It's time for TLS 1.0 and 1.1 to die (die, die)

IETF floats formal deprecation suggestion, even for failback

As TLS 1.3 inches towards publication into the Internet Engineering Task Force's RFC series, it's a surprise to realise that there are still lingering instances of TLS 1.0 and TLS 1.1.

The now-ancient versions of Transport Layer Security (dating from 1999 and 2006 respectively) are nearly gone, but stubborn enough that Dell EMC's Kathleen Moriarty and Trinity College Dublin's Stephen Farrell want it formally deprecated.

This Internet-Draft (complete with “die die die” in the URL) argues that deprecation time isn't in the future, it's now, partly because developers in recalcitrant organisations or lagging projects probably need something to convince The Boss™ it's time to move.

The last nail in the coffin would be, formally and finally, to ban application fallback to the hopelessly insecure TLS 1.0 and 1.1 standards.

Deprecation also removes any excuse for a project to demand support for all four TLS variants (up to TLS 1.3), simplifying developers' lives and reducing the risk of implementation errors.

Since the PCI Council's deprecation deadline of June 30, 2018, is fast approaching, the Draft notes that deprecation now would be timely.

The document also notes that apart from websites, organisations like 3GPP 5G, CloudFlare, Amazon and GitHub have either completed their deprecation or will finish the job by July.

The requirement itself is simple enough: “Pragmatically, clients MUST NOT send a ClientHello with ClientHello.client_version set to {03,01}. Similarly, servers MUST NOT send a ServerHello with ServerHello.server_version set to {03,01}. Any party receiving a Hello message with the protocol version set to {03,01} MUST respond with a 'protocol_version' alert message and close the connection.”

The publication of TLS 1.3 into the RFC stream is imminent – it's reached the last stage of the pre-publication process, author's final review. When it's published, it will carry the designation RFC 8446.

Props to Michal Špaček for noticing that the RFC's publication number carries on something of a tradition for TLS standards. ®

Send us news

Six pack of sub-Neptune exoplanets hang tight around nearby star

Their resonant orbits have remained unchanged for some 4 billion years

Nostalgia for XP sells out Microsoft's 2023 'Windows Ugly Sweater'

Bliss not your thing? You could win the Paint version

SAP faces more accusations of breaching on-prem customers' trust

Cloud-only innovation strategy slammed as users opt for on-prem and hosted support for S/4HANA

We challenged you to come up with tech predictions for 2024 (wrong answers only) – here are some favorites so far

Plus some of our own and the ugly Microsoft sweater one of you will win. Please take it off our hands...

Honda cooks up an electric motorbike menu, with sides of connectivity

Plans buffet of components you can assemble into a dream machine

Weak session keys let snoops take a byte out of your Bluetooth traffic

BLUFFS spying flaw present in iPhones, ThinkPad, plenty of chipsets

AI offers some novel crystal materials that could form future chips, batteries, more

What's more, a robot managed to cook some of them up. So, y'know, it might not be entirely science fiction

OpenAI makes it official: Sam Altman is back as CEO

Microsoft joins the board in non-voting role

China's Loongson debuts processor that 'matches Intel silicon circa 2020'

Best not to dismiss it, as Asus looks to be onboard and advances are promised

US lawmakers have Chinese LiDAR on their threat-detection radar

Amid fears Beijing could harvest spatial data, letter suggests Huawei-style bans may be needed

Rogue ex-Motorola techie admits cyberattack on former employer, passport fraud

Pro tip: Don't use your new work email to phish your old firm

Meta yanks VR headset's strap-on booster battery after charging bricks it

A misbehaving Li-ion on your noggin - what could possibly go wrong?