16 votes

Firefox will start deprecating TLS 1.0 and 1.1 with Firefox 74, releasing on March 10, 2020

7 comments

  1. [3]
    pseudolobster
    This is of course good news for the security of the web, but I can already see myself being annoyed by this. I'm picturing old intranet sites like router configuration pages being a problem. Once the ability to enable insecure protocols is disabled, I can see myself needing to keep around a VM with an old copy of FF with updates disabled.

    I recently encountered a similar problem with FileZilla no longer supporting obsolete or insecure ciphers while trying to SCP files to a very old, airgapped fileserver. Trying to install an old copy of FileZilla led to dependency hell, so I ended up needing a whole Debian 8 VM, since I couldn't find any other way of getting files off it.

    5 votes
    1. [2]
      Deimos
      (edited)
      I actually just saw a specific example of this the other day. I was thinking about whether there was a good way to track games that I play, and remembered The Backloggery, a site that I used to use for that over 10 years ago.

      I was looking around the site a little, and noticed that they're working on a new version. The developer made a post on Patreon a few weeks ago saying that he's worried that he's running out of time to get the new version finished, because the site currently uses TLS 1.0/1.1, and he doesn't think he'll be able to upgrade it without also breaking a lot of other things. I don't know how valid that is overall, but I also can't really judge someone for an old hobby/side-project site being a tangled mess.

      Dropping support for these old versions is definitely a good thing overall, but there's at least one example of a "real" site that's getting hurt by this transition.

      5 votes
      1. Silbern
        I'm not sure that dropping support entirely is really the right thing to do tbh. I'd much rather see them keep the capability in the browser, but just display a warning message when it's in use. Limiting the capabilities of the user is almost always a bad thing imo, and especially since TLS doesn't have the kind of crippling security flaws that SSL 3 and prior do, for example, it's not really justified.

        1 vote
  2. [2]
    666
    I've tried disabling TLS 1.0 and 1.1 on my Firefox (stable) and browsing with it for a few weeks. The number of websites I frequently visit that stopped working was 0, and I think I only remember 1 or 2 websites that didn't work at all. Edit: I agree with OP, it's going to be a problem for old routers and modems, but most of those can also be accessed using plain HTTP or Telnet (you shouldn't, but you can still configure them if you really need to).

    3 votes
    1. pseudolobster
      I was curious so I decided to try this out. Took about an hour and a half before I ran into a broken site, and I've mostly been making/eating dinner and watching YouTube videos during that time.

      There's an article on the front page right now about the US creating a national uranium reserve. The article claims that a great deal of uranium on the market comes from China and Russia. I always thought Canada was one of the largest exporters. I wanted to test that claim so I searched for "global uranium market" and the top result on ddg gives me:

      An error occurred during a connection to world-nuclear.org. Peer using unsupported version of security protocol.

      Error code: SSL_ERROR_UNSUPPORTED_VERSION

      World Nuclear Association appears to be a legitimate nonprofit entity, and their site seems pretty authoritative on these matters; it's not just some random fly-by-night blog.

      I'm really glad they provide a button to enable older versions. My guess is they won't be able to remove that button for a while yet.

      5 votes
  3. ffmike
    I run Firefox Nightly, so this has been on for me for a while. The only time I've ever seen that warning was in screenshots. I am a voracious web browser, but I tilt towards tech sites, so I'm sure my browser history is biased towards more recent stacks.

    JADP.

    1 vote
  4. hwb
    I run into this error quite a bit in the Firefox Beta builds, actually -- maybe 3 to 5 per day. The most common offenders for me are academic and research-related sites, especially those related to academic conferences or university websites. The IEEE, surprisingly, is a common offender, even for conferences related to network security!

    My hope is that once this change percolates out more, these services will be encouraged to invest the time to actually update their server configs, and we can live with it in the meantime by enabling permission versions.

    1 vote