Mozilla says that support for the insecure TLS 1.0 and TLS 1.1 protocols will be re-enabled in the latest version of Firefox to maintain access to government sites with COVID19 information that haven’t yet upgraded to TLS 1.2 or TLS 1.3.
“We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information,” Mozilla said today in an update to the Firefox 74.0 release notes.
Plans to remove TLS
TLS 1.0 and TLS 1.1 support was dropped with the release of Firefox 74.0 on March 10 to improve the security of website connections. Sites that don’t support TLS 1.2 or TLS 1.3 would show a “Secure connection failed” error page instead of their contents, along with an override ‘Enable TLS 1.0 and 1.1’ button for that website connection.
With more than 97% of the sites surveyed by Qualys SSL Labs supporting TLS 1.2 and TLS 1.3, the decision to retire the two protocols in favor of the newer and better supported TLS 1.2 and TLS 1.3 is logical, as they provide a more secure path forward.
According to TLS 1.0 and TLS 1.1 usage statistics at the time, the vast majority of users were no longer even using these protocols:
- Google reported that only 0.5% of HTTPS connections made by Chrome are using TLS 1.0 or TLS 1.1.
- Apple reported that on their platforms less than 0.36% of HTTPS connections made by Safari are using TLS 1.0 or TLS 1.1.
- Microsoft said that only 0.72% of secure connections made by Edge use TLS 1.0 or 1.1.
- Firefox had the largest share of connections, with 1.2% of all connections using TLS 1.0 or 1.1.
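A site operator can take the same kind of measurement on their own traffic before disabling TLS 1.0 and 1.1. The script below is an added example, not code from Mozilla or the original article: it computes the share of requests negotiated over legacy TLS and lists the clients still using it. It assumes an nginx access log whose format includes the `$ssl_protocol` variable; the log format, the sample lines and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. Assumed nginx log_format (not from the article):
#   '$remote_addr [$time_local] "$request" $status $ssl_protocol "$http_user_agent"'
SAMPLE_LOG = """\
203.0.113.10 [10/Mar/2020:09:00:01 +0000] "GET / HTTP/1.1" 200 TLSv1.3 "Mozilla/5.0 Firefox/74.0"
203.0.113.11 [10/Mar/2020:09:00:02 +0000] "GET / HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 Chrome/80.0"
198.51.100.7 [10/Mar/2020:09:00:03 +0000] "GET /status HTTP/1.1" 200 TLSv1 "legacy-client/1.0"
198.51.100.7 [10/Mar/2020:09:00:04 +0000] "GET /status HTTP/1.1" 200 TLSv1 "legacy-client/1.0"
192.0.2.44 [10/Mar/2020:09:00:05 +0000] "POST /api HTTP/1.1" 200 TLSv1.1 "old-sdk/2.3"
203.0.113.13 [10/Mar/2020:09:00:06 +0000] "GET / HTTP/1.1" 301 - "curl/7.68.0"
truncated line without protocol field
203.0.113.15 [10/Mar/2020:09:00:08 +0000] "GET / HTTP/1.1" 200 TLSv1.3 "Mozilla/5.0 Firefox/74.0"
"""

LEGACY = {"TLSv1", "TLSv1.1"}  # values nginx writes for TLS 1.0 and TLS 1.1
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[[^\]]+\] "[^"]*" \d{3} (?P<proto>\S+) "(?P<ua>[^"]*)"$'
)

def legacy_tls_report(log_text):
    """Return (legacy share in %, per-protocol Counter, {client ip: legacy hits})."""
    protocols = Counter()
    legacy_clients = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["proto"].startswith("TLSv"):
            continue  # skip malformed lines and plain-HTTP requests (logged as "-")
        protocols[m["proto"]] += 1
        if m["proto"] in LEGACY:
            legacy_clients[m["ip"]] += 1
    total = sum(protocols.values())
    legacy = sum(protocols[p] for p in LEGACY)
    share = round(100.0 * legacy / total, 2) if total else 0.0
    return share, protocols, dict(legacy_clients)

if __name__ == "__main__":
    share, protocols, clients = legacy_tls_report(SAMPLE_LOG)
    print(f"legacy TLS share: {share}% of {sum(protocols.values())} TLS requests")
    for ip, hits in sorted(clients.items()):
        print(f"  {ip}: {hits} request(s) over TLS 1.0/1.1")
```

The per-client breakdown matters as much as the percentage: a small share concentrated in a few integrations can be migrated directly, while a long tail of distinct clients suggests keeping legacy support longer.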
Hundreds of thousands of sites still rely on TLS 1.0 and TLS 1.1
Despite this, as Netcraft reported at the beginning of March 2020, over 850,000 websites are still using the outdated and insecure TLS 1.0 and TLS 1.1 protocols that expose users to a wide range of cryptographic attacks (1, 2) leading to their web traffic being decrypted by attackers.
“The use of TLS 1.0 on e-commerce websites as a measure for protecting user data has been forbidden by the Payment Card Industry Data Security Standard since June 2018, and many websites have already migrated,” Netcraft said.
However, seeing that Mozilla decided to bring back support for the two previously retired TLS protocols, there are enough government sites sharing information on the current coronavirus pandemic to warrant a reversal of the removal decision.