Apple, Google, Microsoft Join Forces to Kill Legacy Web Security Protocol

Secure Code Review, web programming

A number of technology giants including Google, Microsoft, Apple and Mozilla are coming together to put an end of TLS 1.0, the Transport Layer Security standard that had its roots in 1999.

First reported by ArsTechnica, the unified approach sees the web giants looking to disable TLS 1.0 and 1.1 by March 2020.

TLS, or Transport Layer Security, is the fundamental protocol used to secure connections on the open internet. It is a crucial component, forming connections that are authenticated and tamper-proof, as well as confidential.

Apple’s WebKit blog elaborates on the details, with the Secure Transport team at the world’s most-valuable company explaining:

“Transport Layer Security (TLS) is a critical security protocol used to protect web traffic. It provides confidentiality and integrity of data in transit between clients and servers exchanging (often sensitive) information. To best safeguard this data, it is important to use modern and more secure versions of this protocol.”

The original TLS (1.0) was first published in January 1999 and was heavily based on Netscape’s SSL 3.0 protocol. It took another seven years for TLS 1.1 to take shape while TLS 1.2 quickly followed in 2008 with new capabilities. TLS 1.3 was most recently finalized in August.

While TLS 1.2 represents some 99.6 percent of all TLS connections made from Safari from an Apple perspective, over 94 percent of websites support TLS 1.2, according to the company.

“Now is the time to make this transition. Properly configured for App Transport Security (ATS) compliance, TLS 1.2 offers security fit for the modern web,” Apple said. “It is the standard on Apple platforms and represents 99.6% of TLS connections made from Safari. TLS 1.0 and 1.1 — which date back to 1999 — account for less than 0.36% of all connections.”

Image credit: LIFARS archive.