TLS 1.0 and 1.1 deprecation.

General project discussion.
Use this as a last resort if your topic does not fit in any of the other boards but it still on-topic.
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.

Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
User avatar
Moonraker
Board Warrior
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

TLS 1.0 and 1.1 deprecation.

Unread post by Moonraker » 2019-10-03, 08:31

https://www.ghacks.net/2019/10/02/tls-1 ... -warnings/

Seems google is planning issuing warnings in it's browser about TLS 1.0 and 1.1.
Judging from this these will be deprecated at some point but i would imagine thousands of sites on the web still use these protocols.

Good idea...?.
I know i can simply turn these off in pale moon but would it be prudent to do this now or wait until the googleplex decides it is time.

Any thoughts.?
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

User avatar
gepus
Keeps coming back
Keeps coming back
Posts: 938
Joined: 2017-12-14, 12:59

Re: TLS 1.0 and 1.1 deprecation.

Unread post by gepus » 2019-10-03, 09:25

Moonraker wrote:
2019-10-03, 08:31
Good idea...?.
I know i can simply turn these off in pale moon but would it be prudent to do this now or wait until the googleplex decides it is time.

Any thoughts.?
You might break lots of sites but that's up to you after all.
Also keep in mind that for many sites you visit, support for a modern cryptographic algorithm isn't even an imperative.

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Isengrim » 2019-10-03, 09:41

Does TLS 1.0 or 1.1 have any known vulnerabilities?
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

User avatar
gepus
Keeps coming back
Keeps coming back
Posts: 938
Joined: 2017-12-14, 12:59

Re: TLS 1.0 and 1.1 deprecation.

Unread post by gepus » 2019-10-03, 09:45

Isengrim wrote:
2019-10-03, 09:41
Does TLS 1.0 or 1.1 have any known vulnerabilities?
Nope AFAIK.

User avatar
Moonraker
Board Warrior
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonraker » 2019-10-03, 09:53

If the protocols are still secure then i see no reason to not use them but the eggheads in california deem them insecure by default.
Seeing as google has more or less muched the entire web up and gives the mere user it's marching orders or face the consequences then thank god for independant browsers like pale moon.

Does this have long term implications for forks and non google browsers...?
time will tell but considering the web must consist of a large majority of websites using this protocol then maybe not.!!

Google are even dictating drafts and standards on the W3C.
Free and open web...???..not on your nellie and what google says must go. :crazy: .
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

New Tobin Paradigm

Re: TLS 1.0 and 1.1 deprecation.

Unread post by New Tobin Paradigm » 2019-10-03, 10:19

Off-topic:
They have redefined the terms "free" and "open". Please see your political handler for the day's official definition.

User avatar
Moonraker
Board Warrior
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonraker » 2019-10-03, 10:49

Off-topic:
have all the lexicographers of the world been informed or have google got control of the english language too.!
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonchild » 2019-10-03, 11:30

I honestly don't get it. these warnings should be sent to server administrators as part of evangelism; what good is it to bother browser users with it?
The protocols themselves are not in any way broken or insecure, merely deprecated, as in something you really shouldn't be using anymore as a server operator. All important financial institutions have already been forced to use TLS 1.2 if they want to be ICS compliant, so...

This is kind of a self-created problem by the https-always-everywhere crowd: servers that might otherwise not have used TLS to begin with, now might be using older server software that doesn't support TLS 1.2 to serve over TLS. Those servers are likely not even in need of https, so what does it matter to the visitor whether they are using an older protocol for stuff that is not critical anyway?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
gepus
Keeps coming back
Keeps coming back
Posts: 938
Joined: 2017-12-14, 12:59

Re: TLS 1.0 and 1.1 deprecation.

Unread post by gepus » 2019-10-03, 12:22

Moonchild wrote:
2019-10-03, 11:30
I honestly don't get it. these warnings should be sent to server administrators as part of evangelism; what good is it to bother browser users with it?
PR activism meant to be addressed to the clueless user: "Watch out! We care about you and are making the Internet more secure!"
And the worst of it - such kind of cheap PR works! The crowd is buying the bullshit.

