Microsoft backs off on TLS 2.0 only plan for Azure DevOps

By Team Devclass
-
Microsoft backs off on TLS 2.0 only plan for Azure DevOps

Microsoft has hit reverse on its plan to drop support for TLS 1.0 and TLS 1.1 in its Azure DevOps Service at the end of this month.

The cloud giant’s principal programme manager for Azure DevOps, Justin Chung, had announced on February 27 that it would require customers using its Azure DevOps service to use TLS 1.2 as of March 31. 

The shift was down to “the potential for future protocol downgrade attacks and other Transport Layer Security (TLS) protocol versions 1.0 and 1.1 vulnerabilities not specific to Microsoft’s implementation”. The statement added the move was “per Microsoft’s position to protect against cryptographic attacks.”

The vendor was confident this would not have much impact on its users, saying “Approximately 95% of connections made to Azure DevOps Services use TLS 1.2 and will not be affected. This includes currently-shipping clients used by Azure DevOps users.” 

Some connections based on the older protocols were made by default “based on client configuration or OS version used. Most commonly, this includes clients built using older versions of the .NET Framework, as well as clients built on operating systems bundled with an older version of Windows, macOS and Linux.”

Well those 5 per cent of connections must have been made by someone with some heft, as the company announced it was scrapping the plan.

On a blog post announcing the reverse ferret, Chung wrote: “Based on early feedback from some customers, we are postponing the disabling of TLS 1.0 and TLS 1.1 until further notice.”

TLS 1.2 would remain the recommended protocol for connecting to Azure DevOps, he continued, but “We have decided to continue maintaining support for older versions of TLS for now.” Needless to say, two planned periods of non-TLS 1.0/1.1 support on March 10 drill are now cancelled as well.

While the move is clearly welcome for users, it seems to leave Azure DevOps out of sync with some other Microsoft services. Office 365 deprecated 1.0 and 1.1 support for some users in January, with the remainder due to lose 1.0 and 1.1 support in June.

The end of March was pegged as an industry wide deadline to drop support for older implementations of TLS. However, Cisco’s Umbrella security service last month said it would extend support, at least until September, in its roaming client versions that require the older protocols.

AWS combines "building block" blueprints with CodeCatalyst for rapid project creation including DevO...
Atlassian takes another step toward full DevOps automation
GitHub autofix progresses to public beta: insecure code corrected with AI, but only for enterprise
Secret leakage in public GitHub repositories increasing, claims new report
Test launch of TEA open source reward project clouded by repository spam attack 
From Docker to Dagger: Solomon Hykes on modernisation of the DevOps pipeline
Docker introduces Build Cloud for accelerated local development
Enterprises struggle with Agile methodology, reports long-standing survey of practitioners
Spotlight on GitHub self-hosted runners again as researcher demonstrates attack on PyTorch code
PyPy moves from Mercurial, says 'open source has become synonymous with GitHub'
Where next for Jamstack? Netlify survey avoids the word, highlights rise of Astro
Docker buys AtomicJar to integrate container-based test automation