TLS stands for Transport Layer Security, and it has a variety of versions out there in the wild. But Apple is aiming to trim the fat, so to speak.
Announced on Monday on its WebKit blog, Apple has confirmed it will be ending support for two of the security offering’s older versions. TLS 1.0 and TLS 1.1 will no longer be supported within Safari by March of 2020. The older versions of the security protocol that are designed to protect web traffic will be phased out, support wise within Safari, over the next year and additional months.
“Therefore, we are deprecating support for TLS 1.0 and 1.1. Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020. Firefox, Chrome, and Edge are also planning to drop TLS 1.0 and 1.1 support at that time. If you own or operate a web server that does not support TLS 1.2 or newer, please upgrade now. If you use legacy services or devices that cannot be upgraded, please let us know by contacting our Web Technologies Evangelist or by filing a bug report with details.”
As noted above, these older protocol versions are being dropped from the other major browsers out there as well. And, in light of the transition, Apple says the adoption of TLS 1.2 by third-party developers will provide the following:
- Modern cryptographic cipher suites and algorithms with desirable performance and security properties, e.g., perfect forward secrecy and authenticated encryption, that are not vulnerable to attacks such as BEAST.
- Removal of mandatory and insecure SHA-1 and MD5 hash functions as part of peer authentication.
- Resistance to downgrade-related attacks such as LogJam and FREAK.
Apple itself has supported TLS 1.2 now for quite some time. It already handles 99.6% of connections made from Safari:
“Now is the time to make this transition. Properly configured for App Transport Security (ATS) compliance, TLS 1.2 offers security fit for the modern web. It is the standard on Apple platforms and represents 99.6% of TLS connections made from Safari. TLS 1.0 and 1.1 — which date back to 1999 — account for less than 0.36% of all connections. With the recent finalization of TLS 1.3 by the IETF in August 2018, the proportion of legacy TLS connections will likely drop even further. TLS 1.2 is also required for HTTP/2, which delivers significant performance improvements for the web.”
A minor change, but an important one.