In almost simultaneous announcements, Apple, Microsoft, and Google have said that the older 1.0 and 1.1 versions of the Transport Layer Security (TLS) protocol, which secures HTTPS, will be deprecated in their web browsers in the first half of 2020.
The TLS protocol is used to encrypt and authenticate connections to websites around the world, securing communications during web browsing, email, instant messaging, and voice over IP (VoIP) calls.
"As TLS 1.0 continues to age, many sites have already moved to newer versions of the protocol – data from SSL Labs shows that 94% of sites already support TLS 1.2, and less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," said Kyle Pflug, Microsoft Edge Senior Program Manager.
Furthermore, according to Apple's Christopher Wood, "TLS 1.2 offers security fit for the modern web. It is the standard on Apple platforms and represents 99.6% of TLS connections made from Safari. TLS 1.0 and 1.1 — which date back to 1999 — account for less than 0.36% of all connections."
Moving a website's TLS configuration to TLS 1.2 or later brings a number of advantages, among them removing the risk of the DROWN, FREAK, and ROBOT attacks and dropping the flawed MD5 and SHA-1 hash functions from peer authentication.
The older TLS 1.0 and TLS 1.1 security protocols will be disabled by all four major web browser developers in 2020
The TLS 1.0 and 1.1 protocols will be completely disabled in Google Chrome starting January 2020, in Microsoft Edge and Internet Explorer 11 during the first half of 2020, and in Safari for macOS and iOS in March 2020.
Mozilla has yet to announce the removal of the old versions of TLS from its Firefox web browser, but as reported by ZDNet, "While Mozilla did not issue a blog post about the upcoming deprecation, a Mozilla spokesperson confirmed the company will deprecate TLS 1.0 and TLS 1.1 in 2020."
As detailed in an Internet Engineering Task Force (IETF) document, "Industry has actively followed guidance provided by NIST and the PCI Council to deprecate TLSv1.0 and TLSv1.1 by June 30, 2018. TLSv1.2 should remain a minimum baseline for TLS support at this time."
Therefore, new vulnerabilities are expected to emerge in the older TLS versions, and the IETF will no longer address them once TLS 1.0 and TLS 1.1 are deprecated.