Browser Makers To Drop Support for TLS 1.0 and 1.1 in 2020
Apple, Google, Microsoft and Mozilla are all moving to disable the use of Transport Layer Security (TLS) protocol versions 1.0 and 1.1 in their browsers, giving notice that they'll be dropping support within the first half of 2020.
The browser makers are taking those measures in advance of an Internet Engineering Task Force (IETF) proposal to deprecate TLS versions 1.0 and 1.1, although that proposal is still at the draft stage. The 10-year-old TLS 1.2 version has been recommended for use by the IETF since 2008, but even version 1.2 has "now itself been superseded by TLSv1.3," the IETF's draft proposal argued.
The TLS protocol is used to create a secure channel during an Internet connection, typically between client and server. The current proposed standard by the IETF is TLS version 1.3.
TLS 1.0 and 1.1 are being "actively deprecated" by government agencies and the Payment Card Industry Association. TLS 1.0 requires the use of older cipher suites, and it doesn't support recommended ones, such as "using AEAD [Authenticated Encryption with Associated Data] ciphers." Handshaking using TLS 1.0 depends on using SHA-1 hashes, which can be broken by a "downgrade attack," the proposal added. The IETF draft proposal stated that both TLS 1.0 and 1.1 "must not be used."
The use of TLS versions 1.0 and 1.1 is down, with browser makers reporting that less than 1 percent of all connections are using those protocol versions. An Apple announcement indicated that "complete support [for those versions] will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020."
Google, for its part, plans to show deprecation warnings for the use of TLS 1.0 and 1.1 when it releases Chrome 72, and it'll disable those protocol versions with the release of Chrome 81. "This will affect users on early release channels starting January 2020," Google explained in an announcement.
Microsoft announced plans to disable TLS 1.0 and 1.1 in its Edge and Internet Explorer 11 browsers "in the first half of 2020." The announcement added that "sites should begin to move off of TLS 1.0 and 1.1 as soon as is practical."
Mozilla is planning to disable TLS 1.0 and 1.1 support in its Firefox browser "in March of 2020," according to an announcement, although this change likely will show up earlier in its pre-release browser versions. Mozilla's announcement suggested that while TLS 1.0 doesn't necessarily require immediate action, the protocol just lacks proper cryptographic capabilities. Mozilla recommends moving to TLS 1.3:
"For sites that need to upgrade, the recently released TLS 1.3 includes an improved core design that has been rigorously analyzed by cryptographers. TLS 1.3 can also make connections faster than TLS 1.2. Firefox already makes far more connections with TLS 1.3 than with TLS 1.0 and 1.1 combined."
Qualys' SSL Pulse statistics site is showing that TLS 1.2 is the most-used version of the protocol, with 94 percent of sites using it, based on an October 2018 sampling.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.