Apple, Google, Microsoft and Mozilla all announced today that they will disable TLS versions 1.0 and 1.1 in their respective browsers by default by the first half of 2020. The TLS protocol is what browsers, instant messengers and even email servers primarily use to secure communications.
TLS 1.0, 1.1 Deprecated
Over the past few years, we’ve seen new attacks that exploit weaknesses in the design of the TLS 1.0 and TLS 1.1 protocols and in the algorithms used alongside them. These include BEAST, which allows malicious actors to steal TLS authentication tokens, and Logjam and FREAK, which allow attackers to downgrade the security of a connection to a server. The weaknesses also include insecure hash functions, such as MD5 and SHA-1.
In addition to all of this, the TLS 1.2 protocol is more than a decade old, so both browsers and web developers have little excuse not to use it by now. Earlier this year, the IETF also finalized the TLS 1.3 specification, which further streamlines the TLS protocol and upgrades it to stronger, harder-to-break cryptographic algorithms.
What Is the TLS Protocol?
The TLS (Transport Layer Security) protocol is an upgrade to the previously used Secure Sockets Layer (SSL) protocol. Netscape invented SSL because it realized that at least some uses of the internet required secure communications over computer networks.
Netscape kept SSL 1.0 private because it later learned it was deeply flawed. The company made SSL 2.0 public in 1995, but outside security researchers proved soon afterwards that it also had many flaws. In 1996, cryptographer Paul Kocher together with Netscape released version 3.0 of SSL, on top of which TLS 1.0 was developed in 1999. TLS 1.1 came in 2006 and TLS 1.2 in 2008.
Chrome 72 will stop supporting TLS 1.0 and 1.1 in the first half of next year, while Apple’s Safari, Mozilla’s Firefox and Microsoft’s Edge and Internet Explorer 11 browsers will drop support for the two protocol versions a year later, in the first half of 2020.