Chrome 81 delay offers stay of execution for thousands of sites

Hundreds of thousands of websites are in the process of being marked as insecure to mainstream browser users because of their reliance on obsolete encryption protocols.

Since the mainstream release of Firefox 74 on March 10, surfers visiting any website reliant on the obsolete TLS 1.0 and 1.1 encryption protocols have been confronted with a “Secure Connection Failed” error message.

Chrome 81 – the release of which has been pushed back because of the Covid-19 pandemic – is also due to restrict access to any website reliant on the obsolete TLS 1.0 and 1.1 encryption protocols. Web users visiting these sites using Chrome 81 will be faced with full page warnings.

Web security specialists Netcraft warned earlier this month that more than 850,000 websites still rely on the outdated TLS 1.0 and TLS 1.1 protocols despite receiving more than a year’s notice from the four largest browser developers.

This warning is in line with the latest stats from SSL Labs showing that 97.1% of surveyed sites support the TLS v1.2 protocol or above, with 2.9% reliant on TLS 1.1 or lower.

TLS deprecation deadlines

Mozilla, Google, Apple, and Microsoft jointly warned in October 2018 that they planned to ditch support for TLS 1.0 and TLS 1.1, technologies which date back to 1999 and 2006 respectively.

Mozilla has already applied this sanction, but Apple has said it would temporarily delay the change.

Microsoft is targeting the first half of 2020 for deprecating support for TLS 1.0 and TLS 1.1 for users of Edge and IE 11.

The latest sitrep is summarised in a blog post by Qualys SSL Labs.

The practical upshot is that the original March 2020 deadline set by browser developers more than a year ago is not going to be met. However, change is still fairly imminent and it’ll be bad news for websites still reliant on obsolete protocols.

BEASTly

Both TLS 1.0 and TLS 1.1 are showing their age, evidenced by their vulnerability to various (progressively more serious) cryptographic attacks such as BEAST and POODLE.

Websites still relying on these standards include those of major banks, retailers, news organisations, and other high-profile businesses.

“Chrome’s decision to remove these outdated protocols is a major boost for the security of its users,” Kevin Bocek, VP security strategy and threat intelligence at security vendor Venafi, said.

“Yet for the hundreds of thousands of websites that still use these machine identities, Chrome will force them into quickly replacing TLS 1.0 and 1.1 or face the prospect of greeting visitors to their websites with insecure warnings, which can damage their business as well as their credibility.”
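
Site operators can check which side of the browser cut-off a server falls on with two handshakes, one restricted to TLS 1.2 and above and one restricted to TLS 1.0/1.1. The sketch below is an added example, not code from the article or from any vendor it quotes; the function names and result labels are its own, and it assumes an OpenSSL-backed Python build.

```python
import socket
import ssl
import sys

V = ssl.TLSVersion


def probe(host, port, lowest, highest, timeout=5.0):
    """Handshake inside [lowest, highest]; return the negotiated version or None."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Only the protocol version is being measured, so an expired or
        # self-signed certificate must not end the handshake early.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version, ctx.maximum_version = lowest, highest
        if highest in (V.TLSv1, V.TLSv1_1):
            # Assumption: OpenSSL backend. Recent OpenSSL refuses TLS 1.0/1.1 at
            # its default security level, which would hide a legacy-only server.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):  # refused handshake, unreachable, unsupported version
        return None


def classify(modern, legacy):
    """Map the two probe results onto what a visitor's browser will do."""
    if modern and legacy:
        return "ok, but TLS 1.0/1.1 still enabled"
    if modern:
        return "ok"
    if legacy:
        return "legacy-only: browsers show the error page"
    return "inconclusive"


def check(host, port=443):
    modern = probe(host, port, V.TLSv1_2, V.MAXIMUM_SUPPORTED)
    legacy = probe(host, port, V.TLSv1, V.TLSv1_1)
    return modern, legacy, classify(modern, legacy)


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, *check(name), sep="\t")
```

A failed legacy probe can also mean the local TLS library was built without TLS 1.0/1.1, so a plain "ok" is worth confirming from a second client before concluding the old protocols are disabled.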

