Big browsers to pull support plug for TLS 1.0 and 1.1 encryption protocols in early '20

Credit to Author: Gregg Keizer | Date: Tue, 16 Oct 2018 04:06:00 -0700

The makers of the four biggest browsers all said Monday that their applications will drop support for the TLS (Transport Layer Security) 1.0 and 1.1 encryption protocols in early 2020.

“In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1,” wrote Martin Thomson, principal engineer at Mozilla, in a post to a company blog.

Other browser developers, including Apple (Safari), Google (Chrome) and Microsoft (Edge and Internet Explorer), issued similar notices. All pegged early 2020 as the target for disabling support.

TLS is the successor to the better-known SSL (Secure Sockets Layer) encryption protocol; SSL and TLS secure data communications between the browser and the destination server so that criminals cannot read the traffic and, by doing so, spy on users or steal valuable information, such as log-on credentials and credit card numbers.

Both TLS 1.0 and 1.1 – the former will turn 20 in January – have been made obsolete by the later 1.2 and 1.3 protocols. TLS 1.3 was just defined in August by the Internet Engineering Task Force (IETF), the organization that develops the voluntary standards necessary for the Internet to operate. All four browsers now support TLS 1.2, and Chrome and Firefox have introduced support for the draft specification of TLS 1.3.

Most websites already support TLS 1.2 – Qualys cited 94% in its Oct. 2 survey of an Internet sample – and browsers relatively rarely see traffic encrypted with TLS 1.0 or 1.1. Microsoft claimed that less than 1% of daily connections made with Edge used 1.0/1.1, Mozilla said about 1.2% of the connections reaching the beta of Firefox 62 in August and September relied on the protocols, and Apple asserted that 1.0 and 1.1 accounted for less than 0.4% of all connections to Safari on Apple’s platforms.

Even so, the browser builders plan to give site owners considerable time before the plug is pulled. “We understand that upgrading something as fundamental as TLS can take some time,” said Mozilla’s Thomson. “This change affects a large number of sites. That is why we are making this announcement so far in advance of the March 2020 removal date.”

Each developer will hew to its own schedule even though their final ditching dates may cluster.

Apple will remove support for TLS 1.0 and 1.1 from Safari in March 2020 via updates to macOS and iOS.

Google will start deprecating the protocols in Chrome 72, slated to ship in January 2019; at that time, warnings will begin appearing in the DevTools console. Support for TLS 1.0 and 1.1 will evaporate as of Chrome 81, which should release around March 2020. “(But) this will affect users on early release channels starting January 2020,” warned David Benjamin, a Google engineer.

Benjamin added that enterprises would be able to extend TLS 1.0 or 1.1 support until January 2021 by setting the SSLVersionMin policy to “tls1.0” or “tls1.1” respectively.

Microsoft was less transparent than rivals, saying only that the protocols would be disabled by default “in the first half of 2020.” The action would be taken in Edge, the Windows 10-only browser, and Internet Explorer 11 (IE11), now relegated to a legacy role.

Mozilla will strike TLS 1.0/1.1 support from Firefox in March 2020, but like Google, the developer cautioned users that the change will reach preview builds – the Beta, Developer and Nightly channels – earlier than that. “We will announce specific dates when we have more detailed plans,” Thomson said.
