The makers of all popular browsers – IE, Edge, Safari, Firefox, and Chrome included – have announced plans to disable Transport Layer Security (TLS) protocol versions 1.0 and 1.1 by default.
Transport Layer Security (TLS) 1.0 and 1.1 are the early versions of encryption used to secure connections to HTTPS websites. Their job is to provide confidentiality and integrity of data in transit between clients and servers.
This week, and not unexpectedly, all the big browser manufacturers released co-ordinated announcements that TLS 1.0, which will be 20 years old next January, and TLS 1.1 will no longer be supported by their browsers. Newer, updated versions of the security protocol will be favoured instead.
The reasons given for dropping these versions of the protocol are that:
- They are now rarely used. For example, Microsoft announced that fewer than “one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1.”. Apple, more accurately puts the figure at less than 0.36% of all connections.
- 20 years is a is a long time for a security technology to stand unmodified, and newer successor versions of TLS are more advanced, provide better performance and are more secure, e.g. TLS 1.3.
- The finalization of TLS 1.3 by the Internet Engineering Task Force (IETF) in August 2018, means that the proportion of legacy TLS connections will drop even further, and TLS 1.2 is also required for HTTP/2, which should bring performance improvements for the web. Also, vulnerabilities in 1.0 and 1.1 versions will no longer be addressed by the IETF.
- Old versions of TLS rely on MD5 and SHA-1, both now broken, and thought to contain other flaws.
Each browser has given slightly different dates for their formal dropping of TLS 1.0 and 1.1. For Microsoft browsers it will be later this year. For Apple support for TLS 1.0 and 1.1 will end in March 2020. For Mozilla, March 2020 will also be the removal date, and for Google browser users on early release channels, the date will be January 2020.
What Does This Mean For Your Business?
It is understandable that, with these versions being very old and unmodified, and not used by many connections, and with newer, more secure and better performance versions available, now is a good time to end default support for TLS 1.0 and 1.1. We are told that the newer successor versions offer greater security and performance and less vulnerability to certain types of attack e.g. BEAST, LogJam and FREAK (Factoring RSA Export Keys). These benefits are, of course, likely to be attractive to most businesses.
News of the co-ordinated killing-off of these 2 versions of the protocol may not be such great news of course, to those who have websites that still only using TLS 1.0 or 1.1, because browsers will soon flag up those websites as insecure or state that they are unable to connect.