Firefox 74 Will Disable TLS 1.0 and TLS 1.1 by Default

Beginning in March, when Firefox 74 is set to arrive in the release channel, Mozilla will disable older Transport Layer Security (TLS) protocol versions as default options for secure connections.

An improvement over the Secure Sockets Layer (SSL) protocol, TLS is meant to improve the security of the Web, but flaws and weaknesses in older iterations, specifically TLS 1.0 and TLS 1.1, render connections vulnerable to attacks such as BEAST, CRIME and POODLE.

The newer TLS 1.2 and TLS 1.3 versions are both faster and safer, and major browser vendors have already laid out plans to deprecate the older releases to ensure the security of their users.

Mozilla has already introduced the change in Firefox Beta 73, in which the minimum TLS version allowable by default is TLS 1.2. Users shouldn’t notice any connection errors when accessing websites that support TLS 1.2 and up.

However, because TLS version mismatches might occur when websites do not support the newer versions of the protocol, users are given the option to fall back to TLS 1.0 or TLS 1.1 via an override button on the error page.

“As a user, you will have to actively initiate this override. But the override button offers you a choice. You can, of course, choose not to connect to sites that don’t offer you the best possible security,” Thyla van der Merwe, cryptography engineering manager at Mozilla, notes in a blog post.

Van der Merwe encourages operators to upgrade their servers to ensure they provide a secure experience to their users, especially since plans regarding TLS 1.0 and TLS 1.1 deprecation were announced over a year ago.

Firefox 74, which is expected to arrive in the stable channel on March 10 — Mozilla has shifted to a 4-week release cycle — will require TLS 1.2 as the minimum version for secure connections. Users will still be provided with the override button and Mozilla will gather data on how often this button is used.

“These results will then inform our decision regarding when to remove the button entirely. It’s unlikely that the button will stick around for long. We’re committed to completely eradicating weak versions of TLS because at Mozilla we believe that user security should not be treated as optional,” van der Merwe concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
