Firefox, Chrome, Edge, Internet Explorer, and Safari are all dropping support for older versions of the the online security protocol TLS, used in practically any encrypted exchange online. While few people or machines are using the long-unsafe TLS 1.0 and 1.1, they’re still permitted in many connections — but not for long.
Transport Layer Security is a community-developed standard that got its 1.0 release nearly 20 years ago. It and its close relative, 1.1, have known flaws that make them unsafe to use for any secure communications. 1.2 addressed these major flaws in 2008 and is currently used by the vast majority of clients. 1.3, released earlier this year, both improves and streamlines the standard, but as yet has only a limited presence online as many servers and services haven’t been updated to support it.
Mozilla, Google, Microsoft, and WebKit all made separate but similar announcements on their blogs, essentially that the old versions, 1.0 and 1.1, will be phased out by early 2020 — March specifically for some, which we can take as a general indicator for the others.
“Two decades is a long time for a security technology to stand unmodified,” wrote Microsoft’s Kyle Pflug. “While we aren’t aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1, vulnerable third-party implementations do exist. Moving to newer versions helps ensure a more secure Web for everyone.”
As a user you don’t need to do a thing. The browsers and apps you use will work just as they have before — chances are they’re all using 1.2 already. Mozilla shared a chart showing that only a smattering of connections it sees use the earlier versions:
These connections, low by proportion but still numerous, could be lots of things. Legacy machines embedded here are there; old apps for which the security stack hasn’t been updated in years; hacked devices. It’s almost certainly not you or even your parents.
The long lead time is given because of the possibility (nay, inevitability) that there are some critical systems (for example in aging municipal infrastructure) that will cease to work because of this change. People need time to do a real audit, although they probably should have done it years ago.
This move should make everyone a little safer online, though everything will continue to act exactly as it did before. That’s by design.
News Source = techcrunch.com