protocol is old and weak.
But the company appears to have botched the job of telling users about the change, as an email sent to Bluemix customers and received by The Register says: “Advance notification of this change had been sent out, but not enough lead time was given to allow all customers to migrate off reliance on TLS 1.0. This removal of this support caused issues with code reliant on that support.”
“This problem has been mitigated by restoring support for TLS 1.0 encryption protocol in the IBM Cloud API endpoint. We will work with customers to ensure there is sufficient lead time notice to enable them to be prepared for this change.”
A kind assessment of this turn of events would point out that IBM's cloud is agile enough that it can remove and add crypto protocols every couple of days.
A cynic might say that irritating customers with a rapid change is an odd way to run a cloud and perhaps explains why IBM's CIO wanted to jump ship for a gig at AWS, or why Big Blue is frantically building a next-gen cloud to get beyond its self-confessed status as a mere “hosting-scale provider”. ®