Now would be a good time to update your browser
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Now would be a good time to update your browser

With a major PCI DSS deadline looming, some older browser versions might be unable to make secure connections

I know all of you are meticulous about keeping your browsers up to date, but hypothetically, if one was running on older browser versions, perhaps on a legacy system, now would be the time to either update or upgrade. There is an important Payment Card Industry (PCI) deadline on June 30 that requires all websites that acccept payment cards (credit and debit cards) to stop supporting TLS 1.0.

That means your browser needs to support TLS 1.1 or higher to continue making secure connections with these websites. And without a secure connection, you’re not getting in.

Now, while the PCI Security Standards Council is not mandating it, it is suggesting that websites also deprecate TLS 1.1. Both TLS 1.0 and TLS 1.1 have known vulnerabilities. So the smart move would be to update, or move to a browser that supports TLS 1.2.

What are the vulnerabilies with TLS 1.0 and TLS 1.1?

There are two fairly infamous vulnerabilities that take advantage of older TLS versions and the outmoded SSL versions (3.0 and 2.0). The first is called Padding Oracle on Downgraded Legacy Encryption or POODLE. The unfortunately named attack is a form of Man in the Middle where attackers can take advantage of clients’ fallback to older SSL or TLS versions. The vulnerability originally was found to affect SSL 3.0, but a TLS exploit was disclosed soon after.

The other, Browser Exploit Against SSL/TLS or BEAST. The BEAST attack is a little more complicated and requires several conditions be met before it’s viable, but it provides a way to extract unencrypted plaintext from an encrypted connection. TLS 1.0 was vulnerable, but the issue was addressed in TLS 1.1.

Here’s how the PCI SSC put it:

According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.

Again, though the PCI DSS didn’t mandate it, the suggestion was to disable TLS 1.1, too.

Is TLS 1.2 widely supported?

Amongst modern devices and browsers? Yes. On older systems and devices? Not always. And frankly, this is an issue that has a couple of competing viewpoints. On the one hand you have the more cost-minded, business-first camp that points to the expense that would be incurred by many enterprises in upgrading all of their systems and tech. On the other hand you have the security-minded camp that rightly says not upgrading to the latest versions is playing with fire.

SSL/TLS implementations are just like any other cybersecurity product, you have to continuously update them or else you’re going to be susceptible to known exploits. Equifax got absuloutely lit up because it had failed to patch and update its systems on a regular basis. Why would your connection security not be held to the same standards?

And just to drive that point home a little further, the major update Equifax missed was less than a year old. By comparison, here’s a timeline of SSL/TLS versions:

Protocol Published
SSL 1.0 Unpublished
SSL 2.0 1995
SSL 3.0 1996
TLS 1.0 1999
TLS 1.1 2006
TLS 1.2 2008
TLS 1.3 2018

If you glance at TLS 1.2 you will see that it was published in 2008. So, ten years ago. A decade. There really is no good excuse for anyone not to support to TLS 1.2 by now.

How do I know if I need to upgrade my browser?

If you’re running a recent version of any major browser you will be fine. But there are still some steps you can take to eliminate support for older SSL/TLS versions on the client side. Below, for each major browser you will find a table showing TLS version support across its update history, as well as how to disable support for older versions in your settings.

Google Chrome TLS Version Support

Browser Version Platforms TLS protocols
TLS 1.0 TLS 1.1 TLS 1.2
Google Chrome
(Chrome for Android)
1–9 Windows (XP SP2+)
OS X (10.7+)
Linux
Android (4.0+)
iOS (7.0+)
Chrome OS
Yes No No
10–20 Yes No No
21 Yes No No
22–25 Yes Yes No
26–29 Yes Yes No
30–32 Yes Yes Yes
33–37 Yes Yes Yes
38–39 Yes Yes Yes
40 Yes Yes Yes
41, 42 Yes Yes Yes
43 Yes Yes Yes
44 Yes Yes Yes

Here’s how to enable or disable older SSL/TLS versions on Google Chrome.

