Is it ok to disable TLS 1.0/1.1 at origin server and not CDN?

I need to disable TLS 1.0 and 1.1 for my company’s websites. At the moment we are unable to disable this at the CDN level (it needs some extra changes that we are not ready to implement yet)… Because we are still testing the after-effects, we may delay this and implement the block only on our local web servers instead.

My question is, if we disable TLS 1.0/1.1 on our local web server but keep TLS 1.0/1.1 enabled on the CDN side, does this cause a security risk? The CDN would then be the weakest link; would that matter, since our local web server will have it disabled?

If you keep TLS 1.0/1.1 enabled on Cloudflare, this will only affect the connection between the end-clients and Cloudflare, not the Origin Server.

This means that in a world where TLS 1.0/1.1 were broken, the data handled to and from Cloudflare could be modified or snooped on. This modified data in the perspective of your Origin server will look like TLS 1.3 traffic, and you would be unable to tell if something was modified.

Whilst I don’t see it as a security risk, as I can’t be bothered, your company definitely could (plus a lot of security certifications may require it too). Personally, I think that disabling TLS 1.0/1.1 on Cloudflare is more important, because it’d be easier for bad parties to tamper with the connection between Browser -> Cloudflare, rather than Cloudflare -> Origin. If the policy’s intent is to secure data end-to-end, you should be setting the minimum TLS version in Cloudflare too.

(In theory, you’d only have to implement/test the effects of Cloudflare -> Origin. Changing the minimum to TLS 1.2 on the Cloudflare dashboard shouldn’t have any effect on how Cloudflare interacts with your origin server, but some older devices may not be compatible with TLS 1.2+.)


Thank you for your reply.

As an end user/customer, they would only interact with Cloudflare and not the origin (I am no CDN expert). So I guess, not to discredit disabling TLS 1.0/1.1 Cloudflare -> origin, but isn’t securing where the customers interact more important, correct?

Can you please help me understand what else can go wrong if we don’t disable it browser -> Cloudflare? I need to make a list of what can go wrong, or basically the pros of disabling it browser -> Cloudflare.

No. Customers can see the strength of the connection between Browser and Cloudflare, while the connection between Cloudflare and Origin is hidden from them. The hidden connection should be as secure as possible so that you are not misleading your users about the overall strength of the connection.

To disable TLS v1.0 and v1.1 between Cloudflare and Origin, you should ensure that the TLS configuration on your Origin does not support those legacy versions.

Separately, setting the minimum TLS version in Cloudflare to TLS v1.2 is generally a no-impact change, unless your users are running unusually old equipment. For most general purpose websites, a minimum of TLS v1.2 is very common and safe.


The hidden connection should be as secure as possible so that you are not misleading your users about the overall strength of the connection.

very good point.

unless your users are running unusually old equipment.

That’s what we are afraid of. If we continued to leave TLS 1.0/1.1 enabled on Cloudflare, can you please help me understand what the risks involved are? I need to make a case as to why we need to enable this even if it may break some older browsers.

Thank you!

If you are processing personal data, financial transactions or other sensitive classes of data, allowing legacy TLS is inadequate to meet your obligations, and it should be disabled.

If you run a normal website with normal users, legacy TLS is unnecessary, and does not need to be supported.

Anybody using a service or device that only supports TLS v1.1 or older will not be able to access your services over an HTTPS connection. Such devices are increasingly rare, and in reality the whole world is disabling old versions of TLS so you would not be the first. Lots of major websites and applications do not work except over TLS 1.2 or above. Any browser released in the last decade or so already supports TLS v1.2, so most users would not notice anything.

If you are on an Enterprise plan you can get access to your logs, and see what is accessing your content using legacy TLS. Otherwise, you could just do a “flag day” where you change the minimum TLS to 1.2 for a few hours to gauge the response.

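The log-based approach in the answer above (see what is still negotiating legacy TLS before you raise the minimum) is the measurement most teams actually want. The script below is an added example, not code from the thread or from Cloudflare: it reads request logs, counts requests per negotiated protocol, and lists the hosts, user agents and IPs that still arrive over TLS 1.0/1.1, so you can estimate what a TLS 1.2 minimum would break. The log lines are constructed samples in the one-JSON-object-per-line shape used by Cloudflare Logpush, and the field names (ClientSSLProtocol, ClientIP, ClientRequestHost, ClientRequestUserAgent, with "none" meaning a plaintext HTTP request) are an assumption you should check against your own log export.

```python
"""Gauge what breaks if the CDN edge stops accepting TLS 1.0/1.1.

Added example (not from the thread). Reads newline-delimited JSON
request logs and reports per-protocol counts plus the clients still
negotiating legacy TLS. Field names are ASSUMED to follow Cloudflare
Logpush naming; adjust them for your own log format.
"""

import json
from collections import Counter, defaultdict

# Versions the edge will stop accepting once the minimum is raised to 1.2.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}
# Assumed convention: "none" marks a plaintext HTTP request. Those are not
# TLS connections at all, so they are counted separately, not as legacy.
PLAINTEXT = {"none", ""}

# Constructed sample log lines (not real traffic). One junk line is
# included on purpose to show that malformed lines are skipped.
SAMPLE_LOG = """\
{"ClientIP":"203.0.113.10","ClientRequestHost":"www.example.com","ClientSSLProtocol":"TLSv1.3","ClientRequestUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ClientIP":"203.0.113.11","ClientRequestHost":"www.example.com","ClientSSLProtocol":"TLSv1.2","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh) Safari/605"}
{"ClientIP":"198.51.100.7","ClientRequestHost":"api.example.com","ClientSSLProtocol":"TLSv1","ClientRequestUserAgent":"Java/1.6.0_45"}
{"ClientIP":"198.51.100.7","ClientRequestHost":"api.example.com","ClientSSLProtocol":"TLSv1","ClientRequestUserAgent":"Java/1.6.0_45"}
{"ClientIP":"192.0.2.33","ClientRequestHost":"www.example.com","ClientSSLProtocol":"TLSv1.1","ClientRequestUserAgent":"Mozilla/5.0 (Windows NT 6.1; MSIE 8.0)"}
{"ClientIP":"192.0.2.50","ClientRequestHost":"www.example.com","ClientSSLProtocol":"none","ClientRequestUserAgent":"curl/7.68.0"}
this line is not json and should be skipped
{"ClientIP":"203.0.113.12","ClientRequestHost":"www.example.com","ClientSSLProtocol":"TLSv1.2","ClientRequestUserAgent":"Mozilla/5.0 (X11; Linux) Firefox/121"}
"""


def parse_lines(text):
    """Yield one dict per well-formed JSON log line; skip blank or junk lines."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def summarize(text, legacy=LEGACY_PROTOCOLS):
    """Return protocol counts, the legacy share of HTTPS requests, and
    the (host, user agent, protocol) -> {ip: hits} map of legacy clients."""
    by_protocol = Counter()
    legacy_clients = defaultdict(Counter)
    total_tls = 0
    for rec in parse_lines(text):
        proto = rec.get("ClientSSLProtocol", "")
        by_protocol[proto] += 1
        if proto in PLAINTEXT:
            continue  # plaintext HTTP: unaffected by a TLS minimum
        total_tls += 1
        if proto in legacy:
            key = (rec.get("ClientRequestHost", "?"),
                   rec.get("ClientRequestUserAgent", "?"),
                   proto)
            legacy_clients[key][rec.get("ClientIP", "?")] += 1
    legacy_hits = sum(by_protocol[p] for p in legacy)
    share = legacy_hits / total_tls if total_tls else 0.0
    return {
        "by_protocol": dict(by_protocol),
        "tls_requests": total_tls,
        "legacy_requests": legacy_hits,
        "legacy_share": share,
        "legacy_clients": {k: dict(v) for k, v in legacy_clients.items()},
    }


def report(summary):
    """Render the summary as the short text you would paste into a ticket."""
    lines = []
    for proto, n in sorted(summary["by_protocol"].items()):
        lines.append(f"{proto or '(missing)':>9}: {n}")
    lines.append(f"legacy TLS share of HTTPS requests: {summary['legacy_share']:.1%}")
    for (host, ua, proto), ips in summary["legacy_clients"].items():
        lines.append(f"  {proto} -> {host} from {len(ips)} IP(s), UA: {ua}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run it against a real export instead of SAMPLE_LOG (for example, `summarize(open("requests.ndjson").read())`) and read the legacy client list before the flag day: a handful of IPs with the same old Java or embedded-device user agent is usually an integration you can contact, while scattered browsers suggest end users you will have to accept losing.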

Thank you neuronbutter and michael

