
What Is the “Minimum TLS Version” Feature in Cloudflare?

If you aren’t familiar with TLS, know that it is the successor to SSL. It has been around for several years now and has gone through a handful of version iterations, each making things more standardized, more secure, and even faster. As of writing this post, the latest TLS version is 1.3, a significant upgrade from version 1.2.

As a matter of fact, SSL is now considered to be deprecated, with almost all widely used browsers no longer supporting this old security protocol.

How TLS Makes Things Secure

A very concise, high-level summary of what TLS needs in order to keep internet users secure is as follows:

  1. The website needs to support TLS.
  2. Your browser (the “client,” in technical terms) also needs to support TLS.

The website and the browser can support different TLS versions, and again, recall that most browsers don’t even support SSL anymore.

In short, TLS enables moving information on the internet more safely by encrypting the data and preventing data leaks that cybercriminals can exploit. That’s the idea at least! Great everyday examples of TLS in play are logging into your bank account or making an online credit card payment.

How Does Cloudflare’s “Minimum TLS Version” Come Into the Picture, and What Can It Do?

An example of how much traffic was served over TLS within the last 24 hours.

It is as clear as day that the latest TLS version is the most secure and optimal. So, in theory, it would make sense to only allow connections from clients that use that version. However, Cloudflare puts the onus on us, as website owners and managers, to decide how far back we want to keep supporting older TLS versions by giving us the choice of setting a “minimum TLS version,” which makes sense.

What that means is that any user coming to your site over an HTTPS connection that uses the selected minimum TLS version or above will be able to navigate to your domain successfully. It also means that any visitor attempting to access the site with a version lower than the selected one will be rejected.

As of today, a Cloudflare user can dictate what they want their Minimum TLS version to be from the options below:

  1. TLS 1.0: Note that this is the default
  2. TLS 1.1
  3. TLS 1.2
  4. TLS 1.3

Where To Go in Cloudflare To Select a Minimum TLS Version

After logging into Cloudflare, click on the domain or site for which you want to set a Minimum TLS version. As your first step, go to the “SSL/TLS” menu in the left pane and then click on “Edge Certificates” (see screenshot below).

The first step to setting a minimum TLS version in Cloudflare.

Next, scroll down to the “Minimum TLS version” Card and pick the TLS version you want to set as the base. Once done, any visitor wishing to reach your site will need to connect with the base TLS version or a higher one.


You Can Also Use Cloudflare Analytics To Determine the Minimum TLS Version

If you are hesitant or unsure about changing the required TLS version inside Cloudflare, you can leave things alone.

Nevertheless, if you want to run a tighter ship while keeping things more protected, you can use Cloudflare Analytics to determine which TLS version should be set as an acceptable standard.

To get insights into this data (screenshot to follow), from the Analytics menu on the left pane, head over to the “Security” option. Afterward, scroll down to the bottom until you see the “Overview” section. In there, a couple of things are going on:

  • The “Traffic Served Over SSL” Card is the second one.
    • Click on the Details tab to get a line-by-line breakdown of exactly how many requests each TLS version received.
  • A dropdown for selecting a timeframe is present on the same line as the Overview heading. It defaults to the last 24 hours, but it can be expanded to stretch as far back as the last 30 days. The “Traffic Served Over SSL” Card data will change accordingly.

Take a look at the image capture below for a visual reference of how much traffic a specific TLS version received in the selected timeframe.

Complete details on Traffic served Over SSL in Cloudflare.
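
The decision described in this section can be worked through in a few lines of Python. This is an added example, not part of the original post and not Cloudflare code: it takes the per-version request counts you read off the Details tab and reports how many requests each candidate minimum would have rejected. The counts, the label strings, and the 0.1% threshold are constructed assumptions.

```python
# Added example: choose a "Minimum TLS version" from per-version request counts.
TLS_VERSIONS = ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]  # dashboard options, oldest first

# Constructed sample (not real data): requests per TLS version over 30 days,
# copied by hand from the Details tab. The label strings are an assumption.
SAMPLE_COUNTS = {"TLS 1.0": 12, "TLS 1.1": 3, "TLS 1.2": 48_210, "TLS 1.3": 412_775}


def rejected_requests(counts, minimum):
    """Number of requests that used a TLS version older than `minimum`."""
    if minimum not in TLS_VERSIONS:
        raise ValueError(f"unknown TLS version: {minimum!r}")
    older = TLS_VERSIONS[:TLS_VERSIONS.index(minimum)]
    return sum(counts.get(version, 0) for version in older)


def rejected_share(counts, minimum):
    """Fraction of all TLS requests that `minimum` would have turned away."""
    # Any labels in `counts` other than the four TLS versions are ignored.
    total = sum(counts.get(version, 0) for version in TLS_VERSIONS)
    if total == 0:
        raise ValueError("no TLS requests in the sample; widen the timeframe")
    return rejected_requests(counts, minimum) / total


def recommend_minimum(counts, max_rejected=0.001):
    """Highest minimum whose rejected share stays at or below `max_rejected`."""
    best = TLS_VERSIONS[0]  # TLS 1.0 rejects nothing, so it always qualifies
    for version in TLS_VERSIONS:
        if rejected_share(counts, version) <= max_rejected:
            best = version
    return best


if __name__ == "__main__":
    for version in TLS_VERSIONS:
        lost = rejected_requests(SAMPLE_COUNTS, version)
        share = rejected_share(SAMPLE_COUNTS, version)
        print(f"minimum {version}: {lost:>6} requests rejected ({share:.4%})")
    print("recommended minimum:", recommend_minimum(SAMPLE_COUNTS))
```

Feed it counts from the 30-day timeframe so that infrequent clients are included. The 0.1% default is an arbitrary starting point, not a Cloudflare recommendation.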

Benefits of Setting a Higher “Minimum TLS Version” in Cloudflare

Each new TLS version builds on the real-world exploits, data, and experiences of the cyber and internet networking world. In practice, that means:

  • The cryptographic standards tied to TLS are more robust.
  • In many cases, page loads are more efficient, thus saving you on bandwidth or associated network costs.
  • Extra security measures help prevent site takeovers, hacks, or malware infestation. Many cybercriminals rely on older technologies and guidelines to develop their attack strategy. By eliminating an older version entirely, you can considerably reduce the likelihood of any kind of attack on your site.
  • Last but not least, this can mean reduced legal costs and fewer lawsuits for many organizations.