All major browsers drop TLS 1.0 and 1.1 in 2020

Martin Brinkmann
Oct 16, 2018
Firefox
|
14

All major web browser makers announced on October 15, 2018 that the browsers that they produce will stop supporting the standards TLS 1.0 and TLS 1.1 in 2020.

The change was announced by Google, Apple, Microsoft, and Mozilla on company websites.

Transport Layer Security (TLS) is a security protocol used on the Internet to protect Internet traffic. It uses encryption to protect the data from eavesdropping.

TLS 1.0 and TLS 1.1 are old standards. TLS 1.0 turned 19 this year, a very long time on the Internet. The main issue with TLS 1.0 is not that the protocol has known security issues but that it doesn't support modern cryptographic algorithms.

TLS 1.1 on the other hand is used by only 0.1% of all connections and while it addresses some limitations of TLS 1.0, newer standards such as TLS 1.2 or TLS 1.3 are better suited going forward. It is also relatively old as it turned 10 recently.

The use of more modern protocol versions improves performance and security of connections by introducing features such as perfect forward secrecy and resistance to downgrade-related attacks. TLS 1.2 is also the requirement for HTTP/2 which offers performance improvements when used.

Telemetry data collected by browser makers show that more than 99% of connections use TLS 1.2 or higher already. About 0.5% of all HTTPS connections in Chrome use TLS 1.0 or 1.1 and the figures are similar for other browsers.  TLS 1.3 final was published by the Internet Engineering Task Force in August 2014.

It is a major update of TLS 1.2 that improves the speed and security of the connection significantly. One major gain speed-wise is the reduction to a single round-trip for handshakes instead (TLS 1.2 uses two round-trips). More and more sites on the Internet adopt TLS 1.3 to use the benefits that the standard provides.

Mozilla Firefox, Microsoft Edge, Google Chrome, and Apple Safari will drop support for TLS 1.0 and TLS 1.1 in March 2020.

The change affects a large number of sites and services. While many can be upgraded to only support TLS 1.2 and TLS 1.3, sites and devices that are no longer supported may never receive updates to support these new versions.

Here are the links to the announcements:

Now You: What is your take on the announcement?

Summary
All major browsers drop TLS 1.0 and 1.1 in 2020
Article Name
All major browsers drop TLS 1.0 and 1.1 in 2020
Description
All major web browser makers announced on October 15, 2018 that the browsers that they produce will stop supporting the standards TLS 1.0 and TLS 1.1 in 2020.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. John said on October 18, 2018 at 11:05 pm
    Reply

    It sounds like a positive change. More security is a good thing.

    I understand the concern about some users being left behind, but we’re talking about dropping the earliest iterations of a standard that is 19 years old. How long was it that people stopped selling hardware and operating systems that were incapable of installing browsers that were compatible with TLS 2.0 or better?

    I would say that if it was 10 years ago or more, this is an acceptable change. We can’t compromise everyone’s security for the probably less than half a percent of people who can’t upgrade to a modern web browser, who have likely had their machine for a decade or whatever (Maybe 2 decades)- and, speaking of which, said machines are likely running out of date operating systems and browsers if they can’t find a way to support TLS 2.0, which put them at risk every day, and risk the safety of others online by being likely to be compromised by botnets, malware, and viruses that spread to others.

    Those can still use their old hardware and operating systems off-line to access old games and programs.

    For those who are not just stubborn, but are actually too poor to even buy the cheapest of smartphones or PCs that can handle the standard, I would actually support just handing them a smartphones and/or a PC that can. Internet access is now considered a human right in some European countries. Give them a used Chromebook (or a really inexpensive Windows laptop) and a $50 Android phone to use online, and let them keep their outdated hardware and operating systems they’ve had previously to use programs off-line, and I think that would be more than fair. Maybe they can even save up or get financing to get better modern machines on top of all of that in the long-run.

