Apple Ending Safari Support for TLS 1.0 and 1.1 in March 2020

MacRumors

macrumors bot
Original poster
Apr 12, 2001
7,469
8,524



Apple today announced on its WebKit blog that it is ending support for TLS 1.0 and 1.1 starting in March 2020. TLS, or Transport Layer Security, is the cryptographic protocol that encrypts and authenticates web traffic between a browser and a server; it is the "S" in HTTPS.

Ahead of the planned deprecation, Apple recommends that apps adopt TLS 1.2, which offers "security fit for the modern web." Upgrading from TLS 1.0 and 1.1 provides the following benefits, according to Apple:
- Modern cryptographic cipher suites and algorithms with desirable performance and security properties, e.g., perfect forward secrecy and authenticated encryption, that are not vulnerable to attacks such as BEAST.
- Removal of mandatory and insecure SHA-1 and MD5 hash functions as part of peer authentication.
- Resistance to downgrade-related attacks such as LogJam and FREAK.
TLS 1.2 is the standard on Apple platforms and already represents 99.6 percent of connections made from Safari. Apple says TLS 1.0 and 1.1 account for less than 0.36 percent of all connections.
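A practical way to check a configuration for the three cipher-suite properties Apple lists above (forward secrecy, authenticated encryption, and no MD5/SHA-1 MACs), written here as an added example; it is not code from the MacRumors article or from Apple's WebKit post. It uses only Python's standard ssl module: SSLContext.get_ciphers() reports each enabled suite's key exchange ("kea"), MAC digest and AEAD flag, which is enough to audit a suite list offline. The SAMPLE_SUITES records are constructed in that same shape so the audit runs without a network, and hardened_client_context() builds a client context with the same floor Safari will enforce (TLS 1.2) plus a suite list restricted to ECDHE and AEAD. Downgrade resistance against Logjam and FREAK comes from refusing export-grade key exchange and old protocol versions rather than from any single suite field, so the example covers it only through the version floor and the restricted cipher string.

```python
import ssl
from typing import Dict, Iterable, List

# Key-exchange long names OpenSSL reports for ephemeral (forward-secret) exchange.
# "kx-any" is what it reports for TLS 1.3 suites, whose key exchange is always ephemeral.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}
# MAC digests Apple calls out as removed from mandatory use in TLS 1.2.
WEAK_DIGESTS = {"md5", "sha1"}


def audit_cipher(suite: Dict) -> List[str]:
    """Return the problems with one suite record; an empty list means it has all
    three properties: forward secrecy, AEAD, and no MD5/SHA-1 MAC."""
    problems = []
    if suite.get("kea") not in FORWARD_SECRET_KX:
        problems.append("no forward secrecy (static key exchange)")
    if not suite.get("aead"):
        # MAC-then-encrypt CBC suites are the class that BEAST and Lucky Thirteen target.
        problems.append("not AEAD (CBC, MAC-then-encrypt)")
    digest = (suite.get("digest") or "").lower()
    if digest in WEAK_DIGESTS:
        problems.append(f"weak MAC digest {digest}")
    return problems


def audit_ciphers(suites: Iterable[Dict]) -> Dict[str, List[str]]:
    """Map each failing suite name to its problems; compliant suites are left out."""
    report: Dict[str, List[str]] = {}
    for suite in suites:
        problems = audit_cipher(suite)
        if problems:
            report[suite["name"]] = problems
    return report


# Constructed sample records in the shape of SSLContext.get_ciphers() output
# (keys trimmed to the ones the audit reads). 'protocol' is the lowest version the
# suite is defined for, which is why OpenSSL labels AES128-SHA as SSLv3.
SAMPLE_SUITES = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-rsa", "digest": None, "aead": True},
    {"name": "ECDHE-RSA-AES256-SHA", "protocol": "TLSv1",
     "kea": "kx-ecdhe", "auth": "auth-rsa", "digest": "sha1", "aead": False},
    {"name": "AES128-SHA", "protocol": "SSLv3",
     "kea": "kx-rsa", "auth": "auth-rsa", "digest": "sha1", "aead": False},
]


def hardened_client_context() -> ssl.SSLContext:
    """Client context with a TLS 1.2 floor and only ECDHE + AEAD suites for TLS 1.2.
    TLS 1.3 suites are configured separately by OpenSSL and are all ECDHE + AEAD."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret key exchange and AEAD only; the '!' terms are belt-and-braces.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!SHA1")
    return ctx


def check_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise a context: its protocol floor and any suites failing the audit."""
    return {
        "min_version": ctx.minimum_version.name,
        "failing_suites": audit_ciphers(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    for name, problems in audit_ciphers(SAMPLE_SUITES).items():
        print(f"{name}: {'; '.join(problems)}")
    print(check_context(hardened_client_context()))
```

Running the audit against a live context, as check_context() does, is the useful part: it reports what the local OpenSSL will actually offer, so the same function can be pointed at a server-side context to confirm that nothing in the CBC/SHA-1 class is still enabled.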

Other browsers, including Firefox, Chrome, and Microsoft's Edge, are also planning to drop TLS 1.0 and 1.1 support starting in early 2020.

Article Link: Apple Ending Safari Support for TLS 1.0 and 1.1 in March 2020
 

btrach144

macrumors 68000
Aug 28, 2015
1,630
3,585
1.0 and 1.1 have been broken for a very long time. This should absolutely be the case.
Broken or just insecure? I thought 1.0 has been considered insecure for a long time. PCI compliance was updated earlier this year to require TLS 1.2.
 

eoblaed

macrumors 68020
Apr 21, 2010
2,405
1,806
Broken or just insecure? I thought 1.0 has been considered insecure for a long time. PCI compliance was updated earlier this year to require TLS 1.2.
Given that the reason for TLS to exist is to securely encrypt data, and that 1.0 and 1.1 don't do that, I think that could be considered broken.
 

shareef777

Suspended
Jul 26, 2005
2,443
3,218
Chicago, IL
Guess I’ll be stuck using ancient versions of chrome/Firefox for a while longer. I get the reasons, but there are use cases in the enterprise realm where we need to connect to ancient internal systems. It’s not always easy upgrading a server due to various compatibility requirements.
 

GenesisST

macrumors 68000
Jan 23, 2006
1,704
580
Where I live
Guess I’ll be stuck using ancient versions of chrome/Firefox for a while longer. I get the reasons, but there are use cases in the enterprise realm where we need to connect to ancient internal systems. It’s not always easy upgrading a server due to various compatibility requirements.
The sad part is that if one brings it up to management, they would see 2020 as very far away and would never prioritize such an upgrade, even if it was easy.

Then when 2020 comes, big surprise, and everyone starts running around like chickens without their heads...
 

liberte1776

macrumors regular
Apr 3, 2014
233
224
So is there a command line option to disable TLS 1.0 & 1.1 NOW?! There is no option in Safari...
 

fairuz

macrumors 68020
Aug 27, 2017
2,166
2,285
Silicon Valley
If you ask me, insecure/broken crypto should never be used. Sorry if this is presumptuous, but I'm not aware of anyone who disagrees, so I'm surprised it took so long to kill TLS 1.1.

Chrome is already on 1.3, but then who still uses Safari anyway.
I think Chrome still supported 1.0 until now. Same as Safari.

Who uses Safari? People who want to save their battery and are aware that Chrome uses way more energy to run (at least 2X while in use and 5-10X idle). Other than that they're about the same, give or take features. Safari has Reader Mode; Chrome has cross-platform sync.

Guess I’ll be stuck using ancient versions of chrome/Firefox for a while longer. I get the reasons, but there are use cases in the enterprise realm where we need to connect to ancient internal systems. It’s not always easy upgrading a server due to various compatibility requirements.
Can you use plain HTTP for those? I can imagine services that _only_ have an HTTPS endpoint with TLS ≤1.1, in which case they're screwed.

Curious to know what would happen to the small amount of apps/pages that don't update to TLS 1.2? Will they just stop working?
When HTTPS was new, most sites let you choose whether to use it or plain HTTP. Google did this for a while. Maybe those old ones will still let you choose.
 

locust76

macrumors 6502a
Jan 23, 2009
678
71
Curious to know what would happen to the small amount of apps/pages that don't update to TLS 1.2? Will they just stop working?
Yep.

Broken or just insecure? I thought 1.0 has been considered insecure for a long time. PCI compliance was updated earlier this year to require TLS 1.2.
I may be wrong, but I haven't heard anything about TLS 1.0 or 1.1 being broken... more that they're just obsolete. Better to phase them out gracefully instead of running into a brick wall at full speed like what happened with SSLv3.

So is there a command line option to disable TLS 1.0 & 1.1 NOW?! There is no option in Safari...
I wouldn't do that if you enjoy surfing the web.

For Windows PCs, you can direct the OS (Microsoft apps) as to which TLS versions to accept, so I would imagine for Mac it's the same.
 

shareef777

Suspended
Jul 26, 2005
2,443
3,218
Chicago, IL
If you ask me, insecure/broken crypto should never be used. Sorry if this is presumptuous, but I'm not aware of anyone who disagrees, so I'm surprised it took so long to kill TLS 1.1.

I think Chrome still supported 1.0 until now. Same as Safari.

Who uses Safari? People who want to save their battery and are aware that Chrome uses way more energy to run (at least 2X while in use and 5-10X idle). Other than that they're about the same, give or take features. Safari has Reader Mode; Chrome has cross-platform sync.

Can you use plain HTTP for those? I can imagine services that _only_ have an HTTPS endpoint with TLS ≤1.1, in which case they're screwed.

When HTTPS was new, most sites let you choose whether to use it or plain HTTP. Google did this for a while. Maybe those old ones will still let you choose.
No, many systems are HTTPS only. On a Windows VDI that I use, I've got SeaMonkey running to get me into some systems that are so old that I can't find an older version of Chrome to work with it.
 