GitHub has decided to stop supporting the TLS 1.0 and 1.1 protocols in the NPM package repository and on all sites associated with the NPM package manager, including npmjs.com. Starting from October 4, a client that supports at least TLS 1.2 will be required to connect to the repository, including for installing packages. On GitHub itself, TLS 1.0 / 1.1 support was discontinued in February 2018. The stated reason is concern for the security of its services and the confidentiality of user data. According to GitHub, about 99% of requests to the NPM repository are already made using TLS 1.2 or 1.3, and Node.js has included support for TLS 1.2 since 2013 (starting from release 0.10), so the change will affect only a small share of users.
Recall that the IETF (Internet Engineering Task Force) has officially moved the TLS 1.0 and 1.1 protocols into the category of obsolete technologies. The TLS 1.0 specification was published in January 1999. Seven years later, the TLS 1.1 update was released with security improvements related to the generation of initialization vectors and padding. Among the main problems of TLS 1.0 / 1.1 are the lack of support for modern ciphers (for example, ECDHE and AEAD) and the requirement to support old ciphers whose reliability is questioned at the current level of computing technology (for example, support for TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is required, and MD5 and SHA-1 are used for integrity checking and authentication). Support for outdated algorithms has already led to attacks such as ROBOT, DROWN, BEAST, Logjam and FREAK. However, these problems were not vulnerabilities in the protocol itself and were closed at the level of its implementations. The TLS 1.0 / 1.1 protocols themselves have no critical vulnerabilities that can be used to carry out practical attacks.