    I don’t think it’s a reasonable expectation that you be able to buy a computer in 1999, and have the Internet hold back any alterations in it’s security standards so that you can surf every website with the same machine in 2020. It wouldn’t be right for anyone to send a shutdown signal to things you own against you will, but with the advancement rate of technology, the Internet connectivity part may not work after a certain point. A lot of these machines average only 2 years. My longest lasting PC hit 5 years before having to be replaced. If you can keep something going 20 years, that’s amazing, and good for you, but we can’t allow the extremely small percentage of people who can do that to keep us from increasing security standards for everyone else.

  2. ilev said on October 18, 2018 at 6:37 am
    Reply

    Why 2020 and not next week/month ?
    Those sites/servers that still are on TLS 1.0/1.1 should be blocked now, not in 2 years.

  3. Marti Martz said on October 17, 2018 at 1:10 am
    Reply

    Telemetry *(statistics)* can be manipulated to show that others aren’t using TLSv1.0 and TLSv1.1.

    Our project for example followed the recommendations from the real authority and disabled TLSv1.0 back in about June of 2018.

    1. So it’s quite obvious that the browsers aren’t a fully reliable data source… the websites are.
    2. The browsers are way slow to adopt this *(mixed bag)*.
    3. I agree with @Yuliya about the obsolescence factor. Going to screw over the users that have hardware manufactures with EOL’d products and no support… thus increasing physical waste. But it will generated revenue for those eager to swipe your currency with less and less support.
    4. Encryption may enforce copyright however it’s overhead is always going to be more with key exchanges, encryption, decryption, bandwidth, etc. Again a mixed bag since there are laws the prevent certain content from being improved. e.g. anti-competitive and closed systems to keep everyone ignorant and stupid of the real behind the scenes actions being taken against them. Don’t even get me started on the cost of certificates including the “free ones”. “We’re sorry but your content isn’t acceptable to us so we are revoking your certificate”. ;) :)

    /box *(have some soap :)*

  4. Charles said on October 16, 2018 at 8:44 pm
    Reply

    It’s sad that this is necessary.

  5. John Fenderson said on October 16, 2018 at 5:03 pm
    Reply

    “What is your take on the announcement?”

    I think it’s a good thing!

  6. Microfix said on October 16, 2018 at 1:21 pm
    Reply

    Been using these about:config settings in FF for months now, without any adverse effects on websites.

    security.tls.version.min 3
    security.tls.version.max 4

    1. Tom Hawack said on October 16, 2018 at 7:45 pm
      Reply

      Same here.

      user_pref(“security.tls.version.min”, 3); // Default = 1 (FF61+)
      // user_pref(“security.tls.version.fallback-limit”, 4); // Default = 4 (FF62+)
      // user_pref(“security.tls.version.max”, 4); // Default = 4 (FF61+)

      No issue except one site (within my very own journeys of course) which seems stubborn to require security.tls.version.min = 1, https://www.downloadcrew.com/ for those who’d wish to test…

      1. stefann said on October 17, 2018 at 12:39 am
        Reply

        @Tom Hawack : Yep, same here. The page refuses to load.

    2. Charlie said on October 16, 2018 at 6:17 pm
      Reply

      Changed mine to match yours/

      1. Klaas Vaak said on October 16, 2018 at 7:49 pm
        Reply

        My max version was already set at 4, min was set at 1, so changed min version to 3. Stops page rendering.

      2. Klaas Vaak said on October 18, 2018 at 6:44 am
        Reply

        Update: min version 3 DOES work for me too :-))

  7. Yuliya said on October 16, 2018 at 9:33 am
    Reply

    One piece of a puzzle called planned obsolescence. HTTPS is not needed everywhere, but hey, if somehow there is a way to make your old but perfectly functional machine unable to connect to the internet anymore, sure as hell that will force you to buy a new one.

    At least the gobernment can’t spy on you, right? Right?? Uhm.. yeah.

  8. wario said on October 16, 2018 at 7:12 am
    Reply

    2020 is too late.
    We need this change now.
    Anyway I like this upcoming change

    1. John Fenderson said on October 17, 2018 at 5:29 pm
      Reply

      @wario:

      If you’re using Firefox, you can accomplish the same thing right now (I believe there’s instructions elsewhere in these comments), so you don’t have to wait. I don’t know about other browsers.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.