Apple, Google, Microsoft, and Mozilla have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020.

TLS (Transport Layer Security) is used to secure connections on the Web. TLS is essential to the Web, providing the ability to form connections that are confidential, authenticated, and tamper-proof. This has made it a big focus of security research, and over the years, a number of bugs that had significant security implications have been found in the protocol. Revisions have been published to address these flaws.

The original TLS 1.0, heavily based on Netscape's SSL 3.0, was first published in January 1999. TLS 1.1 arrived in 2006, while TLS 1.2, in 2008, added new capabilities and fixed these security flaws. Irreparable security flaws in SSL 3.0 saw support for that protocol come to an end in 2014; the browser vendors now want to make a similar change for TLS 1.0 and 1.1.

The impact of removing the old protocols shouldn't be too substantial. All four companies cite usage figures for the old versions; Firefox sees the most TLS 1.0 and 1.1 usage (1.4 percent of all secure connections) while the other three vendors claim a figure below 1.0 percent. The current recommendation is that sites switch to TLS 1.2 (which happens to be the minimum required for HTTP/2) and offer only a limited, modern set of encryption algorithms and authentication schemes. TLS 1.3 was recently finalized, but it currently has little widespread adoption.

Currently, all four companies are aiming to disable TLS 1.0 and 1.1 in March 2020 or so. This should give sites over a year to make the upgrade, and most already have. SSL Labs estimates that 94 percent of sites support 1.2 already.

Ars Technica