TLS 1.0 and 1.1 are slated for the chopping block

Posted: Fri Oct 19, 2018 6:14 pm
by barbaz
https://arstechnica.com/gadgets/2018/10 ... d-tls-1-0/

I can understand deprecating TLS 1.0, and in fact disable it in my own browser much of the time. But are there specific problems with TLS 1.1 that result in it being deprecated as well?

Re: TLS 1.0 and 1.1 are slated for the chopping block

Posted: Fri Oct 19, 2018 7:23 pm
by therube
I don't recall what the reason was for 1.1.
Perhaps poodle or something like that?

Anyhow, you should be using 1.3 ;-).
(SeaMonkey 2.49 does not support the latest draft [or final]. SeaMonkey 2.53 should support the latest draft [if not the final].)

Can TLS 1.3 be enabled in Fx 52.9 ESR?

Re: TLS 1.0 and 1.1 are slated for the chopping block

Posted: Fri Oct 19, 2018 7:23 pm
by GµårÐïåñ
About time, they have coddled everyone long enough. 1.1 is vulnerable and 1.2 is the lowest secure at the moment, so might as well pull the band-aid.

Re: TLS 1.0 and 1.1 are slated for the chopping block

Posted: Fri Oct 19, 2018 8:24 pm
by barbaz
therube wrote: Anyhow, you should be using 1.3 ;-).
I have no idea of the status of TLS 1.3 support in Waterfox. It's at least not enabled by default.

(FWIW Waterfox about:support says it uses NSS version 3.32.1)

EDIT: It seems not supported yet. Setting security.tls.version.max to 4 and trying to connect to https://tls13.crypto.mozilla.org/ doesn't work. And TLS 1.3 final support isn't implemented in NSS until version 3.39 - https://developer.mozilla.org/docs/Mozi ... n_NSS_3.39
GµårÐïåñ wrote: 1.1 is vulnerable
What vulnerabilities specifically?

Re: TLS 1.0 and 1.1 are slated for the chopping block

Posted: Fri Oct 19, 2018 9:08 pm
by GµårÐïåñ
barbaz wrote:
therube wrote: Anyhow, you should be using 1.3 ;-).
I have no idea of the status of TLS 1.3 support in Waterfox. It's at least not enabled by default.
It is in draft and, while much better, has a lot of implementation to get out of the way first; 1.2 is the best and most secure hover point for now.
What vulnerabilities specifically?
More like rotted foundation, even though the structure is still standing. There is no "real" security issue in TLS 1.1 that TLS 1.2 fixes. However, there are changes and improvements, which can be argued to qualify as "fixing". Mainly: The PRF in TLS 1.1 is based on a combination of MD5 and SHA-1. Both MD5 and SHA-1 are, as cryptographic hash functions, broken. However, the way in which they are broken does not break the PRF of TLS 1.1. There is no known weakness in the PRF of TLS 1.1 (nor, for that matter, in the PRF of SSL 3.0 and TLS 1.0). Nevertheless, MD5 and SHA-1 are "bad press". TLS 1.2 replaces both with SHA-256 (well, actually it could be any other hash function, but in practice it is SHA-256).

Re: TLS 1.0 and 1.1 are slated for the chopping block

Posted: Fri Oct 19, 2018 9:47 pm
by barbaz
Thanks GµårÐïåñ

Re: TLS 1.0 and 1.1 are slated for the chopping block

Posted: Tue Nov 20, 2018 10:45 pm
by kukla
For Waterfox, from https://www.ssllabs.com/ssltest/viewMyClient.html

Not good if it allows 1.0. Just set security.tls.version.min from 1 to 3 (security.tls.version.min;3).

Re: TLS 1.0 and 1.1 are slated for the chopping block

Posted: Sun Jan 27, 2019 5:45 pm
by grahamperrin
barbaz wrote:
Fri Oct 19, 2018 8:24 pm
… status of TLS 1.3 support in Waterfox. It's at least not enabled by default.

(FWIW Waterfox about:support says it uses NSS version 3.32.1) …
Hi, FYI https://github.com/MrAlex94/Waterfox/is ... -449894974