SSL (Secure Sockets Layer) / TLS (Transport Layer Security) was developed to make HTTP secure, also known as HTTPS (Hypertext Transfer Protocol Secure), and has changed over time to adapt to newer encryption methods and the latest encryption attacks. The current mainstream version, TLS 1.2, was published in 2008, so when does it expire or reach its end of life? Looking at the earlier versions that have reached their end of life, like SSL, TLS 1.0 and TLS 1.1, we can see a bit of a trend:
| Version | Published | End of Life | Years of life |
|---|---|---|---|
| SSL 2.0 | 1995 | 2011 | 6 |
| SSL 3.0 | 1996 | 2015 | 19 |
| TLS 1.0 | 1999 | 2021 | 22 |
| TLS 1.1 | 2006 | 2021 | 15 |
It appears the maximum number of years is 22 years and the average is approximately 15 years. TLS 1.2, being published in 2008, would then have an expected life of 22 years to 2023; however, we expect it to be longer than this.
One reason to change version is vulnerabilities, and TLS 1.2 has a lot of vulnerabilities caused by the older cryptographic algorithms that it still supports for compatibility reasons. Also, TLS 1.2 doesn't have the latest quantum secure algorithms for protection against quantum computer encryption attacks.
TLS 1.3 has resolved this: it has removed the older vulnerable cryptographic algorithms and includes quantum secure algorithms (in theory, but not tested, as we don't have a capable enough quantum computer to test the theory). TLS 1.3 is also faster, so why don't we move to TLS 1.3 now?
The issue comes back to user support of TLS 1.3, which is actually really good now. However, some were slow to the TLS 1.3 party, such as Bluecoat and Apple. There are some niche scenarios where Windows 10, which is EOL in Oct 2025, doesn't support TLS 1.3 (https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-); however, if you are using an up-to-date browser on Windows 10, that will support TLS 1.3.
In short, the good news is that TLS 1.3 is supported on any (mainstream) new device and/or new browser. The devices on which TLS 1.3 isn't supported are now, or soon will be, end of life, so they need to be replaced.
If we assume it takes 1 year after the EOL of devices that don't support TLS 1.3 for them to be replaced, then we can assume that by the end of 2024 most computers will support TLS 1.3.
So, starting in 2025 and beyond, we recommend enforcing a minimum of TLS 1.3 on your servers.
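Before enforcing that minimum, it helps to measure how many of your own clients still negotiate TLS 1.2 and who they are. The script below is an added example, not part of the original article; the log format (client IP, negotiated protocol, quoted user agent), the sample lines and the `audit` function are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. Assumed format: client IP, negotiated protocol,
# quoted user agent, e.g. nginx: log_format tls '$remote_addr $ssl_protocol "$http_user_agent"'
SAMPLE_LOG = """\
203.0.113.10 TLSv1.3 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
203.0.113.11 TLSv1.3 "Mozilla/5.0 (Macintosh) Safari/605.1.15"
198.51.100.4 TLSv1.2 "LegacyProxy/6.7"
198.51.100.4 TLSv1.2 "LegacyProxy/6.7"
192.0.2.55 TLSv1.2 "curl/7.29.0"
203.0.113.12 TLSv1.3 "Mozilla/5.0 (X11; Linux) Chrome/126.0"
192.0.2.99 - "-"
garbage line
"""

LINE_RE = re.compile(r'^(\S+) (TLSv1(?:\.[123])?|SSLv[23]) "([^"]*)"$')
# Protocol names ranked oldest to newest so they can be compared.
ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

def audit(log_text, minimum="TLSv1.3"):
    """Summarise negotiated versions and list clients below `minimum`."""
    versions = Counter()
    blocked = Counter()  # (ip, user agent) -> number of requests
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # plaintext requests ("-") and malformed lines
            continue
        ip, proto, agent = m.groups()
        versions[proto] += 1
        if ORDER[proto] < ORDER[minimum]:
            blocked[(ip, agent)] += 1
    total = sum(versions.values())
    share = sum(blocked.values()) / total if total else 0.0
    return {"versions": dict(versions), "blocked": blocked.most_common(),
            "blocked_share": share, "skipped": skipped}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(report["versions"], f"{report['blocked_share']:.0%} below minimum")
    for (ip, agent), n in report["blocked"]:
        print(f"{n:4d}  {ip}  {agent}")
```

The clients listed as below the minimum are the ones that would fail to connect once the server stops accepting TLS 1.2, so they are the ones to upgrade or replace first.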
There is a good chance you are using TLS 1.3 to view this website, as it is supported by most browsers and is commonly used. The concern is that TLS 1.3 is still vulnerable as it allows falling back to TLS 1.2. We would then expect TLS 1.2 to reach end of life over the next couple of years (2026), to give everyone sufficient notice to move to TLS 1.3.
Looking to make your data in transit more secure? Reach out and chat to the experts at Vertex Cyber Security.