Three of the biggest tech companies, Apple, Microsoft, and Google, have made a cornerstone announcement regarding the support for TLS 1.1 and TLS 1.0. Mozilla is also “in” on this change. In a coordinated effort, the companies shared their intentions to end the support for TLS 1.1 and TLS 1.0, thus making TLS 1.2 the default, with interested parties encouraged to add support for TLS 1.3 as soon as possible.
What does this mean? All major browsers, like Apple Safari, Google Chrome, Internet Explorer and Microsoft Edge will be deprecating support for TLS 1.1 and TLS 1.0 by the beginning of 2020.
So, What Is TLS?
Shortly said, TLS (Transport Layer Security) is a cryptographic protocol which is designed to provide communications security over a computer network. Several versions of the protocols are widely used in applications like web browsing, email, instant messaging, and voice over IP (VoIP). Websites, in particular, can use TLS to secure all communications between their servers and web browsers.
In other words, TLS provides an encrypted channel that allows the data users submit and receive from secure web sites sites to be encrypted and thus inaccessible to unwanted parties. TLS gets in the way of eavesdropping on users’ communications, and is crucial to the privacy of information such as user names, passwords, financial information, and in general, all types of PII.
In fact, TLS is the successor to Secure Sockets Layer. SSL is still used colloquially, but TLS has been adopted since 1999. The last remains of SSL, support for SSL 3.0, is also considered a bad idea, with most organizations having dropped it because of itsknown security vulnerabilities.
January 19 will mark the 20 year anniversary of TLS 1.0, experts point out. It is curious to note that the payment card industry, for instance, was mandated to deprecate support for TLS 1.0 earlier this year, while ending support for TLS 1.1 was strongly recommended as well.
TLS 1.0 and TLS 1.1 are both considered unsafe because of the outdated algorithms and cryptographic functions they use, such as SHA-1 and MD5, and because they lack modern security features. Microsoft noted that “two decades is a long time for a security technology to stand unmodified”.
While we aren’t aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1, vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure Web for everyone. Additionally, we expect the IETF to formally deprecate TLS 1.0 and 1.1 later this year, at which point protocol vulnerabilities in these versions will no longer be addressed by the IETF.
What Is the Time Frame for Ending Support for TLS 1.0 and TLA 1.1?
Google says it is going to deprecate TLS 1.0 and TLS 1.1 Chrome 72. Developers will be notified via deprecation warnings located in the Developer Tools, with the protocols being entirely disabled with the introductions of Chrome 81.
Mozilla plans to drop support in Firefox for TLS 1.0 and TLS 1.1 in March 2020. However, users of Beta, Developer, and Nightly builds of Firefox should know that these changes will be implemented sooner.
Microsoft’s end of support date for TLS 1.0 and 1.1 in Edge and Internet Explorer 11 is situated in the first half of 2020. As for Apple, the company will deprecate support in iOS and macOS in March 2020.