The days of old TLS versions are nigh. All major web browsers - Safari, Mozilla, Chrome, and Edge - will disable support of TLS 1.0 and TLS 1.1. The old and insecure versions of SSL protocols.
Browsers will phase out the old versions this and next months. According to Netcraft and ZD Net, this change will affect websites for major banks, governments, news organizations, telecoms, e-commerce stores, and internet communities.
This step is a planned change that was announced back in November 2018. At the time the statistics of the SSL versions were as follows:
- Safari - TLS 1.2 was used on 99.6% of connections. TLS 1.0 and 1.1 planned for March 2020.
- Chrome - 99.5% of connections with TLS1.2 or TLS1.3. Warnings from version 72, disabling planned for January 2020.
- Edge and Explorer 11 - planned to disable TLS 1.0 and 1.1 in the first half of 2020.
- Firefox - planned to disable support of TLS1.0 and TLS1.1 in March 2020.
Upgrade from TLS1.1 to TLS1.2 allows using new encryption algorithms and deprecation of weak functions MD5 and SHA1. The latter have practical attacks where the reward is sufficiently high and where the attacked data has long-term validity (like SSL certificates). Having said that big companies are still using SHA-1 on their TLS-based servers, including Google who invested in SHA-1 attacks to encourage the use of new encryption methods.
TLS1.0 contains a vulnerability allowing downgrade of the protocol to the insecure SSL3.0 (that was first implemented in 1996 still as a Mozilla "standard"). As a result, attackers can force the use of keys that can be broken in hours or less.
What will practically happen? Browsers will start showing full-page warnings - similar to expired certificates and prohibiting access to servers with old versions of TLS. This means that around 5,000 of the top 1,000,0000 web sites still using old protocols will become inaccessible unless they complete an upgrade in the coming days.
Full page warning in the new Mozilla browser.
The most recent update clarifies the dates of complete deprecation of TLS1.0 and TLS1.1, which will happen in the next upgrades of Chrome (version 81) and Firefox (version 74). Releases of these versions are scheduled for later this month.
Safari will follow suit this month as well, although no recent update has been given. Microsoft will join other browsers with its browser Edge (version 82) at the end of April.
You have better things to do, Let KEYCHEST look after your certs. KeyChest with its global database of web certificates can instantly create an initial "big picture" so you can start analyzing your exposure to cyber attacks and adjust it according to your risk appetite.