ngrok keeps your applications secure with modern TLS standards

At ngrok, we're committed to giving developers secure, modern infrastructure that protects their applications and services by default. Today, we're announcing the deprecation of Transport Layer Security (TLS) versions 1.0 and 1.1 across all ngrok endpoints, effective immediately.

ngrok has defaulted to using TLS 1.2 since 2021, when the Internet Engineering Task Force officially deprecated the protocol. For customers to have used an insecure protocol, they would have needed to override ngrok's default configurations.

The case for modern cryptographic standards

TLS 1.0 and 1.1 have been deprecated since 2021 due to well-documented weaknesses that make them unsafe. Continuing to support them can expose developers to risks, like downgrade attacks and weak encryption.

The cryptographic weaknesses inherent in TLS 1.0 and 1.1 include:

• Vulnerable cipher suites: Support for weak encryption algorithms including RC4, DES, and export-grade ciphers
• Hash collision susceptibility: Reliance on SHA-1 and MD5 hashing algorithms with known collision vulnerabilities
• Protocol downgrade attacks: Insufficient protection against POODLE and BEAST attack vectors
• Weak key exchange mechanisms: Support for static RSA key exchange without forward secrecy

Until today, ngrok continued supporting these deprecated protocols for customers who relied on them for critical workflows. We've worked closely with affected customers to migrate their systems to secure protocols with minimal disruption, and can now fully remove them from our platform.

Enhanced security posture

With this change, all ngrok traffic now benefits from the same level of security expected from major cloud providers and financial institutions.

By enforcing TLS 1.2 as the minimum supported version, all data transmitted through ngrok endpoints utilizes modern cryptographic primitives proven resilient through extensive security analysis:

• Strong cipher suites: AES-GCM, ChaCha20-Poly1305, and other authenticated encryption modes
• Robust hash algorithms: SHA-256, SHA-384, and SHA-512 cryptographic hash functions
• Forward secrecy: Ephemeral Diffie-Hellman (DHE) and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange
• Certificate transparency: Enhanced validation through CT log verification

Improved SSL/TLS assessment scores

Organizations relying on automated security scanning tools will immediately benefit from this change. SSL testing platforms, particularly Qualys SSL Labs' SSL Server Test, will now assign significantly higher grades to ngrok endpoints, reflecting stronger protocols, cipher choices, and forward secrecy.

This improvement also simplifies compliance reviews: ngrok endpoints now align with PCI DSS 3.2.1, NIST SP 800-52r2, and OWASP TLS best practices.

Commitment to security excellence

This update is part of our ongoing effort to make ngrok the most secure way to expose your services to the internet. We'll continue to evolve our infrastructure so you can focus on building, knowing your connections are protected by design.

Learn more about ngrok's security practices at https://trust.ngrok.com/.