TLS 1.0 and 1.1 deprecation: Chrome to display "your connection is not fully secure" warnings - gHacks Tech News


Google announced today how the company's Google Chrome web browser will handle sites that use the security protocols TLS 1.0 or TLS 1.1 in the future.

Major browser developers including Google, Mozilla, Microsoft, and Apple revealed in 2019 that they would deprecate support for TLS 1.0 and TLS 1.1 in their web browsers. The decision was made to improve security and performance on the Internet. The protocols have no known security vulnerabilities, but they don't support modern cryptographic algorithms either.

Mozilla started to disable TLS 1.0 and TLS 1.1 in Firefox Nightly, the cutting edge development version of the Firefox web browser, a few days ago.

Google Chrome Not Secure warnings


Starting with Google Chrome 79, Chrome will give sites a "not secure" label if TLS 1.0 or TLS 1.1 is used. The main intention is to provide users and webmasters with information that they may act upon; webmasters need to enable TLS 1.2 or later on the server to address the issue.

Starting with Google Chrome 81, Chrome will prevent connections to sites that use TLS 1.0 or TLS 1.1. The browser displays a warning page instead that reads "Your connection is not fully secure. This site uses an outdated security configuration, which may expose your information".

A click on the "not secure" label displays the very same message when Chrome 79 lands. Chrome users may set an experimental flag in the browser to test the new warning functionality before Chrome 79 lands. Here is how that is done:

  1. Load chrome://flags in the browser's address bar.
  2. Search for "Show security warnings for sites using legacy TLS versions". You may also search for just "TLS" to speed this up.
  3. Set the flag to enabled.
  4. Restart the Google Chrome web browser.

Chrome will display the "not secure" label if a site uses TLS 1.0 or TLS 1.1. The change is visual in nature; users are not blocked from accessing the resource. Chrome displays warnings in the browser's built-in Developer Tools as well to inform webmasters and developers about the deprecation of earlier versions of TLS.

Chrome 81 will block connections to sites that use TLS 1.0 or 1.1. The browser displays an interstitial warning to users.
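
Which version is "used" on a connection is the one the server selects in its ServerHello reply, so a site that offers TLS 1.2 alongside 1.0 and 1.1 negotiates 1.2 with a current browser. The following Python example is added here and is not code from the article or from Chrome; it reads the selected version from a handshake record and flags TLS 1.0/1.1. The function names and sample records are constructed for illustration, and the parser assumes the ServerHello fits in a single record.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY = {0x0301, 0x0302}      # the versions the article says Chrome flags
SUPPORTED_VERSIONS = 0x002B    # extension a TLS 1.3 server uses to state its choice

def negotiated_version(record: bytes) -> int:
    """Return the version the server selected, read from one ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) < hs_len or hs_len < 38:
        raise ValueError("truncated or malformed ServerHello")
    version = int.from_bytes(hello[:2], "big")
    pos = 35 + hello[34] + 3   # skip random, session id, cipher suite, compression
    if pos > len(hello):
        raise ValueError("session id overruns the message")
    if pos + 2 > len(hello):
        return version         # no extensions: the legacy_version field is the answer
    end = min(pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"), len(hello))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        if ext_type == SUPPORTED_VERSIONS and ext_len == 2 and pos + 6 <= end:
            return int.from_bytes(hello[pos + 4:pos + 6], "big")
        pos += 4 + ext_len
    return version

def audit(record: bytes) -> str:
    """Name the negotiated version and say whether the server needs attention."""
    v = negotiated_version(record)
    verdict = "legacy: enable TLS 1.2 or later" if v in LEGACY else "ok"
    return f"{NAMES.get(v, hex(v))} ({verdict})"

def sample_hello(legacy_version, selected=None):
    """Constructed ServerHello record for the demo (zeroed random, not a capture)."""
    suite = 0x1301 if selected else 0x002F
    hello = struct.pack("!H32sBHB", legacy_version, bytes(32), 0, suite, 0)
    if selected:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", legacy_version, len(hs)) + hs

if __name__ == "__main__":
    for rec in (sample_hello(0x0301), sample_hello(0x0303), sample_hello(0x0303, 0x0304)):
        print(audit(rec))
```

A TLS 1.3 server keeps 0x0303 in the legacy version field and states its real choice in the supported_versions extension, which is why the parser checks the extension before falling back to the field.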

Enterprise admins may set policies to disallow TLS 1.0 or TLS 1.1 connections in Chrome or re-enable support for the older protocols until January 2021 when support is removed. Additional information on Chrome policies is found here.

Now You: Do any of the devices or sites that you visit frequently still use TLS 1.0 or 1.1?


Comments

  1. pHROZEN gHOST said on October 2, 2019 at 4:34 pm

    Turn this on at your own risk. If there are other users of the PC, they may be confused/bothered by what they see. We are not all rocket scientists.

    Of course, you can always turn it off again.

  2. John G. said on October 2, 2019 at 4:37 pm

    It would be better if Chrome downgraded itself from TLS 1.2 to 1.1 if the site needs it with no warning. There is no sense to warn people if no action can be taken afterwards by the user.

  3. John Fenderson said on October 2, 2019 at 5:41 pm

    “Do any of the devices or sites that you visit frequently still use TLS 1.0 or 1.1?”

    Websites can support TLS 1.2 as well as TLS 1.0 and 1.1. I assume that your question is really “do any no longer support TLS 1.0 or 1.1”?, so that’s the question I’ll answer…

    Honestly, I don’t know, and I’m not really curious enough to bother finding out. But internet surveys indicate “probably not”.

    1. Martin Brinkmann said on October 2, 2019 at 6:05 pm

      I meant if you visit sites that support only TLS 1.1 or 1.0, as those sites cannot be accessed in many browsers anymore once the changes land.

      1. John Fenderson said on October 2, 2019 at 7:05 pm

        That’s what I thought you meant, but your rephrasing was much better than mine. :)

  4. Tom Hawack said on October 2, 2019 at 9:39 pm

    Am I to be amazed that warnings followed by a radical blocking of sites not updating their security environment be necessary to get things done? Is it a matter of cost, unawareness, laziness?

    Security and privacy. Regarding the former, decisions are taken and that’s good.
    I do nevertheless have in mind small, modest websites which are more informative rather than big data managers, which may not need top security, not even https and which could simply disappear from the radar. If https is on then TLS must follow, but not sure https is as imperative for all sites as it is said and repeated. But I’m no expert.

    1. John Fenderson said on October 3, 2019 at 5:00 pm

      @Tom Hawack:

      Let me put on my computer security hat for this reply…

      Using HTTPS, even for websites that are in no way sensitive, is a good idea as it helps to prevent man-in-the-middle and other forms of attack. The risk of such attacks, even on nonsensitive websites, is that they can be used to engage in further attacks against your system (both in the form of intrusion and malware).

      The only real reason to not use HTTPS for all websites is one of cost, and that cost has been greatly reduced over the past few years. There isn’t that much reason not to do it these days.

      That said, there do still exist reasons not to, and I think that HTTPS proponents often go overboard in their advocacy.

      For instance, I run a couple of websites that are only accessible from within my personal network. Those do use HTTPS because my webserver is already configured to do that since it also serves up sites that are accessible from the internet. However, I would be entirely comfortable just using HTTP for those, as my network would have to be infiltrated in order to attack them, and if that happens then I have much, much larger problems.

      The deprecation of TLS 1.0 and 1.1 is also a good thing (mandatory, in my opinion), as 1.0 and 1.1 are both broken and vulnerable.

  5. John Smith said on November 20, 2019 at 11:35 pm

    Does the security warning only show to the sites which ONLY support TLS 1.0 and/or 1.1? What about for sites that support TLS 1.0, 1.1, and 1.2?
