Skip to content
Naked Security Naked Security

Mozilla issues final warning to websites using TLS 1.0

From March, the Firefox, Chrome, Safari and Edge browsers will show warnings when users visit websites that only support TLS versions 1.0 or 1.1.

Sometime this March, the Firefox, Chrome, Safari and Edge browsers will start throwing up warnings when users visit websites that only support Transport Layer Security (TLS) versions 1.0 or 1.1.
Announced in October 2018 as part of a joint plan to phase out support, the implications for any holdout sites are stark – enable the later TLS 1.2 or, ideally, 1.3, or face having no traffic.
According to the latest Mozilla reminder, visitors using Firefox will start seeing a ‘Secure Connection Failed’ message with accompanying SSL_ERROR_UNSUPPORTED_VERSION for anyone in doubt.
Initially, it will be possible to override this but only for so long. Sooner rather than later, Mozilla says that too will disappear:

We’re committed to completely eradicating weak versions of TLS because at Mozilla we believe that user security should not be treated as optional.

Other browsers will follow suit, with the Chrome browser having adopted ‘Your connection to this site is not fully secure’ messages last month with full blocking due to begin in March.

Netscape Navigator

But why the need to ditch TLS 1.0 and 1.1?
Although not exactly a household name, TLS is the encryption protocol that makes several types of secure connection possible, including secure versions of SMTP, POP3, FTP and of, course, HTTP.
For example, when a browser visits a site using HTTPS, TLS sets up authentication, the exchange of session keys, and agreement on cipher suites.
To make all this work, both ends must also agree which version of TLS they will use, which is where the problems start for older versions.
Issue number one is the age of TLS 1.0 and 1.1.
As far as the IETF is concerned, TLS 1.0 has been around since 1999, building on technology invented years before that to work with Netscape’s famous but ancient Navigator browser.
TLS 1.1 arrived in 2006 but was quickly improved upon by TLS 1.2 two years later. We’re now up to TLS 1.3, support for which is appearing now.
Going from TLS 1.0 to 1.3 might not sound like a huge jump but TLS 1.3 is vastly more secure and more optimised for the speed of today’s internet – both valid reasons to ask sites to get rid of older versions.
It’s not clear how many sites still use TLS 1.0 and 1.1 – Google estimates around 0.75% of page loads – but even a small sliver of sites is now too many.
Judging from the sites cited by Google, most appear to be smaller domains which are either unmanaged or managed passively.
From March, for the want of an upgrade, these sites will start to suffer the consequences of that.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

1 Comment

it’s all good as far as I’m concerned but it’s going to bite a lot of public sector organisations using niche apps provided by vendors with a p### poor record of securing their apps. A colleague of mine disabled TLS v1.0 on several of our internal app servers yesterday and broke several 3rd party apps that connect to backend SQL DBs because those apps are configured to use connection drivers that need TLS v1.0. Have to be honest, I was less than sympathetic :)

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?