Microsoft To Disable TLS 1.0 and TLS 1.1 Support in Edge and Internet Explorer (zdnet.com)
Microsoft today said it plans to disable support for Transport Layer Security (TLS) 1.0 and 1.1 in Edge and Internet Explorer browsers by the first half of 2020. From a report: "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web," said Kyle Pflug, Senior Program Manager for Microsoft Edge. "Two decades is a long time for a security technology to stand unmodified," he said. "While we aren't aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1 [...] moving to newer versions helps ensure a more secure Web for everyone."
The move comes as the Internet Engineering Task Force (IETF) -- the organization that develops and promotes Internet standards -- is hosting discussions to formally deprecate both TLS 1.0 and 1.1. Microsoft is currently working on adding support for the official version of the recently-approved TLS 1.3 standard. Edge already supports draft versions of TLS 1.3, but not yet the final TLS 1.3 version approved in March, this year. Microsoft engineers don't seem to be losing any sleep over their decision to remove both standards from Edge and IE. The company cites public stats from SSL Labs showing that 94 percent of the Internet's sites have already moved to using TLS 1.2, leaving very few sites on the older standard versions. "Less than one percent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1," Pflug said, also citing internal stats. You can check public stats on the usage of TLS 1.0 and 1.1 here.
Edge? Awesome. Yes, please do this.
Internet Explorer!? Oh hell no!!
Seriously, the only reason why IE is still around is due to supporting legacy systems, such as networked attached hardware (printers, routers, switches, access points, security cameras, and more). Not all of these devices are on the public internet, so security concerns in that regard may not be as high. But their web based interfaces generally can not be updated, so are stuck using older protocols. What is the point of even having IE around anymore, if its one and only task (supporting legacy enterprise systems) no longer functions? If that's the case, just remove IE entirely since it'll be made worthless.
Internet Explorer on Windows XP still only supports TLS 1.0, and now even Firefox has left Windows XP; the remaining 3% of people still using Windows XP are screwed. I expect even Windows 7 will be under fire when more and more TLS versions get disabled. This is all part of Microsoft’s scheme to get people to use Spydows 10.
But I bet you anything they won't include an option to override unsafe TLS versions warning, and that sucks.
In some cases, there are good reasons to visit unsafe "sites" with expired certificates, that rely on TLS 1.0, or running older Java apps that use deprecated encryption algorithms. For instance, in my company, we have over 8,000 deployed servers with various versions of Dell DRAC (versions 5, 6 and 7) that are still perfectly serviceable, but that have become a massive pain in the butt to access with modern web browsers and newer JREs: some browsers just won't allow you to "visit the page anyway" (i.e. Firefox) and newer Java versions require a bunch of really annoying privacy configurations and a slew of impossible-to-disable warning popups to let older apps run - despite the damn DRAC apps running quite safely behind our perfectly secure corporate VPN. It's become so annoying we now distribute a dedicated Virtualbox VM with an outdated Linux distro just to be able to access older DRACs quickly.
In short, I wish developers stopped thinking they know what's good for you 100% of the time, and at least offered a configuration option to allow older, unsafe protocols to be used painlessly - even if the configuration option is difficult to set or hard to find, so long as it exists and it can be set once and for all. But they don't, because they think they know better...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Article updated two hours after publication to include similar announcements made by Apple and Google. While Mozilla did not issue a blog post about the upcoming deprecation, a Mozilla spokesperson confirmed the company will deprecate TLS 1.0 and TLS 1.1 in 2020. The original version of this article only mentioned Microsoft's plan to deprecate TLS 1.0 and TLS 1.1.
I browse on +1 so AC's need not respond, I won't see it.
We've still got a bunch of TLS 1.0 stuff because vendors don't update shit, or their update path is strictly "buy the new version" (and even when we buy the new version, we have to schedule the installation/configuration, testing, and transition).
"Your mouse has moved. Windows 10 needs to reboot. [OK]"
I think Windows 10 reboots more frequently than Windows 95.
Windows 10 doesn't prompt:
Configuring new mouse position for Windows 10
55% complete
Don't turn off or try and use your computer, this will take a while
Your PC will restart several times