Firefox, Chrome, Safari and Edge Dropping TLS 1.0, 1.1

Apple, GoogleMicrosoft and Mozilla all announced today that they will disable TLS versions 1.0 and 1.1 in their respective browsers by default by the first half of 2020. The TLS protocol is what browsers, instant messengers and even email servers primarily use to secure communications.

TLS 1.0, 1.1 Deprecated

Over the past few years, we’ve seen new attacks that exploit weaknesses in the design of the TLS 1.0 and TLS 1.1 protocols and algorithms that were used alongside them. These attacks include BEAST, which allows malicious actors to steal the TLS authentication tokens, Logjam and FREAK, which allow attackers to downgrade the security of a connection to a server, as well as insecure hash functions, such as MD5 and SHA-1.

In addition to all of this, the TLS 1.2 protocol is more than a decade old, so both browsers and web developers have little excuse not to use it by now. Earlier this year, the IETF also finalized the TLS 1.3 specification, which further streamlines and upgrades the TLS protocol to be stronger and less easy to break cryptographic algorithms.

What Is the TLS Protocol?

The TLS (stands for Transport Layer Security) protocol is an upgrade to the previously used Secure Sockets Layer (SSL) protocol. Netscape invented SSL because it realized that at least some uses of the internet required secure communications over computer networks.

Netscape kept SSL 1.0 private because it later learned it was deeply flawed. The company made SSL 2.0 public in 1995, but outside security researchers proved soon afterwards that it also had many flaws. In 1996, cryptographer Paul Kocher together with Netscape released version 3.0 of SSL, on top of which TLS 1.0 was developed in 1999. TLS 1.1 came in 2006 and TLS 1.2 in 2008.

Chrome 72 will stop supporting TLS 1.0 and 1.1 in the first half of next year, while Apple’s Safari, Mozilla's Firefox and Microsoft’s Edge and Internet Explorer 11 browsers will drop support for the two protocol versions a year later, in the first half of 2020.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Co BIY
    Do users or developers need to do something in response to this change ? Will most people even notice?

    Article seems to be a paragraph short.
  • Dave_135
    Nice Article if your Windows 10 User. But I for 1 think Windows 10 Sucks totally! We Have 3 Computers in this house, My Desktop, called the Video Editing Beast, It has Linux Mint 19 Tara and Windows 7 Pro, then there is the Laptop Hooked to our HD TV, I runs Linux Mint 18.3 Cinnamon and Windows 10. Then we have a Laptop set on a Folding wooden table, it is older HP Model, 32 Bit and I have it running Linux Mint 19 Tara. Usage on all 3 machines on the desktop, Linux Mint gets used about 80% of the time, Windows the rest, on the TV Computer, windows gets about 70% and Linux mint gets the rest. And HP laptop, since Linux Mint 19 Tara has came out, that is all it runs, when I got it had Windows 8 running on it, that was worse that Windows 10. But Windows 10 is still the worst Operating System ever made in My Opinion. The update procedure is nuts as compared to Linux Mint. Updating A Windows 10 computer takes about 20 to 30 minutes of time, Linux mint, I may Install updates 3 times a day and it does not effect my workflow.
  • mdarrish
    DAVE-135: Windows 10 is ugly and many aspects of it indeed suck. M$ has been on a downhill slide since Windows 8. However, Windows ME (ironically named Millenium Edition), sucked equally as much as 10, IMHO.
  • cryoburner
    But... This article has nothing to do with Windows. >_>
  • hannibal
    Those who has web Pages has to upgrade them so that They Are not using TLS 1.0 or 1.1 or their webpages can not be Viewed any more in the future.
    To the customers, no need to do anything unless you favorite websites stop from being available. Then you have to roll back to old webbrowser to see those Pages!
  • stdragon
    For 99.99% of the population out there, this is a non-issue. But for those that have to support vendor server-side and appliance applications that requires HTTPS administration, it's going to suck...badly.

    Basically that translates to using an older version of a browser until management can cough up the money to supply IT with a workable budget to upgrade said back-end services.
  • Kerri B
    21405390 said:
    Do users or developers need to do something in response to this change ? Will most people even notice?

    Article seems to be a paragraph short.

    Apple, Google, and Microsoft, we know, are about as corrupt as they come. Now, for Mozilla to get in with that bunch says it all. All these 'people' want to do is spy on other people for the almighty buck. Seems everyone wants to get in on it while the gettings good. I'm completely sickened by it all. Oh, and we can throw Twitter, FB, and more for good measure.

    So, you ask what we should do. I say that those of us that don't want our privacy taken, get offline, even then, that's not full proof either.:fou: