As a part of a coordinated movement among four of the biggest names in technology, the old security protocols TLS 1.0 and 1.1 will be removed in Safari, Edge, Internet Explorer, Firefox and Chrome in 2020.
Apple, Microsoft, Mozilla, and Google have teamed up to purge the internet of these old and faulty protocols, noting that most people have now moved to TLS 1.2, if not TLS 1.3.
Although 94 percent of sites are already compatible with version 1.2, a phase-out period over the next 18 months will give everyone a chance to catch up.
The developers of the browsers Firefox, Chrome, Edge and Safari warned of the imminent termination of support for the TLS 1.0 and TLS 1.1 protocols:
- In Firefox, TLS 1.0 / 1.1 support will be discontinued in March 2020, but these protocols will be disabled earlier in trial and nightly versions.
- In Chrome, TLS 1.0 / 1.1 support will be discontinued as of Google Chrome version 81, which is expected in January 2020.
- In Google Chrome version 72, which will be released in January 2019, a special warning about the use of an outdated version of TLS will be displayed when opening sites that use TLS 1.0 / 1.1. The settings that make it possible to re-enable support for TLS 1.0 / 1.1 will remain until January 2021.
- In the Safari web browser and the WebKit engine, support for TLS 1.0 / 1.1 will be discontinued in March 2020.
- In the Microsoft Edge web browser and Internet Explorer 11, the removal of TLS 1.0 and TLS 1.1 is expected in the first half of 2020.
The TLS 1.0 specification was released in January 1999. Seven years later, the TLS 1.1 update was released with security enhancements related to the generation of initialization vectors and padding.
The Internet Engineering Task Force (IETF), which is involved in the development of Internet protocols and architecture, has already published a draft specification that renders the TLS 1.0 / 1.1 protocols obsolete.
The fact that the protocols are still in use after 20 years is one of the reasons the IETF is expected to officially deprecate them later this year, although no announcement has been made yet.
The vast majority of users and servers already use TLS 1.2+
The percentage of requests using TLS 1.0 on the web is 0.4% for Chrome users and 1% for Firefox users.
Of the 2 million largest sites rated by Alexa, only 1.0% are limited to TLS 0.1 and 1.1% - TLS XNUMX.
According to Cloudflare statistics, approximately 9.3% of requests through Cloudflare's content delivery network are made using TLS 1.0. TLS 1.1 is used in 0.2% of cases.
According to Qualys SSL Pulse, 94% of websites support the TLS 1.2 protocol, which allows a secure connection to be established.
“Two decades is a long time for a safety technology to remain unchanged. While we are not aware of significant vulnerabilities with our updated implementations of TLS 1.0 and TLS 1.1, there are vulnerable third-party implementations,” said Kyle Pflug, senior program manager at Microsoft Edge.
Mozilla data collected via Firefox telemetry shows that only 1.11% of secure connections were established using the TLS 1.0 protocol. For TLS 1.1, this figure is 0.09%, for TLS 1.2 - 93.12%, for TLS 1.3 - 5.68%.
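Before disabling TLS 1.0 / 1.1 on a server, an operator can measure the same kind of per-version share from their own traffic and see which clients would be cut off. The following is an added example, not part of the original article; it assumes an nginx access log whose `log_format` ends with `"$ssl_protocol" "$http_user_agent"`, and the log lines, addresses and user agents are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample access log. Assumption: the nginx log_format ends with
# "$ssl_protocol" "$http_user_agent" (nginx logs "-" for plaintext requests).
SAMPLE_LOG = '''\
192.0.2.10 - - [15/Oct/2018:09:00:01 +0000] "GET / HTTP/1.1" 200 512 "TLSv1.2" "Firefox/62.0"
192.0.2.11 - - [15/Oct/2018:09:00:02 +0000] "GET / HTTP/1.1" 200 512 "TLSv1.2" "Chrome/69.0"
192.0.2.12 - - [15/Oct/2018:09:00:03 +0000] "GET /a HTTP/1.1" 200 90 "TLSv1.3" "Firefox/63.0"
198.51.100.7 - - [15/Oct/2018:09:00:04 +0000] "POST /api HTTP/1.1" 200 31 "TLSv1" "legacy-agent/1.0"
198.51.100.7 - - [15/Oct/2018:09:00:05 +0000] "POST /api HTTP/1.1" 200 31 "TLSv1" "legacy-agent/1.0"
203.0.113.9 - - [15/Oct/2018:09:00:06 +0000] "GET / HTTP/1.1" 200 512 "TLSv1.1" "old-browser/4.0"
192.0.2.10 - - [15/Oct/2018:09:00:07 +0000] "GET /b HTTP/1.1" 200 77 "TLSv1.2" "Firefox/62.0"
192.0.2.13 - - [15/Oct/2018:09:00:08 +0000] "GET / HTTP/1.1" 200 512 "TLSv1.2" "Safari/12.0"
192.0.2.14 - - [15/Oct/2018:09:00:09 +0000] "GET / HTTP/1.1" 301 0 "-" "curl/7.61"
truncated line without the expected fields
'''

# client address ... "request" status bytes "ssl_protocol" "user_agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*" \d{3} \d+ "(?P<proto>[^"]*)" "(?P<ua>[^"]*)"$')
LEGACY = {"TLSv1", "TLSv1.1"}  # values nginx reports for TLS 1.0 and TLS 1.1


def audit(log_text):
    """Return (percent share per TLS version, legacy clients, skipped lines)."""
    counts, legacy_clients, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Skip malformed lines and plaintext requests (protocol logged as "-").
        if not m or not m["proto"].startswith("TLSv"):
            skipped += 1
            continue
        counts[m["proto"]] += 1
        if m["proto"] in LEGACY:
            # Key on address and user agent to see who breaks after the cutoff.
            legacy_clients[(m["ip"], m["ua"])] += 1
    total = sum(counts.values())
    share = {p: round(100 * n / total, 2) for p, n in counts.items()}
    return share, legacy_clients, skipped


if __name__ == "__main__":
    share, legacy_clients, skipped = audit(SAMPLE_LOG)
    print("share of TLS requests (%):", share)
    print("clients still on TLS 1.0 / 1.1:", dict(legacy_clients))
    print("lines skipped:", skipped)
```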
The main issues in TLS 1.0 / 1.1 are the lack of support for modern ciphers (e.g. ECDHE and AEAD) and the requirement to support old ciphers whose reliability is questionable at the current stage of computing development (e.g., support for TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is required to verify).
Support for legacy algorithms has already led to attacks such as ROBOT, DROWN, BEAST, Logjam, and FREAK.
However, these issues were not vulnerabilities in the protocols themselves and were fixed at the implementation level.
The TLS 1.0 / 1.1 protocols themselves do not have critical vulnerabilities that can be used to carry out practical attacks.