Bulletproof TLS Newsletter #46
The end of TLS 1.0 and 1.1
30 October 2018
Author: Hanno Böck

This issue was distributed to 47,601 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. The end of TLS 1.0 and 1.1
  2. Short news

The end of TLS 1.0 and 1.1

The four largest browser vendors—Google, Microsoft, Mozilla, and Apple—have all announced that in 2020 they want to deprecate old TLS protocol versions 1.0 and 1.1. Webmasters should make sure that they support at least TLS 1.2, or ideally the latest version, TLS 1.3.

Although TLS 1.0 and 1.1 do have some security issues, it’s debatable how severe they are. TLS 1.0 is vulnerable to the BEAST attack, but that can be mitigated relatively easily by clients. Both TLS 1.0 and 1.1 use insecure hash functions like MD5 and SHA1, a detail that has been explored in the SLOTH attack.

Browser vendors still have not moved to deprecate weak cipher modes that are still supported in TLS 1.2—notably, CBC/HMAC with MAC-then-encrypt and the static RSA handshake. However, Google’s announcement indicates that further deprecations will follow and recommends supporting AEAD modes and the ECDHE key exchange.

It’s noteworthy that four major browser vendors have coordinated their efforts to deprecate old encryption protocols. This is likely due to past discussions in which such deprecations were met with resistance because when one browser vendor moves ahead, it could make users switch to another browser. Although their timelines aren’t fully aligned, the coordinated deprecation will make such scenarios less worrying for the vendors.

Short news