Now would be a good time to update your browser
With a major PCI DSS deadline looming, some older browser versions might be unable to make secure connections
I know all of you are meticulous about keeping your browsers up to date, but hypothetically, if one were running an older browser version, perhaps on a legacy system, now would be the time to either update or upgrade. There is an important Payment Card Industry (PCI) deadline on June 30 that requires all websites that accept payment cards (credit and debit cards) to stop supporting TLS 1.0.
That means your browser needs to support TLS 1.1 or higher to continue making secure connections with these websites. And without a secure connection, you’re not getting in.
Now, while the PCI Security Standards Council is not mandating it, it is suggesting that websites also deprecate TLS 1.1. Both TLS 1.0 and TLS 1.1 have known vulnerabilities. So the smart move would be to update, or move to a browser that supports TLS 1.2.
What are the vulnerabilities with TLS 1.0 and TLS 1.1?
There are two fairly infamous vulnerabilities that take advantage of older TLS versions and the outmoded SSL versions (3.0 and 2.0). The first is called Padding Oracle on Downgraded Legacy Encryption, or POODLE. The unfortunately named attack is a form of Man in the Middle in which attackers take advantage of clients’ fallback to older SSL or TLS versions. The vulnerability was originally found to affect SSL 3.0, but a TLS exploit was disclosed soon after.
The other is Browser Exploit Against SSL/TLS, or BEAST. The BEAST attack is a little more complicated and requires that several conditions be met before it’s viable, but it provides a way to extract unencrypted plaintext from an encrypted connection. TLS 1.0 was vulnerable, but the issue was addressed in TLS 1.1.
Here’s how the PCI SSC put it:
Again, though the PCI DSS didn’t mandate it, the suggestion was to disable TLS 1.1, too.
Is TLS 1.2 widely supported?
Amongst modern devices and browsers? Yes. On older systems and devices? Not always. And frankly, this is an issue that has a couple of competing viewpoints. On the one hand you have the more cost-minded, business-first camp that points to the expense that would be incurred by many enterprises in upgrading all of their systems and tech. On the other hand you have the security-minded camp that rightly says not upgrading to the latest versions is playing with fire.
SSL/TLS implementations are just like any other cybersecurity product: you have to continuously update them or you will be susceptible to known exploits. Equifax got absolutely lit up because it had failed to patch and update its systems on a regular basis. Why would your connection security not be held to the same standard?
And just to drive that point home a little further, the major update Equifax missed was less than a year old. By comparison, here’s a timeline of SSL/TLS versions:
| Protocol | Published |
|---|---|
| SSL 1.0 | Unpublished |
| SSL 2.0 | 1995 |
| SSL 3.0 | 1996 |
| TLS 1.0 | 1999 |
| TLS 1.1 | 2006 |
| TLS 1.2 | 2008 |
| TLS 1.3 | 2018 |
If you glance at TLS 1.2 you will see that it was published in 2008. So, ten years ago. A decade. There really is no good excuse for anyone not to support TLS 1.2 by now.
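As an added example (not code from the original post), here is a small Python check of the version a server actually commits to: it reads the negotiated version out of a ServerHello record, grades it against the June 30 cut-off described above, and can also offer a live server one version at a time. The host you pass to `probe` and the constructed sample handshake built by `make_server_hello` are assumptions; real records would come from your own traffic.

```python
"""TLS version checks for the PCI cut-off the article describes; example code added here, not the article's."""
import socket
import ssl
import struct

# On-the-wire version codes: SSL 3.0 is 0x0300, TLS 1.0..1.3 are 0x0301..0x0304.
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def make_server_hello(version: int, extensions: bytes = b"") -> bytes:
    """Build a minimal ServerHello record (constructed sample input for the tests)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00\x00\x2f\x00"  # version, random, sid, suite, comp
    body += (struct.pack("!H", len(extensions)) + extensions) if extensions else b""
    hs = b"\x02" + len(body).to_bytes(3, "big") + body                   # handshake type 2 + 3-byte length
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs             # record type 22, legacy version

def negotiated_version(record: bytes) -> str:
    """TLS 1.0-1.2 put the chosen version in the ServerHello body; TLS 1.3 leaves
    0x0303 there and announces itself in the supported_versions extension (0x002b)."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS ServerHello record")
    body = record[9:]                                   # skip 5-byte record + 4-byte handshake headers
    version = struct.unpack("!H", body[:2])[0]
    if version == 0x0303 and len(body) > 34:            # may really be 1.3: walk the extensions
        pos = 35 + body[34] + 3                         # past version(2), random(32), sid(1+n), suite(2), comp(1)
        if len(body) >= pos + 2:
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
                if ext_type == 0x002B and ext_len == 2:
                    version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
                pos += 4 + ext_len
    return NAMES.get(version, f"unknown (0x{version:04x})")

def pci_verdict(version: str) -> str:
    """'fail' below the June 30 cut-off, 'warn' for TLS 1.1 (the PCI SSC suggests dropping it too), else 'ok'."""
    return "fail" if version in ("SSL 3.0", "TLS 1.0") else "warn" if version == "TLS 1.1" else "ok"

def probe(host: str, port: int = 443) -> dict:
    """Offer a live server one version per attempt (network; not run by the tests). A refusal may also be local OpenSSL policy."""
    results = {}
    for name, ver in (("TLS 1.0", ssl.TLSVersion.TLSv1), ("TLS 1.1", ssl.TLSVersion.TLSv1_1), ("TLS 1.2", ssl.TLSVersion.TLSv1_2)):
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=5) as s, ctx.wrap_socket(s, server_hostname=host):
                results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results
```

A site that still returns `True` for "TLS 1.0" from `probe` is the case the deadline is about; `negotiated_version` lets you grade a captured handshake the same way without touching the network.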
How do I know if I need to upgrade my browser?
If you’re running a recent version of any major browser you will be fine. But there are still some steps you can take to eliminate support for older SSL/TLS versions on the client side. Below, for each major browser you will find a table showing TLS version support across its update history, as well as how to disable support for older versions in your settings.
Google Chrome TLS Version Support
| Browser | Version | Platforms | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|---|---|
| Google Chrome (Chrome for Android) | 1–9 | Windows (XP SP2+), OS X (10.7+), Linux, Android (4.0+), iOS (7.0+), Chrome OS | Yes | No | No |
| | 10–20 | | Yes | No | No |
| | 21 | | Yes | No | No |
| | 22–25 | | Yes | Yes | No |
| | 26–29 | | Yes | Yes | No |
| | 30–32 | | Yes | Yes | Yes |
| | 33–37 | | Yes | Yes | Yes |
| | 38–39 | | Yes | Yes | Yes |
| | 40 | | Yes | Yes | Yes |
| | 41, 42 | | Yes | Yes | Yes |
| | 43 | | Yes | Yes | Yes |
| | 44 | | Yes | Yes | Yes |
Here’s how to enable or disable older SSL/TLS versions on Google Chrome.
- Click the Triple-Dot icon in the top-right corner of the screen
- Select Settings
- Scroll to the bottom and click “Show Advanced Settings”
- Scroll down to “System,” click “Open Proxy Settings”
- Click the Advanced Tab all the way to the right
- Scroll to the bottom and you will see the option to use or disable TLS versions
- Make sure to disable SSL 3.0 and TLS 1.0; we suggest disabling TLS 1.1, too
- Click OK
- Restart your browser
Mozilla Firefox TLS Version Support
| Browser | Version | Platforms | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|---|---|
| Mozilla Firefox (Firefox for mobile) | 1.0 | Windows (XP SP2+), OS X (10.6+), Linux, Android (2.3+), Firefox OS, iOS (alpha), Maemo; ESR only for Windows (XP SP2+), OS X (10.6+), Linux | Yes | No | No |
| | 1.5 | | Yes | No | No |
| | 2 | | Yes | No | No |
| | 3–7 | | Yes | No | No |
| | 8–10, ESR 10 | | Yes | No | No |
| | 11–14 | | Yes | No | No |
| | 15–22 | | Yes | No | No |
| | ESR 17 | | Yes | No | No |
| | 23 | | Yes | Disabled by default | No |
| | 24, 25.0.0 | | Yes | Disabled by default | Disabled by default |
| | 25.0.1, 26, ESR 24 | | Yes | Disabled by default | Disabled by default |
| | 27–33, ESR 31.0–31.2 | | Yes | Yes | Yes |
| | ESR 31.3–31.6 | | Yes | Yes | Yes |
| | 34, 35, ESR 31.7 | | Yes | Yes | Yes |
| | ESR 31.8 | | Yes | Yes | Yes |
| | 36, 37 | | Yes | Yes | Yes |
| | 38, ESR 38.0 | | Yes | Yes | Yes |
| | ESR 38.1 | | Yes | Yes | Yes |
| | 39 | | Yes | Yes | Yes |
Here’s how to enable or disable older SSL/TLS versions on Mozilla Firefox:
- Type About:Config into the address bar
- Click through the warning about your warranty – this won’t void it
- Select “security.tls.version.min” and double-click on it
- Change the integer in the field to 2 to disable support for all older versions up to TLS 1.2
Microsoft Internet Explorer and Edge TLS Version Support
| Browser | Version | Platforms | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|---|---|
| Microsoft Internet Explorer | 1.x | Windows 3.1, 95, NT; Mac OS 7, 8 | No | No | No |
| | 2 | | No | No | No |
| | 3 | | No | No | No |
| | 4, 5 | Windows 3.1, 95, 98, NT; Mac OS 7.1, 8, X; Solaris; HP-UX | Disabled by default | No | No |
| | 6 | Windows 98, ME, NT, 2000, XP | Disabled by default | No | No |
| | 6 | Server 2003 | Disabled by default | No | No |
| | 7, 8 | Windows XP | Yes | No | No |
| | 7, 8 | Server 2003 | Yes | No | No |
| | 7, 8, 9 | Windows Vista, Server 2008 | Yes | No | No |
| | 8, 9, 10 | Windows 7, Server 2008 R2 | Yes | Disabled by default | Disabled by default |
| | 10 | Windows 8, Server 2012 | Yes | Disabled by default | Disabled by default |
| | 11 | Windows 7, Server 2008 R2 | Yes | Yes | Yes |
| | 11 | Windows 8.1, Server 2012 R2 | Yes | Yes | Yes |
| Microsoft Edge | Edge (including IE11 as fallback) | Windows 10 (desktop/mobile) | Yes | Yes | Yes |
| Microsoft Internet Explorer Mobile | 7, 9 | Windows Phone 7, 7.5, 7.8 | Yes | No | No |
| | 10 | Windows Phone 8 | Yes | Disabled by default | Disabled by default |
| | 11 | Windows Phone 8.1 | Yes | Yes | Yes |
Here’s how to enable or disable older SSL/TLS versions on Microsoft Edge and Internet Explorer:
- In the menu bar, click “Tools”
- Select “Internet Options” and click the Advanced tab
- Scroll down to the Security section
- Toggle the boxes of the versions you want to support; make sure to disable all old SSL versions and TLS 1.0. We suggest deprecating TLS 1.1, too.
Apple Safari TLS Version Support
| Browser | Version | Platforms | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|---|---|
| Apple Safari | 1 | Mac OS X 10.2, 10.3 | Yes | No | No |
| | 2–5 | Mac OS X 10.4, 10.5; Windows XP | Yes | No | No |
| | 3–5 | Windows Vista, 7 | Yes | No | No |
| | 4–6 | Mac OS X 10.6, 10.7 | Yes | No | No |
| | 6 | OS X 10.8 | Yes | No | No |
| | 7 | OS X 10.9 | Yes | Yes | Yes |
| | 8 | OS X 10.10 | Yes | Yes | Yes |
| | 9 | OS X 10.11 | Yes | Yes | Yes |
| Apple Safari (mobile) | 3 | iPhone OS 1, 2 | Yes | No | No |
| | 4, 5 | iPhone OS 3, iOS 4 | Yes | No | No |
| | 5, 6 | iOS 5, 6 | Yes | Yes | Yes |
| | 7 | iOS 7 | Yes | Yes | Yes |
| | 8 | iOS 8 | Yes | Yes | Yes |
| | 9 | iOS 9 | Yes | Yes | Yes |
Apple Safari doesn’t offer options for configuring SSL/TLS version support; you have to take what Apple gives you.
Final Thoughts
Part of the blame for the slow rollout of TLS 1.2 falls with the industry. We need to do a better job of educating people about connection security and why it deserves the same level of consideration as any other security implementation. Providing the best possible service doesn’t stop with the issuance of a certificate. It needs to be more holistic. TLS 1.3 is ready to go.
Let’s not wait until 2028 to start talking about making it ubiquitous.