TLS 1.0 and 1.1 are slated for the chopping block

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Post by barbaz » Fri Oct 19, 2018 6:14 pm

https://arstechnica.com/gadgets/2018/10 ... d-tls-1-0/

I can understand deprecating TLS 1.0, and in fact disable it in my own browser much of the time. But are there specific problem(s) with TLS 1.1 that result in it being deprecated as well?
*Always* check the changelogs BEFORE updating that important software!

therube
Ambassador
Posts: 7234
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by therube » Fri Oct 19, 2018 7:23 pm

I don't recall what the reason was for 1.1.
Perhaps POODLE or something like that?

Anyhow, you should be using 1.3 ;-).
(SeaMonkey 2.49 does not support the latest draft [or final]. SeaMonkey 2.53 should support the latest draft [if not the final].)

Can TLS 1.3 be enabled in Fx 52.9 ESR?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus

GµårÐïåñ
Lieutenant Colonel
Posts: 3318
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by GµårÐïåñ » Fri Oct 19, 2018 7:23 pm

About time, they have coddled everyone long enough. 1.1 as vulnerable and 1.2 is the lowest secure at the moment, so might as well pull the bandaid.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by barbaz » Fri Oct 19, 2018 8:24 pm

therube wrote: Anyhow, you should be using 1.3 ;-).
I have no idea the status of TLS 1.3 support in Waterfox. It's at least not enabled by default.

(FWIW Waterfox about:support says it uses NSS version 3.32.1)

EDIT It seems not supported yet. Setting security.tls.version.max to 4 and trying to connect to https://tls13.crypto.mozilla.org/ doesn't work. And TLS 1.3 final support isn't implemented in NSS until version 3.39 - https://developer.mozilla.org/docs/Mozi ... n_NSS_3.39
GµårÐïåñ wrote: 1.1 as vulnerable
What vulnerabilities specifically?
*Always* check the changelogs BEFORE updating that important software!

GµårÐïåñ
Lieutenant Colonel
Posts: 3318
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by GµårÐïåñ » Fri Oct 19, 2018 9:08 pm

barbaz wrote:
therube wrote: Anyhow, you should be using 1.3 ;-).
I have no idea the status of TLS 1.3 support in Waterfox. It's at least not enabled by default.
It is in draft and, while much better, has a lot of implementation to get out of the way first; 1.2 is the best and most secure hover point for now.
barbaz wrote: What vulnerabilities specifically?
More like rotted foundation, even though the structure is still standing. There is no "real" security issue in TLS 1.1 that TLS 1.2 fixes. However, there are changes and improvements, which can be argued to qualify as "fixing". Mainly: The PRF in TLS 1.1 is based on a combination of MD5 and SHA-1. Both MD5 and SHA-1 are, as cryptographic hash functions, broken. However, the way in which they are broken does not break the PRF of TLS 1.1. There is no known weakness in the PRF of TLS 1.1 (nor, for that matter, in the PRF of SSL 3.0 and TLS 1.0). Nevertheless, MD5 and SHA-1 are "bad press". TLS 1.2 replaces both with SHA-256 (well, actually it could be any other hash function, but in practice it is SHA-256).
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by barbaz » Fri Oct 19, 2018 9:47 pm

Thanks GµårÐïåñ
*Always* check the changelogs BEFORE updating that important software!

kukla
Senior Member
Posts: 243
Joined: Mon May 04, 2009 12:08 am

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by kukla » Tue Nov 20, 2018 10:45 pm

For Waterfox, from https://www.ssllabs.com/ssltest/viewMyClient.html

Not good if it allows 1.0. Just set security.tls from 1 to 3 (security.tls.version.min;3)
