
SecurityWeek


Major Browsers to Kill TLS 1.0, 1.1

All major web browsers will deprecate support for the older Transport Layer Security (TLS) 1.0 and 1.1 traffic encryption protocols in the first half of 2020.

Apple, Google, Microsoft and Mozilla on Monday announced plans to kill the protocols in their browsers to provide users with better security.


The move is not surprising, given that TLS 1.0 will turn 20 in January 2019 and TLS 1.3 is already half a year old. As for TLS 1.1, it was mainly designed to address a limitation of TLS 1.0 and prevent specific attacks that can be addressed in other ways.

“Two decades is a long time for a security technology to stand unmodified. […] vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure Web for everyone,” Microsoft says.

Both TLS 1.0 and 1.1 are known to include weaknesses, some of which were addressed with the release of TLS 1.2 a decade ago. Despite that, however, the protocols continue to be supported by more than 70% of all websites.

“These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1,” Google notes in a blog post.

TLS 1.2, which is a prerequisite for HTTP/2, delivers significant performance improvements for the web, provides better security, and is already supported by over 94% of websites. Apple says TLS 1.2 is used in 99.6% of TLS connections made from Safari.

TLS 1.3 too is expected to soon start seeing broad adoption, so the percentage of legacy TLS connections will likely drop further.


“Additionally, we expect the IETF to formally deprecate TLS 1.0 and 1.1 later this year, at which point protocol vulnerabilities in these versions will no longer be addressed by the IETF,” Microsoft points out.

Thus, in March 2020, support for legacy TLS 1.0 and 1.1 connections will be removed in all major browsers, including Chrome, Firefox, Safari, and Microsoft’s Edge and Internet Explorer 11.

Because upgrading TLS could take a lot of time, the initial announcement is being made a year and a half before the planned deprecation to ensure that website developers have enough time to complete the transition to TLS 1.2 or newer.

“For sites that need to upgrade, the recently released TLS 1.3 includes an improved core design that has been rigorously analyzed by cryptographers. TLS 1.3 can also make connections faster than TLS 1.2,” Mozilla notes.

Only a small number of websites should be impacted by the change, and servers can enable both modern and legacy options to continue supporting legacy clients, even if that will carry security risks (DROWN, FREAK, and ROBOT attacks).
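For site operators preparing for the change, the following added example (not from the article or any of the vendors quoted) scans nginx configuration text for `ssl_protocols` directives that still enable TLS 1.0 or 1.1 and separates mixed setups from legacy-only ones. The sample configuration and host names are constructed, and each directive is assumed to sit on a single line.

```python
import re

# nginx writes TLS 1.0 as "TLSv1" and TLS 1.1 as "TLSv1.1" in ssl_protocols.
LEGACY = {"TLSv1": "TLS 1.0", "TLSv1.1": "TLS 1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);")

# Constructed sample configuration; host names are placeholders.
SAMPLE = """\
server {
    listen 443 ssl;
    server_name shop.example;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name legacy.example;
    # ssl_protocols TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1 TLSv1.1;
}
server {
    listen 443 ssl;
    server_name api.example;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def audit_ssl_protocols(config_text):
    """Return one finding per active ssl_protocols directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue  # commented-out or unrelated line
        enabled = match.group(1).split()
        legacy = [LEGACY[p] for p in enabled if p in LEGACY]
        if not legacy:
            verdict = "ok"
        elif any(p in MODERN for p in enabled):
            verdict = "mixed"        # works everywhere, keeps legacy exposure
        else:
            verdict = "legacy-only"  # updated browsers will not connect
        findings.append({"line": lineno, "legacy": legacy, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE):
        print(f"line {f['line']}: {f['verdict']} {f['legacy']}")
```

A "mixed" result is the configuration the article describes as still serving legacy clients at a security cost; "legacy-only" marks sites that must upgrade before the browser cut-off.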


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
