For quite some time now, we have been watching the gradual withdrawal of TLS 1.0 and TLS 1.1. During the celebration of the protocol's 20th anniversary, Microsoft, Google, Mozilla, and Apple announced their intention to stop supporting TLS 1.0 and TLS 1.1 in the Edge, Chrome, Firefox, and Safari browsers in the first quarter of 2020. Naturally, the end of support has not been announced only by the companies developing web browsers, but by others as well, for example Cisco, which announced the end of support for older TLS versions as of March 31, 2020.
The first version of the TLS (Transport Layer Security) protocol was introduced to the world in 1999 as the successor to the SSL protocol from 1996. At present, the most advanced version is TLS 1.3, with the two older versions being susceptible to a great variety of attacks, such as BEAST or POODLE. One of the most important uses of TLS is its "connection" with HTTP, which (simply put) gives us HTTPS.
The most commonly used version of TLS today is TLS 1.2 (see below). The main differences compared to the older versions include, for example, the replacement of MD5/SHA-1 in the PRF by SHA-256 and support for authenticated encryption modes for application data. This third version of TLS is nothing new under the sun; its launch took place way back in 2008.
In 2018, Google announced that only 0.5% of all HTTPS connections made by the Chrome browser were established using TLS 1.0 or TLS 1.1. In 2020, this ratio had further decreased to 0.3%. Based on data from August to September 2018, Mozilla reported 1.11% for TLS 1.0 and 0.09% for TLS 1.1; for January to February 2020, the figures are as low as 0.26% for TLS 1.0 and 0.01% for TLS 1.1.
The declining ratios above show that both protocols are being abandoned and that the newer versions dominate in the vast majority of cases.
However, if a server still supports these protocols, an attacker can exploit this by forcing a connection to use them instead of the newer versions (a downgrade attack). Disabling the old protocols on the server is therefore recommended, although this may prevent some outdated browsers from connecting. The server's behaviour can be tested, for example, with the SSL Labs SSL Server Test (https://www.ssllabs.com/ssltest/). Note that none of the modern browsers require an old TLS version.
Administrators have had a relatively long time to make the switch. However, those who have delayed until now have about a month left to remedy the situation. Otherwise, starting in March, they will have to prepare for potential impacts, such as the sites they operate becoming unavailable.
Our recommendation is thus simple: check the TLS versions on your servers as soon as possible and, if needed, switch to a newer one. That said, we at AEC will of course be happy to assist you with the status analysis and risk mitigation.
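As an added example (not part of the original article and not AEC's own tooling), the following Python script implements the check described in the two paragraphs above: it attempts a handshake pinned to each TLS version in turn, using only the standard library, and reports whether TLS 1.0 or 1.1 is still accepted by the server and whether at least one modern version is available. It assumes the local OpenSSL build can still speak TLS 1.0/1.1 for probing purposes (the `SECLEVEL=0` workaround is needed because modern OpenSSL refuses those versions at its default security level); the hostnames and the injectable `negotiate` hook are ours, added so the classification logic can be exercised offline.

```python
import socket
import ssl
from ssl import TLSVersion

# Versions to probe, oldest first. TLS 1.0 and 1.1 are the legacy ones the article discusses.
PROBED_VERSIONS = [TLSVersion.TLSv1, TLSVersion.TLSv1_1, TLSVersion.TLSv1_2, TLSVersion.TLSv1_3]
LEGACY_VERSIONS = {TLSVersion.TLSv1, TLSVersion.TLSv1_1}


def negotiate(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly `version`; True if the server accepts it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # We are testing protocol support, not the certificate chain, so skip validation for the probe.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses TLS < 1.2 at its default security level; lower it for this probe only.
            # Assumption: the local OpenSSL build still compiles in TLS 1.0/1.1 (raises otherwise).
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError, OSError):
        # Handshake rejected, version unsupported locally, or network error: treat as "not negotiated".
        return False


def probe(host, port=443, negotiate=negotiate):
    """Map each TLS version name to whether the server negotiated it.

    `negotiate` is injectable (hypothetical hook) so the verdict logic can be tested without a network.
    """
    return {v.name: negotiate(host, port, v) for v in PROBED_VERSIONS}


def assess(results):
    """Turn probe results into a verdict: which legacy versions remain enabled and whether action is needed."""
    legacy_enabled = [v.name for v in PROBED_VERSIONS if v in LEGACY_VERSIONS and results.get(v.name)]
    modern_available = any(results.get(v.name) for v in PROBED_VERSIONS if v not in LEGACY_VERSIONS)
    return {
        "legacy_enabled": legacy_enabled,
        "modern_available": modern_available,
        # Either legacy is still on (downgrade exposure) or no modern version is offered at all
        # (browsers dropping TLS 1.0/1.1 will refuse to connect).
        "action_required": bool(legacy_enabled) or not modern_available,
    }


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    res = probe(target)
    for name, ok in res.items():
        print(f"{name:8s} {'accepted' if ok else 'rejected'}")
    print(assess(res))
```

Run it as `python tls_probe.py your.server.example` against a host you operate. If `legacy_enabled` is non-empty, the fix is a server-side protocol restriction such as `ssl_protocols TLSv1.2 TLSv1.3;` in nginx or `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache httpd, after which a re-run should show TLS 1.0 and 1.1 rejected and `action_required` false.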
Jakub Rubáš, Security Specialist
AEC a.s., Security Technologies Division