TLS 1.0 and 1.1 are slated for the chopping block

Post by barbaz » Fri Oct 19, 2018 6:14 pm

https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/

I can understand deprecating TLS 1.0, and in fact disable it in my own browser much of the time. But are there specific problem(s) with TLS 1.1 that result in it being deprecated as well?
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
barbaz
Senior Member
 
Posts: 8695
Joined: Sat Aug 03, 2013 5:45 pm

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by therube » Fri Oct 19, 2018 7:23 pm

I don't recall what the reason was for 1.1.
Perhaps POODLE or something like that?

Anyhow, you should be using 1.3 ;-).
(SeaMonkey 2.49 does not support the latest draft [or final]. SeaMonkey 2.53 should support the latest draft [if not the final].)

Can TLS 1.3 be enabled in Fx 52.9 ESR?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.5
therube
Ambassador
 
Posts: 7170
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by GµårÐïåñ » Fri Oct 19, 2018 7:23 pm

About time, they have coddled everyone long enough. 1.1 is vulnerable and 1.2 is the lowest secure at the moment, so might as well pull the bandaid.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; rv:62.0) Gecko/20100101 Firefox/66.0
GµårÐïåñ
Lieutenant Colonel
 
Posts: 3308
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by barbaz » Fri Oct 19, 2018 8:24 pm

therube wrote: Anyhow, you should be using 1.3 ;-).

I have no idea the status of TLS 1.3 support in Waterfox. It's at least not enabled by default.

(FWIW Waterfox about:support says it uses NSS version 3.32.1)

EDIT It seems not supported yet. Setting security.tls.version.max to 4 and trying to connect to https://tls13.crypto.mozilla.org/ doesn't work. And TLS 1.3 final support isn't implemented in NSS until version 3.39 - https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes#Notable_Changes_in_NSS_3.39

GµårÐïåñ wrote: 1.1 is vulnerable

What vulnerabilities specifically?
barbaz
Senior Member
 
Posts: 8695
Joined: Sat Aug 03, 2013 5:45 pm

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by GµårÐïåñ » Fri Oct 19, 2018 9:08 pm

barbaz wrote:
therube wrote: Anyhow, you should be using 1.3 ;-).

I have no idea the status of TLS 1.3 support in Waterfox. It's at least not enabled by default.

It is in draft and while much better, has a lot of implementation to get out of the way first, 1.2 is the best and most secure hover point for now.

What vulnerabilities specifically?

More like rotted foundation, even though the structure is still standing. There is no "real" security issue in TLS 1.1 that TLS 1.2 fixes. However, there are changes and improvements, which can be argued to qualify as "fixing". Mainly: The PRF in TLS 1.1 is based on a combination of MD5 and SHA-1. Both MD5 and SHA-1 are, as cryptographic hash functions, broken. However, the way in which they are broken does not break the PRF of TLS 1.1. There is no known weakness in the PRF of TLS 1.1 (nor, for that matter, in the PRF of SSL 3.0 and TLS 1.0). Nevertheless, MD5 and SHA-1 are "bad press". TLS 1.2 replaces both with SHA-256 (well, actually it could be any other hash function, but in practice it is SHA-256).
GµårÐïåñ
Lieutenant Colonel
 
Posts: 3308
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by barbaz » Fri Oct 19, 2018 9:47 pm

Thanks GµårÐïåñ
barbaz
Senior Member
 
Posts: 8695
Joined: Sat Aug 03, 2013 5:45 pm

