TLS 1.0 and 1.1 to be deprecated by 2020

Earlier versions of Transport Layer Security (TLS) will be disabled on all major browsers by 2020, in a push by tech giants to modernize the cryptographic protocol.

In an announcement made yesterday, Microsoft said that TLS versions 1.0 and 1.1 would no longer be supported on Microsoft Edge and Internet Explorer as of early 2020 – a change that was echoed by consecutive statements made by Apple, Google, and Mozilla.

TLS, a web security standard now over 20 years old, ensures communications between servers and browsers are encrypted, providing users online protection from theft, forgery, and unwarranted spying.

While later versions, including and up to TLS 1.1, have no significant vulnerabilities present, consensus among security circles is that problems will arise in the future due to the poor implementation of the protocol by third parties.

To mitigate risks of SSL/TLS exploits such as BEAST, TLS 1.2, and forthcoming 1.3, will have advanced cryptography set to default for all online traffic.

“Now is the time to make this transition,” said Christopher Wood, software engineer at Apple, writing about deprecation of the older TLS versions in a blog post.

“Properly configured for App Transport Security (ATS) compliance, TLS 1.2 offers security fit for the modern web. It is the standard on Apple platforms and represents 99.6% of TLS connections made from Safari. TLS 1.0 and 1.1 — which date back to 1999 — account for less than 0.36% of all connections.”

Wood’s comment follows the release of a report by the National Institute of Standards and Technology (NIST) on the continued use of TLS, and call for all US government servers to implement TLS 1.2 by 2024.

These servers, NIST said, should be “configured with FIPS-based cipher suites”, with intent to migrate over to TLS 1.3 – the new standard proposed by the Internet Engineering Task Force (IETF) in August of this year.

“TLS 1.3 is intended to coexist with TLS 1.2 rather than replace it,” NIST added.

Mozilla notes that this change will not affect the majority of sites, as 94% have already implemented TLS 1.2, according to SSL Labs.



RELATED Not to be trusted: Mozilla delays Symantec TLS veto