
These truly are the end times for TLS 1.0, 1.1: Firefox hopes to 'eradicate' weak HTTPS standard by blocking it

Mozilla's browser will, from March, require manual override

Mozilla Firefox will require user intervention to connect to websites using the TLS 1.0 or 1.1 protocol from March 2020 – and plans to eventually block those weak HTTPS connections entirely.

The weaknesses of TLS 1.0 (1999) and 1.1 (2006) have been known for years: both still lean on MD5 and SHA-1 in the handshake, and TLS 1.0's CBC cipher modes are exposed to attacks such as BEAST. Web servers should be using TLS 1.2 or 1.3 for their HTTPS connections.

The PCI Data Security Standard (PCI DSS), which governs sites handling card payments, has required TLS 1.1 or higher since 1 July 2018, with TLS 1.2 strongly encouraged. Even so, until March 2020 most users will see at most a warning in their browser when a site negotiates TLS 1.0, and several browsers show nothing at all. We took a look at a website running TLS 1.0 in a variety of web browsers today. Of these:

  • Google Chrome 80 states: "Your connection to this site is not fully secure. This site uses an outdated security configuration."
  • Firefox 72 warns: "Connection not secure. This page uses weak encryption."
  • Safari 12.1 displays no warning and says: "Safari is using an encrypted connection."
  • Microsoft Edge Chromium displays no warning and says: "Connection is secure."
  • Microsoft IE 11 displays no warning and says: "This connection to the server is encrypted" (though you can block these protocols in Internet Options).
  • Brave 1.2.43 displays no warning and says: "Connection is secure."
  • Vivaldi 2.10.1745 displays no warning and says: "Connection is secure."
Safari today reports nothing amiss about a TLS 1.0 connection

This is all about to change. Apple said: "Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020." Google has said it will remove support for TLS 1.0 and 1.1 in Chrome 81 (expected on March 17). Microsoft said it would do the same "in the first half of 2020".

The TLS warning in the forthcoming Firefox 73

Mozilla has now spelled out its approach. From next month, users hitting a site running TLS 1.0 or 1.1 will not connect immediately, but see a warning screen stating: "Secure connection failed." There is an option to override this, in which case it will be overridden for all sites.

Thyla van der Merwe, cryptography engineering manager at Mozilla, said: "We plan to keep the override button for now; the telemetry we're collecting will tell us more about how often this button is used. These results will then inform our decision regarding when to remove the button entirely. It's unlikely that the button will stick around for long. We're committed to completely eradicating weak versions of TLS."

A user has already queried why Firefox will not allow the override on a per-site basis. "We decided on a global fallback," said van der Merwe, without explaining why.

Figures from SSL Pulse show wide support for TLS 1.2

Will this cause problems? According to SSL Pulse, which tracks TLS configuration across the top 150,000 most visited websites, 96.8 per cent support TLS 1.2. That said, 71.5 per cent also still accept TLS 1.1 and 61.5 per cent TLS 1.0. Because client and server negotiate the highest version both support, a server that merely leaves the old versions enabled is not broken by the change; it is reached over TLS 1.0 or 1.1 only when a client can do no better, or insists.
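The SSL Pulse numbers are aggregate; what an operator actually wants to know is whether their own server still answers a TLS 1.0 or 1.1 ClientHello. The following is an added example written for this article, not code from The Register, Mozilla or SSL Pulse. It builds a minimal ClientHello offering exactly one protocol version and classifies the server's first record (a ServerHello means accepted, a protocol_version alert means rejected). Doing this by hand rather than through the local TLS library matters: modern OpenSSL builds refuse to even send a TLS 1.0 hello, so a failed `openssl s_client -tls1` says nothing about the server. The host, port, cipher-suite list and the fixed client random are assumptions of the probe, not values from the article.

```python
"""Probe whether a server still accepts TLS 1.0 / 1.1 / 1.2 (added example)."""
import socket
import struct
import sys

# client_version values from RFC 5246 section 7.4.1.2; SSL 3.0 deliberately omitted.
TLS_VERSIONS = {"TLS 1.0": 0x0301, "TLS 1.1": 0x0302, "TLS 1.2": 0x0303}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error"}
# Assumed suite list: legacy CBC suites plus TLS 1.2 GCM suites so most servers find a match.
CIPHER_SUITES = [0x002F, 0x0035, 0xC013, 0xC014, 0x009C, 0xC02F, 0xC030]


def _ext(ext_type: int, body: bytes) -> bytes:
    """Wrap one extension body in its type/length header."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(version: int, server_name: str) -> bytes:
    """Return one TLS record carrying a ClientHello that offers only `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    name = server_name.encode("idna")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = (
        _ext(0x0000, sni)                                                # server_name
        + _ext(0x000A, struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018))  # supported_groups
        + _ext(0x000B, b"\x01\x00")                                      # ec_point_formats
        + _ext(0x000D, struct.pack("!HHHHH", 8, 0x0401, 0x0501, 0x0601, 0x0201))  # signature_algorithms
    )
    body = (
        struct.pack("!H", version)
        + b"\x00" * 32                          # client random; fixed because this is only a probe
        + b"\x00"                               # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType.client_hello
    # Record-layer version stays 0x0301 for every probe; servers negotiate on client_version.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(record: bytes) -> tuple:
    """Classify the first record a server sent back: (status, detail)."""
    if len(record) < 5:
        return ("no-tls", "connection closed or non-TLS response")
    content_type = record[0]
    (length,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + length]
    if content_type == 0x15 and len(body) >= 2:                       # Alert
        return ("rejected", ALERTS.get(body[1], "alert %d" % body[1]))
    if content_type == 0x16 and len(body) >= 6 and body[0] == 0x02:    # Handshake: ServerHello
        (negotiated,) = struct.unpack("!H", body[4:6])
        return ("accepted", VERSION_NAMES.get(negotiated, hex(negotiated)))
    return ("unknown", "content type %#x" % content_type)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def recv_record(sock: socket.socket) -> bytes:
    """Read exactly one TLS record (5-byte header plus body)."""
    header = _recv_exact(sock, 5)
    if len(header) < 5:
        return header
    (length,) = struct.unpack("!H", header[3:5])
    return header + _recv_exact(sock, length)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Map each version name to (status, detail) for the given host."""
    results = {}
    for name, version in TLS_VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version, host))
                results[name] = classify_response(recv_record(sock))
        except OSError as exc:
            results[name] = ("error", str(exc))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default target
    for version, (status, detail) in probe(target).items():
        print(f"{target}: {version:<8} {status:<9} {detail}")
```

Read the "accepted" detail as well as the status: a server may answer an offer of TLS 1.2 with a ServerHello for a lower version, and that negotiated version is what the probe reports. Servers that simply drop the connection on an unsupported version show up as "no-tls" rather than "rejected", which is still a pass for the purposes of this check.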

The great majority of sites are therefore ready for the change. Applications can still break, however, if they connect to web services using a deprecated TLS version. For example, apps built on .NET Framework 4.5 and below do not enable TLS 1.2 by default (the protocol list has to be changed in code via ServicePointManager.SecurityProtocol, or the app moved to .NET Framework 4.6 or later, where TLS 1.2 is on by default) and may start throwing errors as services drop TLS 1.0 and 1.1. It is another reason to upgrade legacy applications. Old mobile phones are another problem: Android gained TLS 1.1 and 1.2 support only in version 4.1 (Jelly Bean) in 2012, and did not enable them by default in its client stack until Android 5.0.

In the unlikely event that admins have neglected to upgrade web servers to support at least TLS 1.2, March 2020 will be the wake-up call. ®
