Microsoft Azure DevOps revives TLS 1.0/1.1 with rollback
Planned deprecation didn't go as planned, cloud biz aims to try again at the end of March
Microsoft's Azure DevOps team has undone the deprecation of outdated Transport Layer Security (TLS) that occurred at the end of January because of unspecified "unexpected issues" that arose following the change.
Last November, Rajesh Ramamurthy, director of product management for Azure DevOps, announced plans to phase out support for TLS 1.0/1.1 because of the risk of protocol downgrade attacks and other TLS vulnerabilities outside Microsoft's control.
TLS downgrade attacks trick a client and server into negotiating an older protocol version, or a weaker cipher suite, than both actually support, so that the session can then be broken by a known weakness in the fallback. Some have jolly names like POODLE (Padding Oracle On Downgraded Legacy Encryption, which exploits a fallback to SSL 3.0) and SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes); others aim to be a bit more alarming with monikers like FREAK (Factoring RSA Export Keys) and Logjam, both of which push the key exchange down to 1990s export-grade strength.
Azure DevOps Services stopped accepting TLS 1.0/1.1 connections, and at a minimum required TLS 1.2, as of January 31, 2022. This applied to all HTTPS connections to Azure DevOps Services, including web API and git connections to https://orgname.visualstudio.com. It did not affect users of the self-hosted Azure DevOps Server.
But things did not go entirely as planned and TLS 1.0/1.1 is back for another week or so, for customers connecting over IPv4 endpoints. If you're connecting over IPv6, TLS 1.2 is already enforced as a minimum requirement.
Mark Graham, product manager for Azure DevOps Platform, provided no details beyond citing "unexpected issues," which pretty much covers the gamut of possibilities.
Fortunately, relatively few Azure DevOps users are likely to be affected by this hiccup.
"We anticipate minimal impacts to our customers as more than 99.5 per cent of connections made to Azure DevOps Services already use TLS 1.2," said Graham in a blog post. "Clients have TLS 1.2-compatibility issues because of obsolete OS versions or if available updates are not applied (applies for all Windows, macOS and Linux) or legacy .NET Framework installation or OS configuration prohibiting certain TLS cipher suites."
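Graham's list of causes (old OS builds, unpatched systems, legacy .NET Framework installs, Schannel configuration) is the checklist a Windows administrator would want to run before the March dress-rehearsals. The script below is an added example for this page, not code from Microsoft's announcement or from Azure DevOps. It reads the documented Schannel and .NET Framework 4.x registry locations, offers the documented remediation for .NET Framework apps (set SchUseStrongCrypto and SystemDefaultTlsVersions to 1 so they follow the OS protocol defaults), and then attempts a live handshake capped at TLS 1.2. The default host name dev.azure.com and the function names are assumptions made for the example; substitute your orgname.visualstudio.com endpoint if that is what your tooling uses.

```powershell
# Added example, not from Microsoft's post: checks whether a Windows host and the
# .NET Framework apps on it will negotiate TLS 1.2, the minimum Azure DevOps
# Services is moving to. Registry paths are the documented Schannel and .NET
# Framework locations; the default $HostName (dev.azure.com) is an assumption.

function Get-SchannelClientProtocols {
    # OS-level Schannel switches. A missing key means the OS default applies,
    # which on Windows 8.1 / Server 2012 R2 and later already enables TLS 1.2.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Client"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = if ($null -eq $item.Enabled) { 'OS default' } else { $item.Enabled }
            DisabledByDefault = if ($null -eq $item.DisabledByDefault) { 'OS default' } else { $item.DisabledByDefault }
        }
    }
}

function Get-DotNetTlsSettings {
    # .NET Framework 4.x follows the OS protocol list only when both DWORDs are 1;
    # otherwise older apps that never set SecurityProtocol may offer TLS 1.0 only.
    # Both the 64-bit and the 32-bit (Wow6432Node) hives matter.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $item.SchUseStrongCrypto
            SystemDefaultTlsVersions = $item.SystemDefaultTlsVersions
        }
    }
}

function Set-DotNetTls12Default {
    # Microsoft's documented remediation for .NET Framework 4.6+ applications:
    # make them follow the OS defaults. Requires an elevated session.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name SchUseStrongCrypto       -Type DWord -Value 1
            Set-ItemProperty -Path $key -Name SystemDefaultTlsVersions -Type DWord -Value 1
        }
    }
}

function Test-Tls12Connection {
    # Live check: open a TLS session restricted to TLS 1.2 and report what was
    # negotiated. A failure here is exactly what the March test shutdowns will
    # surface for this machine's Schannel/.NET stack.
    param([string]$HostName = 'dev.azure.com')   # assumption; use your own endpoint
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{ Host = $HostName; Negotiated = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm }
    } catch {
        [pscustomobject]@{ Host = $HostName; Negotiated = 'FAILED'; Cipher = $_.Exception.Message }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

Get-SchannelClientProtocols | Format-Table -AutoSize
Get-DotNetTlsSettings       | Format-Table -AutoSize
Test-Tls12Connection        | Format-Table -AutoSize
# Set-DotNetTls12Default    # uncomment to apply the .NET Framework fix, then re-run the checks
```

The live check deliberately restricts the client to TLS 1.2 rather than letting it fall back, so a "FAILED" row tells you the host itself cannot do TLS 1.2, not that the server refused something older. Applications that pin [Net.ServicePointManager]::SecurityProtocol to Tls or Tls11 in their own code are not fixed by the registry change and need a code or config update.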
Microsoft's next attempt to shut down TLS 1.0/1.1 for Azure DevOps is scheduled for March 31, 2022.
Prior to that date, there will be dress-rehearsals that consist of 12-hour test shutdowns of TLS 1.0/1.1: on March 22, 2022, from 09:00 to 21:00 UTC, for https://orgname.visualstudio.com, and two days later, on March 24, 2022, for https://dev.azure.com/orgname, to surface software that fails with TLS 1.2.
Following these tests, the outdated TLS versions will be re-enabled until the end of the month when, barring unexpected issues, the deprecation will be complete.
At that point, everything will be secure ever after. No, not really. Things will just be incrementally more secure at Azure DevOps.
"We apologize for any disruption this may cause and appreciate your support to improve our security posture," said Graham. ®