A group of researchers discovered a flaw in TLS 1.2 (and previous versions) that might allow a man-in-the-middle attacker to obtain a shared session key and decrypt SSL/TLS communication. According to the researchers, the flaw is "extremely difficult to exploit," and key manufacturers have already published security updates for it. Because of the design of the protocol, this attack would be detectable by other protocols used with the same server or client.
TLS 1.2 was introduced in 2014 as a major upgrade from its predecessor, TLS 1.1, which had been deployed in 2001. At the time it was released, experts said it was better protected against hacking attacks than TLS 1.1. However, just like any other protocol, TLS 1.2 can be hacked if an attacker is able to execute an attack vector related to the problem being fixed. In this case, the vulnerability lies in the fact that SSL/TLS uses a single cipher list for all connections, which allows an attacker to manipulate the order of encryption algorithms during connection setup. The problem was identified by researchers from Independent Security Evaluators, who described it as "a serious issue" and "an extremely dangerous flaw."
The good news is that the flaw can only be exploited by an attacker who manages to convince you to connect to him or her using a malicious website. If you are careful not to visit sites that are known to be vulnerable to hacking, you should be safe.
TLS 1.0, among other flaws, is subject to man-in-the-middle attacks, putting the integrity and authentication of data transferred between a website and a browser at risk. API users are strongly advised to set up their servers to support TLS 1.1 or higher well in advance of this date.
TLS (Transport Layer Security): An Improved Version of SSL
Because of SSL's known security weaknesses, security researchers concluded that a stronger and more secure protocol was required. TLS 1.0 was defined in 1999 as a successor to SSL 3.0. It introduced several improvements over SSL 3.0, including support for multiple protocols, greater message integrity, and authentication via public-key mechanisms instead of passwords.
TLS 1.1 was released in 2001 as an improvement upon TLS 1.0. It introduced new functions to provide resistance to known security vulnerabilities, such as heartbeat messages used to ensure that servers are still operating properly.
TLS 1.2 was released in 2009 and introduced some new features that were not available in previous versions of TLS. For example, it supports server-side certificate revocation lists and out-of-band credentials (such as USB tokens), as well as HTTP/2 push. In addition, TLS 1.2 uses cipher suites with elliptic curve cryptography (ECC), which provides additional security against quantum computers. However, ECC is not widely supported by web browsers or email clients today, so this advantage will not be available to users.
SSL: Secure Sockets Layer is a set of standards developed by Netscape Communications Corporation and RSA Data Security, Inc. for creating communication channels between a client and a server that are considered trustworthy.
TLS 1.3 is the most up-to-date and secure version of the TLS protocol. It offers lower latency than previous versions and various additional features. TLS 1.3 is presently supported in Chrome (beginning with version 66) and Firefox (starting with release 60), while support in the Safari and Edge browsers is under development. Support for TLS 1.3 was added in Android 10.
TLS 1.3 is important because it provides some new features that can help protect against cyberattacks. For example, it can be configured to use session tickets, which allow for temporary security credentials that can be used instead of requiring a full handshake each time a page is loaded. A session ticket also allows for faster reconnection after network outages since only the ticket itself needs to be sent before the connection can be reestablished.
TLS 1.3 uses several new technologies to provide these new features. First, there's the use of asymmetric cryptography during key exchange, which removes the need for a trusted third party (such as a certificate authority). Next, there's the use of forward secrecy, which prevents past communications from being used to reconstruct future communications. Forward secrecy is provided by using one-time pads during secret sharing so that even if an attacker manages to decrypt past communications, they won't be able to decrypt subsequent communications without knowing the shared secret.
Furthermore, in October 2018, Apple, Google, Microsoft, and Mozilla (the companies behind the Chrome, Edge, IE, Firefox, and Safari browsers) indicated that they would disable TLS 1.0 and 1.1 by the first half of 2020. Hardening IIS can be a painful process. However, since it's only recommended for security purposes, it shouldn't interfere with your website's functionality.
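Before TLS 1.0 and 1.1 are switched off, it helps to know which connections still negotiate them. The following is an added example, not code from the original article: it reads the negotiated version out of a ServerHello record, including the TLS 1.3 case where the header field still says TLS 1.2 and the real version sits in the supported_versions extension. The function names and the sample records are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {0x0300, 0x0301, 0x0302}   # SSL 3.0 plus TLS 1.0/1.1
EXT_SUPPORTED_VERSIONS = 43


def negotiated_version(record: bytes) -> int:
    """Return the wire value of the version a ServerHello record selects."""
    try:
        ctype, _legacy, rlen = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rlen]
        if ctype != 22 or len(body) != rlen or body[0] != 2:
            raise ValueError("not a complete ServerHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = struct.unpack("!H", hello[:2])[0]
        # Skip legacy_version(2), random(32), session_id, cipher_suite(2),
        # compression_method(1).
        pos = 2 + 32 + 1 + hello[34] + 2 + 1
        # An empty slice here means the hello carries no extensions block.
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                # TLS 1.3 leaves legacy_version at 0x0303; the real value is here.
                return struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + elen
        return version
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ServerHello") from exc


def classify(record: bytes) -> tuple[str, bool]:
    """Return (version name, True if that version is deprecated)."""
    v = negotiated_version(record)
    return NAMES.get(v, hex(v)), v in DEPRECATED


def build_hello(version: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (placeholder cipher suite)."""
    ext = struct.pack("!H", len(extensions)) + extensions if extensions else b""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00\x00\x2f\x00" + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


CONSTRUCTED_SAMPLES = [build_hello(0x0301), build_hello(0x0303),
                       build_hello(0x0303, struct.pack("!HHH", 43, 2, 0x0304))]
```

Calling `classify` on each constructed sample flags only the first one, the TLS 1.0 hello, as deprecated.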