Web browsers sharpen knives for TLS 1.0, 1.1, tell protocols to dig their own graves for 2019

Sysadmins and netizens, it's time to get serious about killing off old, buggy and insecure versions of Transport Layer Security (TLS) – the encryption used to secure connections to HTTPS websites like your bank, El Reg, and so on. For one thing, web browser makers are laying out coordinated deprecation plans, meaning if your …

  1. John70

    Better shout out loud about it because you know what will happen. Big businesses will have an 11th-hour panic attack when they realise their web sites will no longer be accessible and demand extra time to sort it out.

    1. Flywheel

      Management: "do we have enough money in our budget for this?"

      1. GnuTzu

        "Management: 'do we have enough money in our budget for this?'"

        Security Assessor: "do you have enough liability insurance? Do the risk/cost trade-off analysis, dammit."

  2. lybad

    Seems the Webkit people were ahead of the curve:

    "The WebKit folks also provided on Monday a longer deadline, saying support will be removed from Safari in iOS and macOS “beginning in March 2010.”"

  3. Anonymous Coward

    When telemetry kills you... and big data finds the wrong answers...

    Sure, just a low percentage of my browsing habits is made on hardware devices supporting only older versions of TLS, because, well, it's not what I like to stare at all day long. Just, one billion accesses to cat images are less important than being able to configure and check devices - most of which are in private LANs behind a firewall, where encryption is still important, yet using older versions until those devices are fully retired is not such a big issue...

  4. Anonymous Coward

    Web browsers are not the problem

    Embedded devices and older applications are an issue, as recently as .NET 3.5 apps. Embedded devices in particular are damned expensive to replace.

    We're currently actively trying to rid a hosted platform of TLS 1.0; legacy devices will have to use HTTP if not replaced. Relatively modern apps are causing much more pain than expected, and the reason is not clear. Start now, it may take longer than you expect.

    1. phuzz Silver badge

      Re: Web browsers are not the problem

      For example we have a number of old switches and PDUs etc. which have management interfaces programmed in 2008 and never updated since. (Looking at you Zyxel, APC) Fortunately they're on the inside of our network and hopefully secure on a management-only segment.

      Which just means it's a pain when I want to go update some SNMP details and have to drop back to using IE because no other browser will let me connect.

      1. Dave K

        Re: Web browsers are not the problem

        Similar issue here when managing an old CUCM system. I'd generally be in favour of either a big screamy warning, or a whitelist for these types of sites. I'm all in favour of ditching obsolete technologies such as this, but some company-internal and other embedded stuff will be caught up in it.

      2. phuzz Silver badge
        FAIL

        Re: Web browsers are not the problem

        Update, I just checked and even IE wouldn't connect. I ended up downloading an old portable version of Firefox (from here) and disabling HTTPS altogether.

        Thanks APC!

      3. Anonymous Coward

        Re: Web browsers are not the problem

        There is that. I'm also thinking of embedded devices connecting over the Internet that are only capable of using TLS 1.0. Their processing capability is insufficient to handle TLS 1.2 (one example here doesn't really properly implement 1.0). Each device is of the order of a grand plus in cost, which becomes pricey when a large number of sites are involved.

        No, it isn't realistic to use a VPN in this instance.

        1. Anonymous Coward

          This would be easy to fix

          By default, browsers should skip warnings about "insecure" TLS/SSL (or requiring https at all) for anything which resolves to a private network 10/8 or 192.168/16 address.

          Old devices that can't be updated will be around for years, people shouldn't have to keep around an outdated browser just to access them.

    2. Gerhard Mack

      Re: Web browsers are not the problem

      We kept a VM with an old version of Windows just for internal management stuff. I mean, even some of the most recent (and expensive) purchases (I mean YOU Broadcom) don't handle modern browsers very well. Some of our 2017 purchases still required a working Java plugin with no web start option.

  5. fnusnu

    It's been educational to set Firefox to allow TLS 1.2 only and see what breaks.

    1. Anonymous Coward

      I set Firefox for this about a month ago and have hardly noticed anything breaking (even El Reg works):

      http://kb.mozillazine.org/Security.tls.version.*

      Personally, I welcome our more strict and secure TLS overlords.

      1. Anonymous Coward

        "have hardly noticed anything breaking"

        If you just consume web sites, you're probably right - and I'm sure porn sites are very careful their dedicated users can easily access them.

        As outlined above, it's a lot of embedded management applications that will break, and many of them cannot be updated but by replacing the whole device - something that is not always possible.

        There's a risk that to keep on using them, you have to disable TLS wholly, which actually decreases security far more than using an older version.

  6. 0laf

    Legacy apps will be an issue. Plenty of very large companies dislike keeping their shit current as long as they can pass the risk and cost onto their customers.

    I dearly hope that one of them will cop a big GDPR fine for failing to do this sooner rather than later and they'll get the idea that they are actually responsible for maintaining their products and their customers shouldn't need to compromise their own networks to make their shit function.

  7. Lee D Silver badge

    Do me a favour - someone tell the banks and places like BACS.

    I'm tired of dealing with their obsolete junk that only works in IE and so on, competing - and incompatible - versions of smartcard software required (one that works in Chrome, one that doesn't, etc. but you can't have both at the same time) and everything else.

    The only place I've ever left the services of for not understanding basic online security was a bank.

    They really need to get on board and make things easy for their customers, especially business.

    1. A Known Coward

      Mind naming and shaming those banks? I've never had a problem with my banks in the last 10 years - before that it was a minefield of dodgy Java and activeX extensions - which was a problem for me on Linux. I regularly move my money around to where I'm getting the best deals, so a list of banks to avoid would be useful information.

  8. Anonymous Coward

    Looks like IE8-IE10 only support TLS1.2 if you manually tell them to. Maybe we'll finally get rid of them.

    ( to be fair, we only grudgingly support IE10 nowadays, but there's one bank who still insist things work in IE7... )

  9. Reality Dysfunction
    FAIL

    Fail is somewhere?

    The Blog indicates early in 2020, article early 2019?

    "Microsoft noted on Monday that fewer than “one per cent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1.” Edge and Internet Explorer will ditch their TLS 1.0 and 1.1 support in the first half of next year, Redmond said, which puts the software giant ahead of the pack, since the other major browsers will start the process in 2020."

  10. Edward Noel

    Deprecate?

    deprecate (verb): express disapproval of

    deprecation (noun): the act or an instance of belittling
