Google, Microsoft and Mozilla have each issued reprieves to Transport Layer Security (TLS) 1.0 and 1.1, aged encryption protocols that were to be bounced from browser support in March, because of the COVID-19 pandemic.
By common agreement, Google’s Chrome, Microsoft’s Internet Explorer (IE) and Edge, and Mozilla’s Firefox were to disable support for TLS 1.0 and 1.1 early in 2020. They, along with Apple – which produces Safari – announced the move a year and a half ago, noting then that the protocols had been made obsolete by TLS 1.2 and 1.3.
Apple, Google and Mozilla had committed to dropping support in March 2020, while Microsoft had only promised to purge TLS 1.0 and 1.1 sometime during the first half of this year.
But it was Microsoft that was most detailed about the TLS turnabout. “In light of current global circumstances, we will be postponing this planned change – originally scheduled for the first half of 2020,” Karl Pflug, of the Edge developer experience team, wrote in a post to a company blog.
(Microsoft has generally used the “current global circumstances” phrasing or something similar, rather than coming out and saying “COVID-19” or “coronavirus.”)
The plug-pulling of TLS 1.0 and 1.1 will only be delayed, Pflug continued. Edge – the newer, Chromium-based Edge, will reinstitute the banishment “no sooner” than Edge 84, currently slated to release around July 14. The older browsers in Microsoft’s inventory, IE11 and the legacy Edge, will disable the protocols by default as of Sept. 8.
Google will do things differently, even though, like Edge, it’s based on Chromium. Originally, Chrome 81 was to pose an interstitial warning users when they tried to reach a site encrypted with TLS 1.0 and 1.1; that version was supposed to appear March 17, but was postponed three weeks ago.
“Removal of TLS 1.0 and TLS 1.1 has been delayed to Chrome 83, which is expected to ship in late May 2020,” Google said in a document about Chrome feature and API deprecations. Chrome 83 – Google has already said it will skip version 82 – is scheduled to launch May 19.
Meanwhile, Mozilla chimed in, too, with more of an explanation than either of its rivals. Firefox 74, which debuted March 10, had disabled TLS 1.0 and TLS 1.1; sites that didn’t support TLS version 1.2 or greater showed an error page when users tried to reach them.
Mozilla rolled that change all back. “We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID-19 information,” Mozilla said in a revision to Firefox 74’s release notes. Mozilla did not cite examples of the sites it said continued to rely on the older protocols, nor set a timetable for eventually rolling back the roll-back.
Apple has not posted any news about how its Safari will deal with TLS 1.0 and 1.1 during the coronavirus crisis.
