Website owners have roughly six months to upgrade or risk disruption to domain access
UPDATE Read our more recent article from February 2020 on the upcoming deprecation of TLS 1.0 and 1.1.
Mozilla has confirmed that browser support for TLS (Transport Layer Security) 1.0 and 1.1 will end from March 2020, giving webmasters little more than six months to upgrade their setups.
TLS 1.0 and 1.1 are 20 and 13 years old, respectively. Neither are compliant with today’s PCI Data Security Standards (PCI DSS) for safeguarding payment data, and they are unable to support modern cryptographic algorithms.
The protocols are vulnerable to security exploits including POODLE and BEAST, and NIST says it is not viable to patch or support TLS 1.0/1.1 further.
Developers are being urged to upgrade to TLS 1.2 or higher. Although this version was introduced a decade ago, this option remains PCI DSS compliant. TLS 1.3 is the latest available version.
Clean sweep
According to Mozilla engineer Martin Thomson, usage remains (sign-in required) at between 0.46% and 0.68% for TLS 1.0, whereas TLS 1.1 “is virtually non-existent” at 0.02%.
In a post to developers yesterday (September 12), Thomson said the telemetry data for TLS 1.0 is still “far higher” than Mozilla would usually tolerate, but measurements support the view that the number of sites that will be affected is reducing “steadily”.
As of May 2019, Tranco estimates that 8,000 out of the top one million domains are using TLS 1.1 or lower. Qualys says that 95.8% of websites support TLS 1.2.
The launch of Firefox 68 was the first step towards TLS 1.0/1.1 deprecation. Released in July, the developer tools suite used in this version of the browser warns users if they are using 1.0/1.1 and urges an immediate upgrade.
Mozilla plans to disable support for the protocols in Firefox Nightly with the release of Firefox 71. Thomson says that this should make it “more obvious when sites don’t support TLS 1.2”.
The engineer added that deprecation “does break the occasional site but it is quite rare”.
It is hoped that beta will have completely switched off support for obsolete protocols before March 2020, when the release channel of the browser will be available to the general public.
“This is a potentially disruptive change, but we believe that this is good for the security and stability of the web,” Thomson says.
Coordinated effort
The move will not only apply to Firefox. Google Chrome, Microsoft Edge and Internet Explorer 11, and Apple’s Safari browser are all due to revoke support for TLS 1.0/1.1 by 2020.
The agreement between Apple, Google, Microsoft, and Mozilla to retire support for these aging cryptographic protocols will likely be welcomed by web developers seeking a more secure internet.
“The downside of removing outdated TLS 1.0 and TLS 1.1 connections is that users will no longer be able to reach websites that are using the older TLS versions,” Jonathan Knudsen, senior security strategist at Synopsys told The Daily Swig.
“Updating is a challenge for many organizations; indeed, many exposed devices on the internet are running versions of software that are vulnerable to exploits that are months or years old.
“Instead of attempting to interoperate with older, more vulnerable software, Mozilla is correct in trying to lift the entire ecosystem to a better place.”
The confirmation of the end of support for legacy TLS protocols is not the only recent change of note made by Mozilla.
Last week, the non-profit announced the upcoming rollout of DNS-over-HTTPS as default for Firefox.
The protocol is designed to add an additional layer of security to browser sessions by hiding DNS queries inside regular HTTPS traffic.
YOU MIGHT ALSO LIKE HTTPS everywhere? Cloudflare planning improvements to middleware detection utility