Firefox 74 Rejects TLS 1.0 and 1.1
On March 10th, Mozilla released the stable version of Firefox 74. The new version of Mozilla’s popular web browser features a security upgrade that’s more significant than most new versions typically have. TLS 1.0 and 1.1 are now disabled. Webpages and web apps still using those old versions of TLS will load in Firefox 74 with a “secure connection failed” error. With nearly 10% desktop market share, and the existence of many forks including Basilisk and Tor Browser, this move should help to discourage web developers from using outdated versions of TLS. And if that’s not enough to nudge developers to deploy TLS 1.2 or 1.3, Google dropped TLS 1.0 and 1.1 support in Chrome 72 in January 2019, and Apple dropped TLS 1.0 and 1.1 support in Safari for iOS on September 30th.
Most web browsers require TLS 1.2 and 1.3
So, with Firefox 74, most major web browsers now require TLS 1.2 or 1.3. TLS 1.1 is nearly fourteen years old, and TLS 1.0 is more than twenty years old! It’s not realistic to expect cryptographic standards to remain secure for that long. TLS 1.2 debuted in 2008, and TLS 1.3 in 2018. The widespread deployment of those standards is long overdue.
Venafi’s own Kevin Bocek recognizes the importance of dropping support for old versions of TLS in Firefox 74:
“TLS certificates are a vital type of machine identity, part of the system of online trust that our entire digital world is built on. They enable browsers and websites to know what can or can’t be trusted and communicate with each other securely. Yet the TLS 1 and 1.1 machine identity protocols are decades old and have been found to be vulnerable to a number of cryptographic attacks. Firefox’s decision to remove these outdated protocols is therefore a major boost for the security of its users.
Yet for the websites that still use these machine identities, Firefox 74 will force them into quickly replacing TLS 1 and 1.1 or face the prospect of greeting visitors to their websites with insecure warnings, which can damage their business as well as their credibility. Firefox’s move underlines just how important it is for businesses to be able to quickly find and replace outdated machine identities. With the other major browsers expected to follow suit, this level of cryptoagility is now more important than ever.”
What about downgrade attacks?
But what about downgrade attacks? That’s a type of cryptographic attack that downgrades the encryption of data in transit. The worst kinds of downgrade attacks force all ciphertext to transmit in cleartext, but downgrade attacks can also force data to transmit through a weaker form of encryption, such as WPA2 to WEP, or TLS 1.2 to TLS 1.1. Will Firefox 74 be susceptible?
The user can choose to enable TLS 1.0 and 1.1 in Firefox 74 on the “secure connection failed” error page. From Thyla van der Merwe on the Mozilla Hacks blog:
“In cases where only lower versions of TLS are supported, i.e., when the more secure TLS 1.2 and TLS 1.3 versions cannot be negotiated, we allow for a fallback to TLS 1.0 or TLS 1.1 via an override button...
As a user, you will have to actively initiate this override. But the override button offers you a choice. You can, of course, choose not to connect to sites that don’t offer you the best possible security.”
If a cyber attacker has remote access to a user’s endpoint, such as with malware, they may be able to initiate a downgrade attack by spoofing user input. But a lot of users may legitimately click on the button without a moment’s thought because they’re eager for their cat memes or whatever.
Man-in-the-middle attacks are also a common means for downgrade attacks. This can often be done by manipulating the Address Resolution Protocol (ARP) cache on a client machine, thus routing traffic through an attacker’s machine.
Security hardening measures against man-in-the-middle attacks should often prevent downgrade attacks on a user’s web traffic. But the only way to eliminate the possibility of downgrade attacks in Firefox 74 is to completely remove backwards compatibility for TLS 1.0 and 1.1.
Do you know if your organization is using any TLS 1.0 or 1.1 machine identities?free