All Browser Vendors Unite: Goodbye to TLS 1.0 and 1.1 on 2020
The second browser wars is still raging since the release of Firefox in 2002; more browsers entered the mainstream since then. The former browser champion, Internet Explorer has virtually left the competition in 2015 due to Microsoft’s decision to deprecate it in favor of Edge. Regardless of their differences, modern web-browsers are all in agreement that in order to secure the Internet, old and outdated encryption protocols need to be discarded. In 2020, all browser vendors will agree to finally delete support for TLS 1.0 and 1.1.
TLS 1.3, the latest encryption standard for the web has been enabled in the latest versions of Google Chrome, Apple Safari, Mozilla Firefox, and Microsoft Edge. This commonality enables the feasibility of removing support for TLS protocol older than 1.2. The POODLE and BEAST exploits targeting TLS 1.0 and 1.1 accelerated the need to stop using those two old protocols.
One of the most vocal browser vendors that are aggressive against the use of TLS 1.0 and 1.1 is Microsoft. Dealing with old encryption means bringing-in the vulnerabilities to their newer version of Edge, a position they cannot tolerate. “Two decades is a long time for a security technology to stand unmodified. While we aren’t aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1, vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure web for everyone. Additionally, we expect the IETF to formally deprecate TLS 1.0 and 1.1 later this year, at which point protocol vulnerabilities in these versions will no longer be addressed by the IETF,” explained Microsoft.
Apple on their part commented that Safari is compliant with the newest TLS protocols, and only a small portion of their users that are not yet updating to the latest version uses TLS older than 1.2. “Now is the time to make this transition. Properly configured for App Transport Security (ATS) compliance, TLS 1.2 offers security fit for the modern web. It is the standard on Apple platforms and represents 99.6% of TLS connections made from Safari. TLS 1.0 and 1.1 — which date back to 1999 — account for less than 0.36% of all connections. With the recent finalization of TLS 1.3 by the IETF in August 2018, the proportion of legacy TLS connections will likely drop even further. TLS 1.2 is also required for HTTP/2, which delivers significant performance improvements for the web,” Apple stressed.
Google, the current king of both search and the browser wars is also concerned about user’s security. They already set the version of Chrome that will finally delete the support of TLS 1.0 and 1.1. “In line with these industry standards, Google Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72. Sites using these versions will begin to see deprecation warnings in the DevTools console in that release. TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020,” said Google.
Users should embrace the incoming changes, as in the field of technology improvements, a 20-year-old technology (TLS 1.0) and a 12-year-old technology (TLS 1.1) is just opening a can of worms.
Kevin Jones940 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.