TLS is the protocol that secures HTTPS, and Google last year announced that it wants to deprecate browser support for older versions of Transport Layer Security. Set for next year, the Chrome team today detailed what user-facing warnings will appear.
TLS 1.0 and 1.1 will be blocked in Chrome 81. In the lead-up, Google will display a “gentler” Chrome TLS warning on sites that still use the older protocol.
While legacy TLS usage has decreased, we still see over 0.5% of page loads using these deprecated versions. To ease the transition to the final removal of support and to reduce user surprise when outdated configurations stop working, Chrome will discontinue support in two steps.
Starting with Chrome 79 on January 13, 2020, the browser will show a “Not Secure” indicator to the left of the address box. Tapping Page Info provides the full “Your connection to this site is not fully secure” warning. Google is not yet blocking TLS 1.0 or 1.1 at this stage, just alerting users.
By March, with Chrome 81, connections to websites using the legacy versions will be blocked. There will be a full-screen interstitial warning that notes how the site you’re visiting uses an “outdated security configuration, which may expose your information when it is sent to the site.”
Google encourages site admins to update to TLS 1.2 (released over a decade ago) or newer ahead of the Chrome TLS warnings. Enterprise deployments can re-enable TLS 1.0 or TLS 1.1 and disable the warning UIs until January 2021.
Site administrators should immediately enable TLS 1.2 or later. Depending on server software (such as Apache or nginx), this may be a configuration change or a software update. Additionally, we encourage all sites to revisit their TLS configuration.
FTC: We use income earning auto affiliate links. More.
Comments