Apple, Google, Microsoft, and Mozilla announced plans today to disable Transport Layer Security (TLS) 1.0 and 1.1 support in their respective browsers in the first half of 2020.
Security
"January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web," said Kyle Pflug, Senior Program Manager for Microsoft Edge.
Also: Fizzing up the new TLS security protocol
"Two decades is a long time for a security technology to stand unmodified," he said. "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1 [...] moving to newer versions helps ensure a more secure Web for everyone."
The move comes as the Internet Engineering Task Force (IETF) --the organization that develops and promotes Internet standards-- is hosting discussions to formally deprecated both TLS 1.0 and 1.1.
Also: TLS 1.3 is out: Major boost for web security
All four browsers --Chrome, Edge, IE, Firefox, and Safari-- already support TLS 1.2 and will soon support the recently-approved fina version of the TLS 1.3 standard. Chrome and Firefox already support TLS 1.3, while Apple and Microsoft are still working on support.
Microsoft cited public stats from SSL Labs showing that 94 percent of the Internet's sites have already moved to using TLS 1.2, leaving very few sites on the older standard versions.
"Less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," Pflug said, also citing internal stats.
Also: It's 2018, and network middleware still can't handle TLS without breaking encryption
Windows users and system administrators can test the impact of having TLS 1.0 and TLS 1.1 disabled right now and prepare their devices and networks before the final deadline.
They can do this by accessing the "Internet Options"setting in the Windows control panel, visiting the "Advanced" tab, and unticking the "Use TLS 1.0" and "Use TLS 1.1" options in the Security section.
Article updated two hours after publication to include similar announcements made by Apple, Google, and Mozilla. The original version of this article only mentioned Microsoft plan to deprecate TLS 1.0 and TLS 1.1.
Related stories:
- Microsoft JET vulnerability still open to attacks, despite recent patch
- A mysterious grey-hat is patching people's outdated MikroTik routers
- IETF approves new internet standards to secure authentication tokens
- Around 62% of all Internet sites will run an unsupported PHP version in 10 weeks
- These popular Android phones came with vulnerabilities pre-installed CNET
- Microsoft Windows zero-day vulnerability disclosed through Twitter TechRepublic
- Google's Pixel 3 is the first Android device to ship with new CFI kernel protections