Major browsers simultaneously drop support for old security standards

Firefox, Chrome, Edge, Internet Explorer, and Safari are all dropping support for older versions of the the online security protocol TLS, used in practically any encrypted exchange online. While few people or machines are using the long-unsafe TLS 1.0 and 1.1, they’re still permitted in many connections — but not for long.

Transport Layer Security is a community-developed standard that got its 1.0 release nearly 20 years ago. It and its close relative, 1.1, have known flaws that make them unsafe to use for any secure communications. 1.2 addressed these major flaws in 2008 and is currently used by the vast majority of clients. 1.3, released earlier this year, both improves and streamlines the standard, but as yet has only a limited presence online as many servers and services haven’t been updated to support it.

The messy, musical process behind the web’s new security standard

Mozilla, Google, Microsoft, and WebKit all made separate but similar announcements on their blogs, essentially that the old versions, 1.0 and 1.1, will be phased out by early 2020 — March specifically for some, which we can take as a general indicator for the others.

Latest news:  Tesla vehicles ordered after October 15 lose out on full tax credit eligibility

“Two decades is a long time for a security technology to stand unmodified,” wrote Microsoft’s Kyle Pflug. “While we aren’t aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1, vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure Web for everyone.”

As a user you don’t need to do a thing. The browsers and apps you use will work just as they have before — chances are they’re all using 1.2 already. Mozilla shared a chart showing that only a smattering of connections it sees use the earlier versions:

Latest news:  Edo raises $12M to measure TV ad effectiveness

These connections, low by proportion but still numerous, could be lots of things. Legacy machines embedded here are there; old apps for which the security stack hasn’t been updated in years; hacked devices. It’s almost certainly not you or even your parents.

The long lead time is given because of the possibility (nay, inevitability) that there are some critical systems (for example in aging municipal infrastructure) that will cease to work because of this change. People need time to do a real audit, although they probably should have done it years ago.

Latest news:  The 7 Best Ways to Open a PSD File Without Photoshop

This move should make everyone a little safer online, though everything will continue to act exactly as it did before. That’s by design.

 Developer IETF Security Technology News tls 1.2 TLS 1.3

Close Menu