In one of the strangest stories of the year, the COVID-19 virus has halted plans by major browsers to drop support for the ageing and insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols.
Mozilla Firefox and Google’s Chrome developers sneaked out the move in recent days with only Microsoft Edge team bothering to formally announce the sudden reprieve on Tuesday.
In fairness, with COVID-19 throwing development schedules into minor chaos browser development teams probably have other things on their minds right now anyway.
While a temporary delay, it’s still an unexpected retreat for an industry which had showed unity in collectively deciding to banish TLS 1.0 and the lesser used TLS 1.1 by early 2020.
TLS, of course, is the protocol used to encrypt network communication, most prominently the HTTPS used by web browsers to connect securely to websites.
While TLS 1.2 and the recent 1.3 are now widely supported, versions 1.0 and 1.1 are now so old they’ve accumulated numerous weaknesses that render them insecure.
Attacks have included BEAST in 2011, Lucky Thirteen in 2013, and the POODLE SSL downgrade attack from 2014, and several others. Things got so bad the PCI DSS compliance standards were updated to insist that servers taking credit card payments stop supporting it in 2018 at the risk of big fines.
But what’s this got to do with COVID-19?
That’s less well explained, with Microsoft referring only to “current global circumstances”. Mozilla was more forthcoming:
We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.
That’s a polite way of saying that, prior to COVID-19, those sites would have been allowed to wither as users trying to visit them were confronted with warnings about the sites’ support for insecure protocols.
In other words, the seriousness of COVID-19, and the possibility that at least some people might try to visit these sites, has now overridden these concerns.
Ironically, this is the very issue that’s dogged the phasing out of support for TLS 1.0 – the annoying fact that some websites that should know better haven’t been turning off support, hence the need for browser makers to step in to do it from the client end.
The question is how long this logic can hold.
Officially, the three browser makers mentioned in this article have all said they plan to revert to plan A and drop support for TLS 1.0 and 1.1 by the late spring or summer. But what happens if COVID-19 is still a problem?
Assuming these sites offering COVID-19 advice haven’t banished TLS 1.0 and 1.1 by the cut offs, that could either force more delays or a decision to press ahead regardless.
The larger truth is abandoning anything in software has become difficult. When the moment comes, there are bound to be losers and holdouts.
It’s been the bane of operating systems, such as Windows and Android, for years. Now this phenomenon is repeating itself on a smaller scale in the normally obscure world of the protocols used to quietly secure traffic between browsers and websites.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Cassandra
to better enable access to critical government sites sharing COVID19 information
So it is government websites (presumably of otherwise previously thought reputable governments) who are dragging their heals in keeping their IT infrastructure up to date. Probably those who still use WindowsXP in “vital services”?
Can we assume that other bits of the IT infrastructure are probably equally ramshackle? Can we presume that information that we think we are getting from “critical government sites” is actually that information and not something else slipped in by “national actors” or other miscreants?
Could explain the contradictory, conflicting and changing information that I think I see coming out of my government. On the other hand, they may just be incompetent in more than IT.
(Private Frazer joke required)
John E Dunn
No special insight on this topic beyond the general observation that the US Government has a vast web infrastructure, some of it dating back many years. Upgrading all this must be a time-consuming business. Most governments that adopted the web as early as the US did will look very similar.
ITguy
Agreed. I found it strange this article offered no critique of the decrepit unsecured government websites. Just imagine if these incompetent IT teams ran our healthcare system. God forbid!
I’ll never understand why there are so many damn socialists in the tech industry. They won’t dare criticize government. They’d rather blame the private industry that pays their salaries. It’s nuts.
John E Dunn
The reason US Government websites were cited as a reason for delaying TLS 1.0 deprecation is because some of them publish important advice on COVID-19.
That’s not the same as saying these are the *only* sites with this problem. Plenty of private sector sites have the same weakness.
Dan Valentine
The issue is not that “some websites that should know better haven’t been turning off support” or “these sites offering COVID-19 advice haven’t banished TLS 1.0 and 1.1 by the cut offs”. The issue is that they have not enabled TLS 1.2 support. Websites are welcome to leave TLS 1.0 and 1.1 enabled to support older web browsers if they want to, but they need to support the newer protocol(s) so that users of modern web browsers dropping support for the older protocols can still access them.
John E Dunn
The counter argument is that leaving TLS 1.0 turned on to support older web browsers allows people to continue using a protocol everyone knows to be hugely insecure.