Box.com requires TLS 1.0, 1.1 & 1.2

In order to get box.com to work on my computer, I had to enable TLS 1.0, 1.1, and 1.2 in Internet Explorer, even though I almost never use IE.

I had turned off all three versions of TLS on security grounds. As a result, I kept getting an error message when I tried to log into Box Sync on my computer (“Cannot connect”).

Box.com help desk’s explanation for the requirement — amazingly — is that SSL 3.0 is not secure so they don’t use it. It’s true there have been issues with SSL 3.0, but TLS, as I understand it, has the same issues plus much worse. [UPDATE: Dan Riley explains why I have it all backwards in the comments.]

On the positive side, I only figured out the source of the problem thanks to efficient and friendly work from ‘Ashley’ at the box.com help desk, so they are doing something right.

This entry was posted in Internet. Bookmark the permalink.

3 Responses to Box.com requires TLS 1.0, 1.1 & 1.2

  1. Dan Riley says:

    Oh my. I think you’ve got that completely backwards. Box is right, SSLv3 ought to be avoided. TLS 1.0 is slightly better than SSLv3, TLS 1.1 and 1.2 are significantly better. If you want to improve your security, you should disable SSLv3 and TLS 1.0, and enable TLS 1.1 and 1.2.

    -dan

  2. I am happy to be corrected. I thought TLS 1.0 was so bad it never saw prime time?

  3. Dan Riley says:

    I think you have the SSL and TLS timelines mixed up. SSLv1 from Netscape never saw release, SSLv2 also had serious security flaws but was widely used. SSLv3 fixed many of those and was eventually published as an historic RFC. SSLv3 is the oldest SSL/TLS version anyone should even consider using, and it is definitely on the way out.

    TLS 1.0 is essentially the IETF standardization of SSLv3 with some minor improvements, TLS 1.1 adds better defenses against attacks on CBC modes (e.g., POODLE), and TLS 1.2 adds new AES and SHA-2 modes.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.