DEPRECATION OF LEGACY TLS 1.0 AND 1.1 VERSIONS

Major web browser developers have announced that they will no longer support TLS 1.0 and TLS 1.1 from March 2020!

TLS 1.0 is now 21 years old and major web browser developers have made a decision to officially deprecate TLSv1.0 and TLSv1.1 in the up and coming months. 

Martin Thomson aptly wrote for the Mozilla Blog:

“In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1. On the Internet, 20 years is an eternity.  TLS 1.0 will be 20 years old in January 2019.  In that time, TLS has protected billions – and probably trillions – of connections from eavesdropping and attack.   In that time, we have collectively learned a lot about what it takes to design and build a security protocol.”

Although no major issues have been identified with TLS 1.0 the protocol is no longer PCI-DSS compliant and does contain a few flaws.   Moving to stronger, more secure protocol versions like TLS 1.2 and higher, will lead to the following benefits:

  • Support for modern cryptographic algorithms and cipher suites
  • Removal of insecure SHA1 and MD5 hash functions
  • Reduced exposure to attacks such as LongJam and Freak

The Internet Engineering Task Force (IETF) outlines the technical reason for the deprecation of the protocols in the following standards tracking documentation.

Google Chrome has always been one step ahead of other leading browsers and have announced that starting from 13 January 2020 for Chrome 79 and higher versions, a gentle “Not Secure” warning will be displayed to alert users of outdated configurations for sites using TLS 1.0 and 1.1.

Error message for sites with TSL version 1

Chrome 81 will be released in March 2020 and will begin blocking connections to sites using TLS 1.0 or 1.1, showing a full-page warning:

Now is the time to make the transition to TLS 1.2,  site administrators should immediately enable TLS 1.2 or later versions to avoid downtime and blocked connections. If you own or operate a web server that does not support TLS 1.2, please upgrade now, additionally, we encourage all sites to revisit their TLS configuration.

All browsers have jumped on board with similar announcements around the deprecation date scheduled for March 2020 ChromeEdgeSafari, Mozilla.

Written by: Megan Schutte