Microsoft has announced that it will be retiring 3DES at the end of February. If you have any applications still using 3DES, they won’t be able to connect to Office 365 after February 28th. This announcement is part of Microsoft’s implementation of TLS 1.2, replacing TLS 1.0/1.1.
3DES, TLS and Other TLA’s
First, let’s take a moment to review these three- and four-letter acronyms. 3DES, aka “triple dez,” is an encryption cipher. Technically, 3DES stands for “Triple Data Encryption Algorithm,” which would seem to make it 3DEA. But it is based on the Data Encryption Standard (DES) so we can give it a pass. 3DES is being phased out because NIST has recommended that the algorithm be phased out in favor of more recent and stronger data encryption algorithms.
TLS 1.2 is one of those stronger ones. TLS stands for Transport Layer Security. It concerns itself with encryption of data while in transit (thus being transported; see what I did there?) Microsoft has already recommended that customers move to implementation of TLS 1.2, although it has not (yet) announced end of support for applications using TLS 1.0 or 1.1.
Find Out if You Have Applications Using 3DES and TLS Encryption Protocols
Your goal here is to get out in front of this 3DES-geddon. Otherwise, you’ll find out on March 1st if you have 3DES-based connections–when you review your support tickets for the day and see the tickets for services that won’t connect. You want to ensure that all client-server and browser-server connections using 3DES to connect to Office 365 services have been updated before you get to March 1st.
Get Thee to SecureScore
Fortunately, Microsoft has provided a way to find out if you have any of these kinds of connections or not.
- Go to http://securescore.microsoft.com. (Yes, the same SecureScore that I offered to walk you through. For free! Send me a note or give me a call. Operators are standing by.)
- Click on the Score Analyzer tab at the top of the browser window.
- Scroll down the page and click on Incomplete Actions.
- Find the entry for Remove TLS dependencies.
- Click on the Learn More button.
- A new window will open. Click on the Launch now button.
- This will open a new browser tab and take you to the Service Trust Portal. (http://servicetrust.microsoft.com) You’ll probably be asked to sign in again.
- From there, click the Download button to access the report on 3DES and TLS 1.0/1.1 use. Note that you have to be an Office 365 tenant administrator to complete this action.
Here’s what CGNET’s report looked like.
You can see that we don’t have any connections using 3DES, although we do have a few people with older smartphones that are using TLS 1.0/1.1. We’ve also run the report for the CGIAR and other organizations where we provide Office 365 tenant management.
Act Now to Feel Better Soon
A lot of Microsoft service changes can be safely ignored, as they have no user impact. This change isn’t one of those. So log in, download the report, and take action if needed. If you’re not sure what to do at that point, let us know.
Just don’t ignore this advisory and hope for the best. Because we all know that
Hope is not a strategy