Apple Ending Safari Support for TLS 1.0 and 1.1 in March 2020

Discussion in 'Mac Blog Discussion' started by MacRumors, Oct 15, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    Apple today announced on its WebKit blog that it is ending support for TLS 1.0 and 1.1 starting in March 2020. TLS, or Transport Layer Security, is a security protocol used to protect web traffic.

    Ahead of the planned deprecation, Apple recommends apps adopt TLS 1.2, which offers "security fit for the modern web." Upgrading from TLS 1.0 and 1.1 provides the following benefits, according to Apple:
    TLS 1.2 is the standard on Apple platforms and already represents 99.6 percent of connections made from Safari. Apple says TLS 1.0 and 1.1 account for less than 0.36 percent of all connections.

    Other browsers, including Firefox, Chrome, and Microsoft's Edge, are also planning to drop TLS 1.0 and 1.1 support starting in early 2020.

    Article Link: Apple Ending Safari Support for TLS 1.0 and 1.1 in March 2020
     
  2. martyjmclean macrumors regular

    martyjmclean

    Joined:
    Jan 24, 2018
    Location:
    Sydney, NSW, Australia
    #2
    Curious to know what would happen to the small number of apps/pages that don't update to TLS 1.2? Will they just stop working?
     
  3. flyinmac macrumors 68040

    flyinmac

    Joined:
    Sep 2, 2006
    Location:
    United States
    #3
    Good... there’s no reason to allow less secure communication protocols to continue functioning. It defeats the purpose of implementing stronger, more secure protocols if we continue to allow weaker entry points to function.
     
  4. thisisnotmyname macrumors 68000

    thisisnotmyname

    Joined:
    Oct 22, 2014
    Location:
    known but velocity indeterminate
    #4
    1.0 and 1.1 have been broken for a very long time. This should absolutely be the case.
     
  5. Mr. Retrofire macrumors 603

    Mr. Retrofire

    Joined:
    Mar 2, 2010
    Location:
    www.emiliana.cl/en
    #5
  6. coolfactor macrumors 68040

    Joined:
    Jul 29, 2002
    Location:
    Vancouver, BC CANADA
    #6
    Yes. The browser would deny the request because it cannot negotiate a secure connection.
     
  7. eoblaed macrumors 68020

    eoblaed

    Joined:
    Apr 21, 2010
    #7
    Essentially.

    Which is a good thing.
     
  8. btrach144 macrumors 65816

    btrach144

    Joined:
    Aug 28, 2015
    #8
    Broken or just insecure? I thought 1.0 has been considered insecure for a long time. PCI compliance was updated earlier this year to require TLS 1.2.
     
  9. vmistery macrumors 6502a

    Joined:
    Apr 6, 2010
    Location:
    UK
    #9
    Honestly I’m surprised they are waiting until then. At work we went round and disabled everything below 1.2 both client and server side last year once Windows Vista went out of support (the last Windows OS to not support 1.2).
     
  10. kemal macrumors 65816

    kemal

    Joined:
    Dec 21, 2001
    Location:
    Nebraska
    #10
    This is being dragged out too long. Please give us a way to ok connections to <1.2 servers.
     
  11. eoblaed macrumors 68020

    eoblaed

    Joined:
    Apr 21, 2010
    #11
    Given that the reason for TLS to exist is to securely encrypt data, and that 1.0 and 1.1 don't do that, I think that could be considered broken.
     
  12. zakarhino macrumors demi-god

    zakarhino

    Joined:
    Sep 13, 2014
    Location:
    Bay Area, CA.
    #12
    This should've been done this year or next year at the latest. 2020 is too far off.
     
  13. chrisgeleven macrumors 6502

    Joined:
    Apr 28, 2002
    Location:
    Manchester, NH
    #13
    Yep. The TLS handshake would fail and the page won't load.
     
