Web browsers sharpen knives for TLS 1.0, 1.1, tell protocols to dig their own graves for 2019
IE, Edge, Safari, Firefox, Chrome, all planning to deprecate lousy old versions by 2020
Sysadmins and netizens, it's time to get serious about killing off old, buggy and insecure versions of Transport Layer Security (TLS) – the encryption used to secure connections to HTTPS websites like your bank, El Reg, and so on.
For one thing, web browser makers are laying out coordinated deprecation plans, meaning if your website is still using TLS 1.0 or 1.1, and nothing more recent, browsers will soon flag up your site as insecure or complain they are unable to connect.
The Internet Engineering Task Force has been considering when to hold the funeral of TLS 1.0, which will be 20 years old in January 2019, as well as a burial for TLS 1.1, since June this year. Its Internet-Draft on the matter is expected to formalize the 'net standards body's “die die die” recommendation later this year. When the draft progresses to standard status, the IETF will no longer fix new protocol vulnerabilities in TLS 1.0 and 1.1.
It's official: TLS 1.3 approved as standard while spies weepREAD MORE
Microsoft noted on Monday that fewer than “one per cent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1.” Edge and Internet Explorer will ditch their TLS 1.0 and 1.1 support in the first half of next year, Redmond said, which puts the software giant ahead of the pack, since the other major browsers will start the process in 2020.
The WebKit folks also provided on Monday a longer deadline, saying support will be removed from Safari in iOS and macOS “beginning in March 2020.” WebKit's data puts the continued use of the ancient protocols around that of Microsoft's measurement – specifically, “0.36 per cent of TLS connections made from Safari.”
WebKit's developers also want to know if there are “legacy services or devices that cannot be upgraded,” either via a bug report or email.
Mozilla Firefox's deprecation will also start in March 2020, for the 0.1 per cent of TLS 1.1 connections spotted by its telemetry. The deprecation will show up earlier in its pre-release code – beta, developer edition, and the nightly builds.
Google said this week its TLS 1.0/1.1 connection rate from Chrome browsers is 0.5 per cent, and deprecation will start on its early release channels in January 2020. ®
Sponsored: Becoming a Pragmatic Security Leader