TLS 1.0 and 1.1 deprecation: Chrome to display "your connection is not fully secure" warnings
Google announced today how the company's Google Chrome web browser will handle sites that use the security protocols TLS 1.0 or TLS 1.1 in the future.
Major browser developers including Google, Mozilla, Microsoft, and Apple revealed in 2019 that they would deprecate support for TLS 1.0 and TLS 1.1 in their web browsers. The decision was made to improve security and performance on the Internet. The protocols have no known security vulnerabilities, but they don't support modern cryptographic algorithms either.
Mozilla started to disable TLS 1.0 and TLS 1.1 in Firefox Nightly, the cutting edge development version of the Firefox web browser, a few days ago.
Google Chrome Not Secure warnings
Starting with Google Chrome 79, Chrome will give sites a "not secure" label if TLS 1.0 or TLS 1.1 is used. The main intention is to provide users and webmasters with information that they may act upon; webmasters need to enable TLS 1.2 or later on the server to address the issue.
Starting with Google Chrome 81, Chrome will prevent connections to sites that use TLS 1.0 or TLS 1.1. The browser displays a warning page instead that reads "Your connection is not fully secure. This site uses an outdated security configuration, which may expose your information".
A click on the "not secure" label displays the very same message when Chrome 79 lands. Chrome users may set an experimental flag in the browser to test the new warning functionality before Chrome 79 lands. Here is how that is done:
- Load chrome://flags in the browser's address bar.
- Search for Show security warnings for sites using legacy TLS versions. You may also search for just TLS to speed this up.
- Set the flag to enabled.
- Restart the Google Chrome web browser.
Chrome will display the "not secure" label if a site uses TLS 1.0 or TLS 1.1. The change is visual in nature; users are not blocked from accessing the resource. Chrome displays warnings in the browser's built-in Developer Tools as well to inform webmasters and developers about the deprecation of earlier versions of TLS.
Chrome 81 will block connections to sites that use TLS 1.0 or 1.1. The browser displays an interstitial warning to users.
Enterprise admins may set policies to disallow TLS 1.0 or TLS 1.1 connections in Chrome or re-enable support for the older protocols until January 2021 when support is removed. Additional information on Chrome policies is found here.
Now You: Do any of the devices or sites that you visit frequently still use TLS 1.0 or 1.1?
Turn this on at your own risk. If there are other users of the PC, they may be confused/bothered by what they see. We are not all rocket scientists.
Of course, you can always turn it off again.
It would be better if Chrome downgraded itself from TLS 1.2 to 1.1 if the site needs it with no warning. There is no sense to warn people if no action can be taken afterwards by the user.
“Do any of the devices or sites that you visit frequently still use TLS 1.0 or 1.1?”
Websites can support TLS 1.2 as well as TLS 1.0 and 1.1. I assume that your question is really “do any no longer support TLS 1.0 or 1.1”?, so that’s the question I’ll answer…
Honestly, I don’t know, and I’m not really curious enough to bother finding out. But internet surveys indicate “probably not”.
I meant if you visit sites that support only TLS 1.1 or 1.0, as those sites cannot be accessed in many browsers anymore once the changes land.
That’s what I thought you meant, but your rephrasing was much better than mine. :)
Am I to be amazed that warnings followed by a radical blocking of sites not updating their security environment be necessary to get things done? Is it a matter of cost, unawareness, laziness?
Security and privacy. Regarding the former decisions are taken and that’s good.
I do nevertheless have in mind small, modest websites which are more informative rather than big data managers, which may not need top security, not even https and which could simply disappear from the radar. If https is on then TLS must follow, but not sure https is as imperative for all sites as it is said and repeated. But I’m no expert.
Let me put on my computer security hat for this reply…
Using HTTPS, even for websites that are in no way sensitive, is a good idea as it helps to prevent man-in-the-middle and other forms of attack. The risk of such attacks, even on nonsensitive websites, is that they can be used to engage in further attacks against your system (both in the form of intrusion and malware).
The only real reason to not use HTTPS for all websites is one of cost, and that cost has been greatly reduced over the past few years. There isn’t that much reason not to do it these days.
That said, there do still exist reasons not to, and I think that HTTPS proponents often go overboard in their advocacy.
For instance, I run a couple of websites that are only accessible from within my personal network. Those do use HTTPS because my webserver is already configured to do that since it also serves up sites that are accessible from the internet. However, I would be entirely comfortable just using HTTP for those, as my network would have to be infiltrated in order to attack them, and if that happens then I have much, much larger problems.
The deprecation of TLS 1.0 and 1.1 is also a good thing (mandatory, in my opinion), as 1.0 and 1.1 are both broken and vulnerable.
Does the security warning only show to the sites which ONLY support TLS 1.0 and/or 1.1? What about for sites that support TLS 1.0, 1.1, and 1.2?
Sites that support TLS 1.0, 1.1, and 1.2 will NOT receive the warning because the browser will negotiate a TLS 1.2 connection.
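As an added example (not code from the article or from any of its commenters), the following Python script makes two of the points above concrete: the version-selection rule that lets a server offering TLS 1.0, 1.1 and 1.2 end up on 1.2 with a modern browser (the answer just given), and the per-version behaviour the article describes for Chrome 79 (label) and Chrome 81 (interstitial). `probe_versions` uses only the standard `ssl` module to ask a real server which versions it accepts. The verdict strings, the `policy_allows_legacy` flag standing in for the enterprise policy mentioned in the article, and the choice to model Chrome as completing a legacy handshake and then applying its policy to the negotiated version are simplifications assumed here, not Chrome's actual implementation.

```python
import socket
import ssl

# Protocol names as Python's ssl module reports them, oldest first.
TLS_VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"TLSv1", "TLSv1.1"}


def negotiate(client_versions, server_versions):
    """Return the highest TLS version both peers support, or None if no
    handshake is possible. This selection rule is why a server offering
    1.0, 1.1 and 1.2 lands on 1.2 with a client that speaks 1.2."""
    common = [v for v in TLS_VERSIONS
              if v in client_versions and v in server_versions]
    return common[-1] if common else None


def chrome_verdict(server_versions, chrome_major, policy_allows_legacy=False):
    """Map what a server supports to the behaviour the article describes for a
    given Chrome major version. Modelling assumption: Chrome completes the
    handshake (it can still speak 1.0/1.1) and then judges the result."""
    negotiated = negotiate(set(TLS_VERSIONS), server_versions)
    if negotiated is None:
        return "handshake fails"
    if negotiated not in LEGACY or policy_allows_legacy:
        return "ok"
    if chrome_major >= 81:
        return "blocked (interstitial)"
    if chrome_major >= 79:
        return "not secure label"
    return "ok"


def probe_versions(host, port=443, timeout=5):
    """Attempt one handshake per TLS version, each pinned to exactly that
    version, and return the set the server accepted. Needs network access."""
    pinned = [
        ("TLSv1", ssl.TLSVersion.TLSv1),
        ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
        ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
        ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
    ]
    supported = set()
    for name, version in pinned:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # The question is which versions are offered, not whether the
        # certificate validates, so certificate checks are switched off.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # Newer OpenSSL builds refuse TLS 1.0/1.1 at the default security
            # level; lower it so the probe can actually offer them.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ssl.SSLError, ValueError):
            continue  # the local TLS library cannot speak this version at all
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    supported.add(tls.version())
        except (ssl.SSLError, OSError):
            pass  # server rejected this version (or connection failed)
    return supported


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    found = probe_versions(host)
    print(host, "supports:", sorted(found, key=TLS_VERSIONS.index))
    for major in (78, 79, 81):
        print(f"  Chrome {major}: {chrome_verdict(found, major)}")
```

Run it as `python tlscheck.py yourhost` to see which versions a server accepts and what each Chrome release would make of it. One caveat when reading the output: if the machine's own OpenSSL cannot offer TLS 1.0 or 1.1, the probe silently skips those versions, so a missing legacy version means "not confirmed", not "disabled on the server".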
Try accessing the ILO on older HP boxes (before ILO3); you can’t. You have to dig up an old version of IE. Getting rid of TLS 1.0 immediately junks the older HP boxes, and there are a lot of them still running. Usually the ILO is on an internal network, so where’s the security issue?
In my opinion, if they’re going to disable/deprecate *any* feature, it should be _left in_ but _turned off_, with only expert users able to find out (via Google and appropriate instructions on how to find the switch) how to turn it on if they so choose.
I for one am still using 32-bit XP (with tons of antivirus etc.) for some things, which means I haven’t been able to upgrade beyond Chrome v49, which means I don’t even have the *option* of “enabling TLS 1.2.” In a case like that, I wish they’d provide a way to *retrofit* a TLS 1.2 capability into older versions. It’s getting to the point where I had a hell of a time even downloading a browser that supports TLS 1.2 *and* runs on XP — I couldn’t do it at all in Chrome, and had to upgrade — but not to the *very latest* version, because that wouldn’t run — to even grab it with wget.
I hate “upgrades” because they always eff up the process of just Getting Things Done. At the very least, it should be left up to the user whether he wants to upgrade — not forced down his throat by vendors who think they know better and just ASSUME people will accept their proclamations. I blame Microsoft for spreading this business model, which I consider in many ways a Crime Against Humanity.