Microsoft backs off on TLS 2.0 only plan for Azure DevOps

Microsoft backs off on TLS 2.0 only plan for Azure DevOps

Microsoft has hit reverse on its plan to drop support for TLS 1.0 and TLS 1.1 in its Azure DevOps Service at the end of this month.

The cloud giant’s principal programme manager for Azure DevOps, Justin Chung, had announced on February 27 that it would require customers using its Azure DevOps service to use TLS 1.2 as of March 31. 

The shift was down to “the potential for future protocol downgrade attacks and other Transport Layer Security (TLS) protocol versions 1.0 and 1.1 vulnerabilities not specific to Microsoft’s implementation”. The statement added the move was “per Microsoft’s position to protect against cryptographic attacks.”

The vendor was confident this would not have much impact on its users, saying “Approximately 95% of connections made to Azure DevOps Services use TLS 1.2 and will not be affected. This includes currently-shipping clients used by Azure DevOps users.” 

Some connections based on the older protocols were made by default “based on client configuration or OS version used. Most commonly, this includes clients built using older versions of the .NET Framework, as well as clients built on operating systems bundled with an older version of Windows, macOS and Linux.”

Well those 5 per cent of connections must have been made by someone with some heft, as the company announced it was scrapping the plan.

On a blog post announcing the reverse ferret, Chung wrote: “Based on early feedback from some customers, we are postponing the disabling of TLS 1.0 and TLS 1.1 until further notice.”

TLS 1.2 would remain the recommended protocol for connecting to Azure DevOps, he continued, but “We have decided to continue maintaining support for older versions of TLS for now.” Needless to say, two planned periods of non-TLS 1.0/1.1 support on March 10 drill are now cancelled as well.

While the move is clearly welcome for users, it seems to leave Azure DevOps out of sync with some other Microsoft services. Office 365 deprecated 1.0 and 1.1 support for some users in January, with the remainder due to lose 1.0 and 1.1 support in June.

The end of March was pegged as an industry wide deadline to drop support for older implementations of TLS. However, Cisco’s Umbrella security service last month said it would extend support, at least until September, in its roaming client versions that require the older protocols.