TLS 1.0 and 1.1 in the danger zone

Time to Upgrade to TLS Version 1.2 and Above

In only a few weeks, websites that support protocols no higher than TLS 1.0 or 1.1 will need to upgrade before major browsers start returning “secure connection failed” error pages.

In October 2018, Google, Apple, Microsoft and Mozilla jointly agreed to deprecate the ageing protocols by the beginning of 2020. This step is expected to curb traffic flowing to sites that have yet to update to TLS 1.2 and above.

The first major browser likely to abandon support for TLS 1.0 (21 years old) and 1.1 (14 years old) will be Mozilla Firefox, with the release of Firefox 74 on March 10. Google Chrome 81, scheduled to launch on March 17, will also drop support, and Apple's next Safari update at the end of March is expected to remove support for the older protocol versions as well. Microsoft is anticipated to remove support for the moribund protocols from Edge 82 and Internet Explorer in April.

Webmasters have been warned about the impending change, for example by migration advice shown in the developer tools of Firefox 68 and Chrome 72, both released last year. To discover more sites that cannot “speak” TLS 1.2, support for the old versions was disabled in Firefox 71 Nightly in December.

SSL Pulse's latest analysis of Alexa's most popular websites, carried out in February, revealed that nearly 140,000 websites (3.2%) support nothing higher than TLS 1.0, and fewer than 0.1% have a ceiling of TLS 1.1. Most websites (71.7%) support a maximum of TLS 1.2, and the remaining 25% support the most recent version, TLS 1.3. On these figures, 3.3% of websites could soon be returning “secure connection failed” error pages to their visitors.

TLS 1.3, which launched in 2018, is now the gold standard, while TLS 1.2 is PCI DSS-compliant and remains a good standard even though it is more than a decade old. Both protocols are supported by the major browsers and work with the most recent cipher suites and algorithms.

The National Institute of Standards and Technology (NIST) has stated that it is no longer feasible to patch the protocols' present vulnerabilities. The Internet Engineering Task Force (IETF), the global custodian of internet standards, will be officially deprecating TLS 1.0 and 1.1. Neither protocol supports the latest cryptographic algorithms or conforms to today's PCI Data Security Standard for protecting payment data.

What to do?

Michal Špaček, developer at Report URI and Password Storage Rating, has urged webmasters to act before it's too late. He recommends that those who are unsure use tools such as Qualys' SSL Labs Server Test.

If a website turns out not to support at least TLS 1.2, webmasters should check with their vendors. Other remedies include running recent encryption libraries and servers that support TLS 1.2 and above. It has also been pointed out that it is not necessary to remove support for the legacy TLS versions, but webmasters should make sure their websites can support at least version 1.2.
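One way to run that check yourself from the command line, as an added example that is not from the article or from Qualys: the script below handshakes with a protocol floor of TLS 1.2 first, and only if that fails retries with a floor of TLS 1.0 to tell a legacy-only server apart from an unreachable one. It assumes Python 3.7 or newer (for `ssl.TLSVersion`) and takes hostnames as arguments; the hostnames are whatever you pass in, not values from the article.

```python
"""Report whether a site will survive the browser cut-off for TLS 1.0/1.1.
Added example, not code from the original article."""
import socket
import ssl
import sys


def make_context(floor: ssl.TLSVersion) -> ssl.SSLContext:
    """Default verifying client context with an explicit protocol floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor
    return ctx


def negotiated_version(host, port=443, floor=ssl.TLSVersion.TLSv1_2, timeout=5.0):
    """Handshake with the given floor; return e.g. 'TLSv1.3', or None on failure."""
    try:
        ctx = make_context(floor)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        # SSLError: handshake rejected; OSError: unreachable/timeout;
        # ValueError: local OpenSSL refuses to enable the requested floor.
        return None


def verdict(modern, legacy):
    """Map the two probe results to what browsers will do after the cut-off."""
    if modern is not None:
        return "ok"            # TLS 1.2 or 1.3 negotiated: browsers keep connecting
    if legacy is not None:
        return "legacy-only"   # only 1.0/1.1 works: 'secure connection failed' ahead
    return "no-handshake"      # host down, blocked, or local OpenSSL refuses legacy


def check_site(host, port=443, timeout=5.0):
    """Probe with floor 1.2; fall back to floor 1.0 only when that fails."""
    modern = negotiated_version(host, port, ssl.TLSVersion.TLSv1_2, timeout)
    legacy = None if modern else negotiated_version(host, port, ssl.TLSVersion.TLSv1, timeout)
    return verdict(modern, legacy), modern or legacy


if __name__ == "__main__":
    for name in sys.argv[1:]:
        status, version = check_site(name)
        print(f"{name}: {status} ({version or 'no TLS session'})")
```

On a host whose OpenSSL security level already forbids TLS 1.0, a legacy-only server shows up as "no-handshake" rather than "legacy-only"; the SSL Labs test above does not have that limitation.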

In a note addressed to developers in September 2019, Mozilla engineer Martin Thomson said: “This is a potentially disruptive change, but we believe that this is good for the security and stability of the web.”


Posted on Thursday 06 February 2020 by Sayeeda Miah
