COVID-19 forces browser makers to continue supporting TLS 1.0

In one of the strangest stories of the year, the COVID-19 virus has halted plans by major browsers to drop support for the ageing and insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols.

Mozilla Firefox and Google’s Chrome developers sneaked out the move in recent days with only Microsoft Edge team bothering to formally announce the sudden reprieve on Tuesday.

In fairness, with COVID-19 throwing development schedules into minor chaos browser development teams probably have other things on their minds right now anyway.

While a temporary delay, it’s still an unexpected retreat for an industry which had showed unity in collectively deciding to banish TLS 1.0 and the lesser used TLS 1.1 by early 2020.

TLS, of course, is the protocol used to encrypt network communication, most prominently the HTTPS used by web browsers to connect securely to websites.

While TLS 1.2 and the recent 1.3 are now widely supported, versions 1.0 and 1.1 are now so old they’ve accumulated numerous weaknesses that render them insecure.

Attacks have included BEAST in 2011, Lucky Thirteen in 2013, and the POODLE SSL downgrade attack from 2014, and several others. Things got so bad the PCI DSS compliance standards were updated to insist that servers taking credit card payments stop supporting it in 2018 at the risk of big fines.

But what’s this got to do with COVID-19?

That’s less well explained, with Microsoft referring only to “current global circumstances”. Mozilla was more forthcoming:

We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.

That’s a polite way of saying that, prior to COVID-19, those sites would have been allowed to wither as users trying to visit them were confronted with warnings about the sites’ support for insecure protocols.

In other words, the seriousness of COVID-19, and the possibility that at least some people might try to visit these sites, has now overridden these concerns.

Ironically, this is the very issue that’s dogged the phasing out of support for TLS 1.0 – the annoying fact that some websites that should know better haven’t been turning off support, hence the need for browser makers to step in to do it from the client end.

The question is how long this logic can hold.

Officially, the three browser makers mentioned in this article have all said they plan to revert to plan A and drop support for TLS 1.0 and 1.1 by the late spring or summer. But what happens if COVID-19 is still a problem?

Assuming these sites offering COVID-19 advice haven’t banished TLS 1.0 and 1.1 by the cut offs, that could either force more delays or a decision to press ahead regardless.

The larger truth is abandoning anything in software has become difficult. When the moment comes, there are bound to be losers and holdouts.

It’s been the bane of operating systems, such as Windows and Android, for years. Now this phenomenon is repeating itself on a smaller scale in the normally obscure world of the protocols used to quietly secure traffic between browsers and websites.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.