Tag Archives: MD5

TLS 1.0 and 1.1 Upcoming End of Support Announced

Early last week saw a coordinated effort from almost major browser vendor to follow the guidelines of the PCI-DSS standard and to end support for TLS 1.0 and 1.1

Why should this change be considered relevant?
Each of the browser vendors have worked together to create a definite timeline (starting in 2020 and complete by July 2020) for the end of support of these now obsolete security protocols. TLS 1.0 is almost 20 years old and is no longer PCI-DSS compliant.  Separately TLS 1.1 is more than 10 years old. They both contain known vulnerabilities e.g. BEAST (an attack), DROWN or FREAK (both downgrade attacks) etc. use insecure hash functions (e.g. MD5 and SHA-1) and receive very little use today:

0.4% from Apple Safari (<0.36% for all connections) (Source: WebKit)

0.5% for Google Chrome (Source: Google)

1.2% of Firefox Beta 62 during the time August-September 2018 (Source: Mozilla)

0.72% for Microsoft Edge (Source: Microsoft)

More modern standard e.g. TLS 1.2 offers improved performance when used with HTTP/2 and are PCI-DSS compliant. Moreover, it doesn’t suffer from all of the vulnerabilities affecting prior versions and includes stronger alternatives to older hash functions e.g. ECDHE_RSA_WITH_AES_128_GCM_SHA256 .

What does the future hold?
Following the recent deprecation of any standard of TLS older than 1.2 on the 30th of June this year due to the mandate set by the PCI Security Standard Council has steadily seen the increase of the recently ratified TLS 1.3 (in April 2018) but defined within (Request for Comments) RFC 8446 in August. This is in part due to a change by Mozilla to Firefox in April and the adoption of the newest standard by some popular websites e.g.:

Google’s Gmail (although the newer standard isn’t always enabled)

https://www.bleepingcomputer.com/

https://www.securityweek.com/

https://nakedsecurity.sophos.com

https://www.theregister.co.uk/

https://www.wordpress.com (which also includes this blog you are reading!)

The OpenSSL Foundation added full TLS 1.3 support to their popular cryptographic library OpenSSL with the release of version 1.1.1 in September 2018. OpenSSL are further driving adoption of the newest standard by ending support for the current long term support (LTS) version 1.0.2 by the end of 2019 (with it only receiving security updates after the 31st December 2018).

The increase in traffic is best illustrated by Mozilla showing approaching 6% usage for Firefox Beta 62 during the time August-September 2018. Such an increase is really good news for the security of the Internet specifically any online service that requests personal information and e-commerce websites in particular.

For more information on which web browsers support TLS 1.3, please see this link with a table from Salesforce illustrating browser support for TLS 1.2 here.

Thank you.