TLS 1.0 and 1.1 are slated for the chopping block

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

TLS 1.0 and 1.1 are slated for the chopping block

Post by barbaz »

https://arstechnica.com/gadgets/2018/10 ... d-tls-1-0/

I can understand deprecating TLS 1.0, and in fact disable it in my own browser much of the time. But are there specific problem(s) with TLS 1.1 that result in it being deprecated as well?
*Always* check the changelogs BEFORE updating that important software!
-
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by therube »

I don't recall what the reason was for 1.1.
Perhaps POODLE or something like that?

Anyhow, you should be using 1.3 ;-).
(SeaMonkey 2.49 does not support the latest draft [or final]. SeaMonkey 2.53 should support the latest draft [if not the final].)

Can TLS 1.3 be enabled in Fx 52.9 ESR?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.5
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by GµårÐïåñ »

About time, they have coddled everyone long enough. 1.1 is vulnerable and 1.2 is the lowest secure at the moment, so might as well pull the bandaid.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; rv:62.0) Gecko/20100101 Firefox/66.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by barbaz »

therube wrote: Anyhow, you should be using 1.3 ;-).
I have no idea the status of TLS 1.3 support in Waterfox. It's at least not enabled by default.

(FWIW Waterfox about:support says it uses NSS version 3.32.1)

EDIT It seems not supported yet. Setting security.tls.version.max to 4 and trying to connect to https://tls13.crypto.mozilla.org/ doesn't work. And TLS 1.3 final support isn't implemented in NSS until version 3.39 - https://developer.mozilla.org/docs/Mozi ... n_NSS_3.39
GµårÐïåñ wrote: 1.1 is vulnerable
What vulnerabilities specifically?
*Always* check the changelogs BEFORE updating that important software!
-
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by GµårÐïåñ »

barbaz wrote:
therube wrote: Anyhow, you should be using 1.3 ;-).
I have no idea the status of TLS 1.3 support in Waterfox. It's at least not enabled by default.

It is in draft and, while much better, has a lot of implementation to get out of the way first; 1.2 is the best and most secure hover point for now.

barbaz wrote: What vulnerabilities specifically?

More like rotted foundation, even though the structure is still standing. There is no "real" security issue in TLS 1.1 that TLS 1.2 fixes. However, there are changes and improvements, which can be argued to qualify as "fixing". Mainly: The PRF in TLS 1.1 is based on a combination of MD5 and SHA-1. Both MD5 and SHA-1 are, as cryptographic hash functions, broken. However, the way in which they are broken does not break the PRF of TLS 1.1. There is no known weakness in the PRF of TLS 1.1 (nor, for that matter, in the PRF of SSL 3.0 and TLS 1.0). Nevertheless, MD5 and SHA-1 are "bad press". TLS 1.2 replaces both with SHA-256 (well, actually it could be any other hash function, but in practice it is SHA-256).
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; rv:62.0) Gecko/20100101 Firefox/66.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by barbaz »

Thanks GµårÐïåñ
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by kukla »

For Waterfox, from https://www.ssllabs.com/ssltest/viewMyClient.html

Not good if it allows 1.0. Just set security.tls from 1 to 3 (security.tls.version.min;3)

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0; Waterfox) Gecko/20100101 Firefox/56.2.5
grahamperrin
Posts: 11
Joined: Sun Jan 27, 2019 5:39 pm

Re: TLS 1.0 and 1.1 are slated for the chopping block

Post by grahamperrin »

barbaz wrote: Fri Oct 19, 2018 8:24 pm … status of TLS 1.3 support in Waterfox. It's at least not enabled by default.

(FWIW Waterfox about:support says it uses NSS version 3.32.1) …
Hi, FYI https://github.com/MrAlex94/Waterfox/is ... -449894974
Mozilla/5.0 (X11; FreeBSD amd64; rv:65.0) Gecko/20100101 Firefox/65.0 Waterfox/56.2.7