Beginning in March, when Firefox 74 is set to arrive in the release channel, Mozilla will disable older Transport Layer Security (TLS) protocol versions as default options for secure connections.
An improvement over the Secure Sockets Layer (SSL) protocol, TLS is meant to improve the security of the Web, but flaws and weaknesses in older iterations, specifically TLS 1.0 and TLS 1.1, render connections vulnerable to attacks such as BEAST, CRIME and POODLE.
The newer TLS 1.2 and TLS 1.3 versions are both faster and safer, and major browser vendors have already laid out plans to deprecate the older releases to ensure the security of their users.
Mozilla has already introduced the change in Firefox Beta 73, in which the minimum TLS version allowable by default is TLS 1.2. Users shouldn’t notice any connection errors when accessing websites that support TLS 1.2 and up.
However, because TLS version mismatches might appear if websites do not include support for the newer versions of the protocol, users are provided with the option to fall back to TLS 1.0 or TLS 1.1 via an override button on the error page.
“As a user, you will have to actively initiate this override. But the override button offers you a choice. You can, of course, choose not to connect to sites that don’t offer you the best possible security,” Thyla van der Merwe, cryptography engineering manager at Mozilla, notes in a blog post.
Van der Merwe encourages operators to upgrade their servers to ensure they provide a secure experience to their users, especially since plans regarding TLS 1.0 and TLS 1.1 deprecation were announced over a year ago.
Firefox 74, which is expected to arrive in the stable channel on March 10 — Mozilla has shifted to a 4-week release cycle — will require TLS 1.2 as the minimum version for secure connections. Users will still be provided with the override button and Mozilla will gather data on how often this button is used.
“These results will then inform our decision regarding when to remove the button entirely. It’s unlikely that the button will stick around for long. We’re committed to completely eradicating weak versions of TLS because at Mozilla we believe that user security should not be treated as optional,” van der Merwe concludes.
