All major browsers drop TLS 1.0 and 1.1 in 2020
All major web browser makers announced on October 15, 2018 that their browsers will stop supporting TLS 1.0 and TLS 1.1 in 2020.
The change was announced by Google, Apple, Microsoft, and Mozilla on company websites.
Transport Layer Security (TLS) is a security protocol used on the Internet to protect Internet traffic. It uses encryption to protect the data from eavesdropping.
TLS 1.0 and TLS 1.1 are old standards. TLS 1.0 turned 19 this year, a very long time on the Internet. The main issue with TLS 1.0 is not that the protocol has known security issues but that it doesn't support modern cryptographic algorithms.
TLS 1.1, on the other hand, is used by only 0.1% of all connections, and while it addresses some limitations of TLS 1.0, newer standards such as TLS 1.2 or TLS 1.3 are better suited going forward. It is also relatively old, as it turned 10 recently.
The use of more modern protocol versions improves the performance and security of connections by introducing features such as perfect forward secrecy and resistance to downgrade-related attacks. TLS 1.2 is also a requirement for HTTP/2, which offers performance improvements when used.
Telemetry data collected by browser makers shows that more than 99% of connections already use TLS 1.2 or higher. About 0.5% of all HTTPS connections in Chrome use TLS 1.0 or 1.1, and the figures are similar for other browsers.
TLS 1.3 final was published by the Internet Engineering Task Force in August 2014. It is a major update of TLS 1.2 that significantly improves the speed and security of connections. One major speed gain is the reduction to a single round-trip for handshakes (TLS 1.2 uses two round-trips). More and more sites on the Internet adopt TLS 1.3 to benefit from what the standard provides.
Mozilla Firefox, Microsoft Edge, Google Chrome, and Apple Safari will drop support for TLS 1.0 and TLS 1.1 in March 2020.
The change affects a large number of sites and services. While many can be upgraded to only support TLS 1.2 and TLS 1.3, sites and devices that are no longer supported may never receive updates to support these new versions.
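To find services that would break once browsers stop offering TLS 1.0 and 1.1, an operator can read the version a server selected out of a captured ServerHello. The sketch below is an added example, not code from the article or from any browser vendor; it goes slightly beyond the text by handling TLS 1.3, which keeps 0x0303 in the legacy version field and signals the real version in the supported_versions extension (RFC 8446). The function names and the sample records are constructed for illustration.

```python
import struct

# Added example (names are illustrative). Wire values of the versions in the article.
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {0x0301, 0x0302}
EXT_SUPPORTED_VERSIONS = 0x002B  # carries the real version in a TLS 1.3 ServerHello

def negotiated_version(record: bytes) -> int:
    """Return the protocol version selected by a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < max(rec_len, 4) or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_len < 38 or len(hello) < hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                    # legacy_version, random
    pos += 1 + hello[pos]           # session_id length byte and value
    pos += 2 + 1                    # cipher_suite, compression_method
    if pos > len(hello):
        raise ValueError("session_id overruns ServerHello")
    if pos + 2 > len(hello):        # pre-1.3 servers may send no extensions
        return version
    end = min(pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0], len(hello))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
            return struct.unpack("!H", data)[0]
        pos += 4 + ext_len
    return version

def classify(record: bytes) -> str:
    v = negotiated_version(record)
    name = VERSIONS.get(v, f"unknown 0x{v:04x}")
    return f"{name} (deprecated)" if v in DEPRECATED else name

def sample_server_hello(legacy, selected=None):
    """Constructed sample: zeroed random, empty session id, cipher value not inspected."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected is not None:
        hello += struct.pack("!HHHH", 6, EXT_SUPPORTED_VERSIONS, 2, selected)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", min(legacy, 0x0303), len(hs)) + hs
```

A server that answers a modern client's ClientHello with a deprecated version supports nothing newer, so it is the kind of endpoint that needs an upgrade before the browser cutoff.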
Here are the links to the announcements:
- Apple: Deprecation of Legacy TLS 1.0 and 1.1 Versions
- Google: Modernizing Transport Security
- Microsoft: Modernizing TLS connections in Microsoft Edge and Internet Explorer 11
- Mozilla: Removing Old Versions of TLS
Now You: What is your take on the announcement?
It sounds like a positive change. More security is a good thing.
I understand the concern about some users being left behind, but we’re talking about dropping the earliest iterations of a standard that is 19 years old. How long was it that people stopped selling hardware and operating systems that were incapable of installing browsers that were compatible with TLS 2.0 or better?
I would say that if it was 10 years ago or more, this is an acceptable change. We can’t compromise everyone’s security for the probably less than half a percent of people who can’t upgrade to a modern web browser, who have likely had their machine for a decade or whatever (Maybe 2 decades)- and, speaking of which, said machines are likely running out of date operating systems and browsers if they can’t find a way to support TLS 2.0, which put them at risk every day, and risk the safety of others online by being likely to be compromised by botnets, malware, and viruses that spread to others.
Those can still use their old hardware and operating systems off-line to access old games and programs.
For those who are not just stubborn, but are actually too poor to even buy the cheapest of smartphones or PCs that can handle the standard, I would actually support just handing them a smartphone and/or a PC that can. Internet access is now considered a human right in some European countries. Give them a used Chromebook (or a really inexpensive Windows laptop) and a $50 Android phone to use online, and let them keep their outdated hardware and operating systems they’ve had previously to use programs off-line, and I think that would be more than fair. Maybe they can even save up or get financing to get better modern machines on top of all of that in the long-run.
I don’t think it’s a reasonable expectation that you be able to buy a computer in 1999, and have the Internet hold back any alterations in its security standards so that you can surf every website with the same machine in 2020. It wouldn’t be right for anyone to send a shutdown signal to things you own against your will, but with the advancement rate of technology, the Internet connectivity part may not work after a certain point. A lot of these machines average only 2 years. My longest lasting PC hit 5 years before having to be replaced. If you can keep something going 20 years, that’s amazing, and good for you, but we can’t allow the extremely small percentage of people who can do that to keep us from increasing security standards for everyone else.
Why 2020 and not next week/month ?
Those sites/servers that still are on TLS 1.0/1.1 should be blocked now, not in 2 years.
Telemetry *(statistics)* can be manipulated to show that others aren’t using TLSv1.0 and TLSv1.1.
Our project for example followed the recommendations from the real authority and disabled TLSv1.0 back in about June of 2018.
1. So it’s quite obvious that the browsers aren’t a fully reliable data source… the websites are.
2. The browsers are way slow to adopt this *(mixed bag)*.
3. I agree with @Yuliya about the obsolescence factor. Going to screw over the users that have hardware manufacturers with EOL’d products and no support… thus increasing physical waste. But it will generate revenue for those eager to swipe your currency with less and less support.
4. Encryption may enforce copyright however its overhead is always going to be more with key exchanges, encryption, decryption, bandwidth, etc. Again a mixed bag since there are laws that prevent certain content from being improved. e.g. anti-competitive and closed systems to keep everyone ignorant and stupid of the real behind the scenes actions being taken against them. Don’t even get me started on the cost of certificates including the “free ones”. “We’re sorry but your content isn’t acceptable to us so we are revoking your certificate”. ;) :)
/box *(have some soap :)*
It’s sad that this is necessary.
“What is your take on the announcement?”
I think it’s a good thing!
Been using these about:config settings in FF for months now, without any adverse effects on websites.
security.tls.version.min 3
security.tls.version.max 4
Same here.
user_pref("security.tls.version.min", 3); // Default = 1 (FF61+)
// user_pref("security.tls.version.fallback-limit", 4); // Default = 4 (FF62+)
// user_pref("security.tls.version.max", 4); // Default = 4 (FF61+)
No issue except one site (within my very own journeys of course) which seems stubborn to require security.tls.version.min = 1, https://www.downloadcrew.com/ for those who’d wish to test…
@Tom Hawack : Yep, same here. The page refuses to load.
Changed mine to match yours.
My max version was already set at 4, min was set at 1, so changed min version to 3. Stops page rendering.
Update: min version 3 DOES work for me too :-))
One piece of a puzzle called planned obsolescence. HTTPS is not needed everywhere, but hey, if somehow there is a way to make your old but perfectly functional machine unable to connect to the internet anymore, sure as hell that will force you to buy a new one.
At least the gobernment can’t spy on you, right? Right?? Uhm.. yeah.
2020 is too late.
We need this change now.
Anyway I like this upcoming change
@wario:
If you’re using Firefox, you can accomplish the same thing right now (I believe there are instructions elsewhere in these comments), so you don’t have to wait. I don’t know about other browsers.