However, this time it can be a double-edged sword if some pages won't work and those testing with another browser will realize that the sky isn't falling when accessing those sites.

User avatar
moonbat
Knows the dark side
Knows the dark side
Posts: 4942
Joined: 2015-12-09, 15:45
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by moonbat » 2019-10-03, 13:15

gepus wrote:
2019-10-03, 12:22
However, this time it can be a double-edged sword if some pages won't work and those testing with another browser will realize that the sky isn't falling when accessing those sites.
Nobody(website operators, businesses, end users, security experts) cares about anything other than Chrome when it comes to testing or compatibility, these days.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Image
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonchild » 2019-10-03, 16:08

moonbat wrote:
2019-10-03, 13:15
Nobody(website operators, businesses, end users, security experts) cares about anything other than Chrome when it comes to testing or compatibility, these days.
If they test to begin with.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Moonraker
Board Warrior
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonraker » 2019-10-03, 18:14

moonbat wrote:
2019-10-03, 13:15
gepus wrote:
2019-10-03, 12:22
However, this time it can be a double-edged sword if some pages won't work and those testing with another browser will realize that the sky isn't falling when accessing those sites.
Nobody(website operators, businesses, end users, security experts) cares about anything other than Chrome when it comes to testing or compatibility, these days.
This reinforces my earlier comment.This just shows as the web further weaves itself into the future that non google software is going to be in a constant struggle.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

RJARRRPCGP
Lunatic
Lunatic
Posts: 400
Joined: 2015-06-22, 19:48
Location: USA (North Springfield, Vermont)
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by RJARRRPCGP » 2019-10-04, 00:01

Moonchild wrote:
2019-10-03, 11:30
Those servers are likely not even in need of https, so what does it matter to the visitor whether they are using an older protocol for stuff that is not critical anyway?
A good example, IIRC, are images, at least where I come from. At least malware-wise, I normally don't get worried about images hosted on plain-Jane HTTP servers. I remember the internet where images weren't HTTPS.

While I agree about HTTPS being standard, even for images, I suspected that in the past, HTTPS could have caused far more overhead.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonchild » 2019-10-04, 01:08

RJARRRPCGP wrote:
2019-10-04, 00:01
I suspected that in the past, HTTPS could have caused far more overhead.
The overhead of TLS has not lessened in any significant way.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Isengrim » 2020-01-10, 13:12

At the risk of gravedigging a little (and because ghacks put out another article about it), I presume there are no plans to deprecate, warn about the use of, or remove support for TLS 1.0 or TLS 1.1 in Pale Moon or UXP at this time?
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonchild » 2020-01-10, 13:51

Isengrim wrote:
2020-01-10, 13:12
I presume there are no plans to deprecate, warn about the use of, or remove support for TLS 1.0 or TLS 1.1 in Pale Moon or UXP at this time?
viewtopic.php?f=65&t=23051#p175946
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Isengrim » 2020-01-10, 15:22

I read it, and I didn't think it directly answered my question about removal, hence why I asked. But I'm going to assume that means "no". Thanks.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

User avatar
Moonraker
Board Warrior
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonraker » 2020-01-10, 17:06

Deprecating it in the browser is one thing but how many of the god knows how many websites who run this are prepared to change.?
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: TLS 1.0 and 1.1 deprecation.

Unread post by Moonchild » 2020-01-10, 18:29

Moonraker wrote:
2020-01-10, 17:06
Deprecating it in the browser is one thing but how many of the god knows how many websites who run this are prepared to change.?
Well if chrome users can no longer visit their insecure IIS 6 setup, I bet they will change.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
therube
Board Warrior
Board Warrior
Posts: 1650
Joined: 2018-06-08, 17:02

Re: TLS 1.0 and 1.1 deprecation.

Unread post by therube » 2020-01-11, 12:28

https://badssl.com/

https://tls-v1-0.badssl.com:1010/
https://tls-v1-1.badssl.com:1011/
https://tls-v1-2.badssl.com:1012/

The future: In FF 74, the first two test pages (1010, 1011) will not load (by default).
This website might not support the TLS 1.2 protocol, which is the minimum version supported by Nightly. Enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed.

TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.

Locked