  1. Click the Triple-Dot icon in the top-right corner of the screen
  2. Select Settings
  3. Scroll to the bottom and click “Show Advanced Settings”
  4. Scroll down to “System,” click “Open Proxy Settings”
  5. Click the Advanced Tab all the way to the right
  6. Scroll to the bottom and you will see the option to use or disable TLS versions
  7. Make sure to disable SSL 3.0 and TLS 1.0, we suggest disabling TLS 1.1, too
  8. Click OK
  9. Restart your browser

Mozilla Firefox TLS Version Support

Browser Version Platforms TLS 1.0 TLS 1.1 TLS 1.2
Mozilla Firefox
(Firefox for mobile)
1.0 Windows (XP SP2+)
OS X (10.6+)
Linux
Android (2.3+)
Firefox OS
iOS (alpha)
MaemoESR only for:
Windows (XP SP2+)
OS X (10.6+)
Linux
Yes No No
1.5 Yes No No
2 Yes No No
3–7 Yes No No
8–10
ESR 10
Yes No No
11–14 Yes No No
15–22 Yes No No
ESR 17 Yes No No
23 Yes Disabled by default No
24, 25.0.0 Yes Disabled by default Disabled by default
25.0.1, 26
ESR 24
Yes Disabled by default Disabled by default
27–33
ESR 31.0–31.2
Yes Yes Yes
ESR 31.3–31.6 Yes Yes Yes
34, 35 ESR 31.7
ESR 31.8 Yes Yes Yes
36, 37 38
ESR 38.0
Yes Yes Yes
ESR 38.1 Yes Yes Yes
39 Yes Yes Yes

Here’s how to enable or disable older SSL/TLS versions on Mozilla Firefox:

  1. Type About:Config into the address bar
  2. Click through the warning about your warranty – this won’t void it
  3. Select “security.tls.version.min” and double-click on it
  4. Change the integer in the field to 2 to disable support for all older versions up to TLS 1.2

Microsoft Internet Explorer and Edge TLS Version Support

Browser Version Platforms TLS 1.0 TLS 1.1 TLS 1.2
Microsoft Internet Explorer 1.x Windows 3.1,95,NT
Mac OS 7, 8
2 No No No
3 No No No
4, 5 Windows 3.1,95, 98,NT
Mac OS 7.1,8, X,
Solaris,HP-UX
Disabled by default No No
6 Windows 98,ME, NT,2000
6 Windows XP Disabled by default No No
6 Server 2003 Disabled by default No No
7, 8 Windows XP Yes No No
7, 8 Server 2003 Yes No No
7, 8 9 Windows Vista Yes No No
Server 2008
8, 9, 10 Windows 7 Yes Disabled by default Disabled by default
Server 2008 R2
10 Windows 8 Yes Disabled by default Disabled by default
10 Server 2012
11 Windows 7 Yes Yes Yes
Server 2008 R2
11 Windows 8.1 Yes Yes Yes
Server 2012 R2
Microsoft Edge Edge
(including IE11 as fallback)
Windows 10
(desktop/mobile)
Yes Yes Yes
Microsoft Internet Explorer Mobile 7, 9 Windows Phone 7, 7.5, 7.8 Yes No No
10 Windows Phone 8 Yes Disabled by default Disabled by default
11 Windows Phone 8.1 Yes Yes Yes

Here’s how to enable or disable older SSL/TLS versions on Microsoft Edge and Internet Explorer:

  1. In the menu bar, click “Tools”
  2. Select “Internet Options” and click the Advanced tab
  3. Scroll down to the Security section
  4. Toggle the boxes of the version you want to support, make sure to disable all old SSL versions and TLS 1.0. We suggest deprecating TLS 1.1, too.

Apple Safari TLS Version Support

Browser Version Platforms TLS 1.0 TLS 1.1 TLS 1.2
Apple Safari 1 Mac OS X10.2, 10.3 Yes No No
2–5 Mac OS X10.4, 10.5, Win XP Yes No No
3–5 Vista,Win 7 Yes No No
4–6 Mac OS X10.6, 10.7 Yes No No
6 OS X 10.8 Yes No No
7 OS X 10.9 Yes Yes Yes
8 OS X 10.10 Yes Yes Yes
9 OS X 10.11 Yes Yes Yes
Apple Safari
(mobile)
3 iPhone OS 1, 2 Yes No No
4, 5 iPhone OS 3,iOS 4 Yes No No
5, 6 iOS 5, 6 Yes Yes Yes
7 iOS 7 Yes Yes Yes
8 iOS 8 Yes Yes Yes
9 iOS 9 Yes Yes Yes

Apple Safari doesn’t offer options for configuring SSL/TLS version support, you have to take what Apple gives you.

Final Thoughts

Part of the blame for the slow rollout of TLS 1.2 falls with the industry.  We need to do a better job of educating people about connection security and why it deserves the same level of consideration as any other security implementation. Providing the best possible service doesn’t stop with the issuance of a certificate. It needs to be more holistic. TLS 1.3 is ready to go.

Let’s not wait until 2028 to start talking about making it ubiquitous.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.