Firefox nightly builds disable TLS 1.0 and TLS 1.1 support

In Firefox nightly builds, support for the TLS 1.0 and TLS 1.1 protocols is now disabled by default (the security.tls.version.min setting is set to 3, which makes TLS 1.2 the minimum version). In stable releases, TLS 1.0/1.1 is planned to be disabled in March 2020. In Chrome, support for TLS 1.0/1.1 will be dropped in Chrome 81, which is expected in January 2020.
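The setting can be checked across profiles with a short audit script. This is an added example, not code from Firefox or from the original article. It assumes the preference is stored as `user_pref(...)` lines in a profile's `prefs.js` and `user.js`, and that values 1 to 4 stand for TLS 1.0 to TLS 1.3; the function names and sample profiles are constructed for illustration.

```python
import re

# Firefox encoding of the security.tls.version.min values.
TLS_PREF_VALUES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
PREF = "security.tls.version.min"
# Matches user_pref("name", 3); lines. Lines commented out with // do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;')


def effective_min(prefs_js, user_js="", build_default=3):
    """Return the effective security.tls.version.min for one profile.

    user.js is applied on top of prefs.js at startup, so it is read last;
    within a file the last assignment wins. build_default is an assumption
    supplied by the caller (3 in the nightly builds described above).
    """
    value = build_default
    for text in (prefs_js, user_js):
        for line in text.splitlines():
            m = PREF_RE.match(line)
            if m and m.group(1) == PREF:
                value = int(m.group(2))
    return value


def audit(profiles, build_default=3):
    """Map profile name -> (pref value, protocol label, allows_legacy)."""
    report = {}
    for name, (prefs_js, user_js) in profiles.items():
        v = effective_min(prefs_js, user_js, build_default)
        label = TLS_PREF_VALUES.get(v, "unknown value %d" % v)
        report[name] = (v, label, v < 3)  # below 3 re-enables TLS 1.0/1.1
    return report


# Constructed sample profiles (not taken from a real system).
SAMPLE = {
    "default": ('user_pref("browser.startup.page", 3);\n', ""),
    "legacy-intranet": ('user_pref("security.tls.version.min", 3);\n',
                        'user_pref("security.tls.version.min", 1);\n'),
    "commented": ('// user_pref("security.tls.version.min", 1);\n', ""),
    "hardened": ('user_pref("security.tls.version.min", 4);\n', ""),
}

if __name__ == "__main__":
    for name, (v, label, legacy) in audit(SAMPLE).items():
        print(f"{name:16} min={v} ({label}) {'ALLOWS TLS 1.0/1.1' if legacy else 'ok'}")
```

A profile flagged as allowing legacy TLS has had the minimum lowered below the nightly default, most often through a `user.js` override.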

The TLS 1.0 specification was published in January 1999. Seven years later, the TLS 1.1 update was released with security improvements related to the generation of initialization vectors and incremental padding. Currently, the IETF (Internet Engineering Task Force), which develops the protocols and architecture of the Internet, is preparing a draft specification that deprecates the TLS 1.0/1.1 protocols. According to the SSL Pulse service, as of September 3, TLS 1.2 is supported by 95.8% of websites that allow secure connections, and TLS 1.3 by 17.7%. TLS 1.1 connections are allowed by 75.5% of HTTPS sites, and TLS 1.0 connections by 65.5%.

The main problems with TLS 1.0/1.1 are the lack of support for modern ciphers (for example, ECDHE and AEAD) and the requirement to support old ciphers whose reliability is called into question at the current stage of development of computing technology (for example, support for TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is required, and MD5 and SHA-1 are used for integrity checking and authentication). Support for legacy algorithms has already led to attacks such as ROBOT, DROWN, BEAST, Logjam and FREAK. However, these problems were not vulnerabilities in the protocol itself and were closed at the level of its implementations. There are no critical vulnerabilities in the TLS 1.0/1.1 protocols themselves that can be used to carry out practical attacks.

Source: opennet.ru