  14. thisisnotmyname macrumors 68000

    thisisnotmyname

    Joined:
    Oct 22, 2014
    Location:
    known but velocity indeterminate
    #14
    I thought it was both, being insecure because it had been broken. I could be wrong though.
     
  15. shareef777 macrumors 68020

    shareef777

    Joined:
    Jul 26, 2005
    Location:
    Chicago, IL
    #15
    Guess I’ll be stuck using ancient versions of Chrome/Firefox for a while longer. I get the reasons, but there are use cases in the enterprise realm where we need to connect to ancient internal systems. It’s not always easy upgrading a server due to various compatibility requirements.
     
  16. GenesisST macrumors 68000

    GenesisST

    Joined:
    Jan 23, 2006
    Location:
    Where I live
    #16
    The sad part is that if one brings it up to management, they would see 2020 as very far away and would never prioritize such an upgrade, even if it was easy.

    Then when 2020 comes, big surprise and everyone starts running like chickens without their heads...
     
  17. Lankyman macrumors 68000

    Joined:
    May 14, 2011
    Location:
    U.K.
    #17
    Chrome is already on 1.3, but then who still uses Safari anyway?
     
  18. liberte1776 macrumors regular

    Joined:
    Apr 3, 2014
    #18
    So is there a command line option to disable TLS 1.0 & 1.1 NOW?! There is no option in Safari...
     
  19. fairuz, Oct 16, 2018
    Last edited: Oct 16, 2018

    fairuz macrumors 68000

    fairuz

    Joined:
    Aug 27, 2017
    Location:
    San Jose and Berkeley, CA
    #19
    If you ask me, insecure/broken crypto should never be used. Sorry if this is presumptuous, but I'm not aware of anyone who disagrees, so I'm surprised it took so long to kill TLS 1.1.
    --- Post Merged, Oct 16, 2018 ---
    I think Chrome still supported 1.0 until now. Same as Safari.

    Who uses Safari? People who want to save their battery and are aware that Chrome uses way more energy to run (at least 2X while in use and 5-10X idle). Other than that they're about the same, give or take features. Safari has Reader Mode; Chrome has cross-platform sync.
    --- Post Merged, Oct 16, 2018 ---
    Can you use plain HTTP for those? I can imagine services that _only_ have an HTTPS endpoint with TLS ≤1.1, in which case they're screwed.
    --- Post Merged, Oct 16, 2018 ---
    When HTTPS was new, most sites let you choose whether to use it or plain HTTP. Google did this for a while. Maybe those old ones will still let you choose.
     
  20. locust76 macrumors 6502a

    Joined:
    Jan 23, 2009
    #20
    Yep.
    --- Post Merged, Oct 16, 2018 ---
    I may be wrong, but I haven't heard anything about TLS 1.0 or 1.1 being broken... more that they're just obsolete. Better to phase them out gracefully instead of running into a brick wall at full speed like what happened with SSLv3.
    --- Post Merged, Oct 16, 2018 ---
    I wouldn't do that if you enjoy surfing the web.

    For Windows PCs, you can direct the OS (Microsoft apps) as to which TLS versions to accept, so I would imagine for Mac it's the same.
     
  21. shareef777 macrumors 68020

    shareef777

    Joined:
    Jul 26, 2005
    Location:
    Chicago, IL
    #21
    No, many systems are HTTPS only. On a Windows VDI that I use, I've got SeaMonkey running to get me into some systems that are so old that I can't find an older version of Chrome to work with it.
     
  22. fairuz macrumors 68000

    fairuz

    Joined:
    Aug 27, 2017
    Location:
    San Jose and Berkeley, CA
    #22
    That is unfortunate.
     
  23. shareef777 macrumors 68020

    shareef777

    Joined:
    Jul 26, 2005
    Location:
    Chicago, IL
    #23
    That's the wide world of enterprise, where you'll have billion-dollar organizations not wanting to spend $10k to rebuild/deploy an ancient and insecure system.
     
