News

Browser Makers To Drop Support for TLS 1.0 and 1.1 in 2020

Apple, Google, Microsoft and Mozilla are all moving to disable the use of the Transport Layer Security (TLS) protocols versions 1.0 and 1.1 in their browsers, giving notice that they'll be dropping support within the first half of 2020.

The browser makers are taking those measures in advance of an Internet Engineering Task Force (IETF) proposal to deprecate TLS versions 1.0 and 1.1, although that proposal is still at the draft stage. The 10-year-old TLS 1.2 version has been recommended for use by the IETF since 2008, but even version 1.2 has "now itself been superceded by TLSv1.3," the IETF's draft proposal argued.

The TLS protocol is used to create a secure channel during an Internet connection, typically between client and server. The current proposed standard by the IETF is TLS version 1.3.

TLS 1.0 and 1.1 are being "actively deprecated" by government agencies and the Payment Card Industry Association. TLS 1.0 requires the use of older cipher suites, and it doesn't support recommended ones, such as "using
AEAD [Authenticated Encryption with Associated Data] ciphers." Handshaking using TLS 1.0 depends on using SHA-1 hashes, which can be broken by a "downgrade attack," the proposal added. The IETF draft proposal stated that both TLS 1.0 and 1.1 "must not be used."

The use of TLS versions 1.0 and 1.1 is down, with browser makers reporting that less than 1 percent of all connections are using those protocol versions. An Apple announcement indicated that "complete support [for those versions] will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020."

Google, for its part, plans to show deprecation warnings for the use of TLS 1.0 and 1.1 when it releases Chrome 72, and it'll disable those protocol versions with the release of Chrome 81. "This will affect users on early release channels starting January 2020," Google explained in an announcement.

Microsoft announced plans to disable TLS 1.0 and 1.1 in its Edge and Internet Explorer 11 browsers "in the first half of 2020." The announcement added that "sites should begin to move off of TLS 1.0 and 1.1 as soon as is practical."

Mozilla is planning to disable TLS 1.0 and 1.1 support in its Firefox browser "in March of 2020," according to an announcement, although this change likely will show up earlier in its pre-release browser versions. Mozilla's announcement suggested that while TLS 1.0 doesn't necessarily require immediate action, the protocol just lacks proper cryptographic capabilities. Mozilla recommends moving to TLS 1.3:

For sites that need to upgrade, the recently released TLS 1.3 includes an improved core design that has been rigorously analyzed by cryptographers. TLS 1.3 can also make connections faster than TLS 1.2. Firefox already makes far more connections with TLS 1.3 than with TLS 1.0 and 1.1 combined.

Qualys' SSL Pulse statistics site is showing that TLS 1.2 is the most-used version of the protocol, with 94 percent of sites using it, based on an October 2018 sampling.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Featured

  • RAMBleed Side-Channel Attack Method Disclosed by Researchers

    Academic researchers this week published information about another side-channel attack method, called "RAMBleed," that can expose information from memory chips, including encryption key information.

  • Penguin

    Windows 10 Preview Build 18917 Shows Off New Linux Integration

    Microsoft's latest Windows 10 "fast-ring" preview release is showcasing a coming Delivery Optimization enhancement, along with the ability to try the newly emerged Windows Subsystem for Linux version 2.

  • Customizing Microsoft Office 365

    While the overall look and feel of Office 365 is pretty standard across organizations, there are several ways to personalize it and make it fit better with your company's specific needs.

  • Microsoft 365 Business Tenants Getting Conditional Access and Trouble-Ticket Features

    Microsoft added its conditional access security service to Microsoft 365 Business subscriptions, according to a Wednesday announcement, and it also added new trouble-ticket features for Microsoft 365 administrators.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.