Security Experts:

Browser Makers Delay Removal of TLS 1.0 and 1.1 Support

Google, Microsoft and Mozilla are delaying plans to disable support for the Transport Layer Security (TLS) 1.0 and 1.1 protocols in Chrome, Edge, Internet Explorer, and Firefox.

TLS 1.0 is over two decades old, and TLS 1.1 was only meant to address some limitations in the former and prevent specific attacks. Both are known to include weaknesses, some addressed in TLS 1.2, which was released over a decade ago.

In 2018, TLS 1.3 was approved and published as RFC 8446, after four years of work. It is both faster and more secure compared to its predecessors, and many tech companies are advocating for its broad adoption.

In October 2018, major browser makers announced that support for the old and insecure TLS 1.0 and 1.1 protocol versions would be removed in March 2020, but such plans have been postponed due to the current COVID-19 pandemic.

Microsoft now says it is still on track to remove support for TLS 1.0 and 1.1 this year, but that the change will be made months later than initially announced.

“In light of current global circumstances, we will be postponing this planned change—originally scheduled for the first half of 2020,” the tech giant said.

At the moment, the company plans on disabling the older protocol iterations in the new Microsoft Edge (based on Chromium) in version 84, which is currently planned for July 2020.

As for the supported versions of Internet Explorer 11 and Microsoft Edge Legacy (EdgeHTML-based), the current plan involves removing support for TLS 1.0 and TLS 1.1 on September 8, 2020.

Google will remove support for both protocol versions in the stable release of Chrome 83, which is set to arrive in mid-May — the company skipped Chrome 82 entirely due to the coronavirus crisis.

“Previously, we showed a deprecation warning in DevTools. In M-79, Chrome marked affected sites as ‘Not Secure’. In M-83, Chrome will show a full page interstitial warning on sites that do not support TLS 1.2 or higher,” the company says.

Mozilla, which disabled TLS 1.0 and 1.1 in Firefox 74, reverted the change without providing a new timeline for when support for these protocol versions would be removed.

“We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information,” the browser maker noted in updated release notes for Firefox 74.

Although TLS 1.0 and 1.1 remain in use, site admins are advised to transition to TLS 1.2 or TLS 1.3 as soon as possible to ensure there are no disruptions when browsers remove support for the older protocols.

“While these protocols will remain available for customers to re-enable as needed, we recommend that all organizations move off of TLS 1.0 and TLS 1.1 as soon as is practical. Newer versions of the TLS protocol enable more modern cryptography and are broadly supported across modern browsers, such as the new Microsoft Edge,” Microsoft said.

Related: Major Browsers to Kill TLS 1.0, 1.1

Related: IETF Publishes TLS 1.3 as RFC 8446

view counter