Firefox

Mozilla re-enables TLS 1.0 and 1.1 because of Coronavirus (and Google)

Mozilla released Firefox 74.0 Stable to the public on March 10, 2020. The new version of Firefox came with a number of changes and improvements; among them the deprecation of the security protocols TLS 1.0 and TLS 1.1 in the Firefox web browser.

The functionality has not been removed from Firefox but the default status of both protocols has been set to disabled in Firefox 74.0 by Mozilla.

A consortium of browser makers, among them Mozilla, Google, Microsoft and Apple, vowed to remove TLS 1.0 and 1.1 from their browsers in order to improve the security and performance of Internet connections by relying on TLS 1.2 and TLS 1.3 for secure connections.

Mozilla has re-enabled TLS 1.0 and 1.1 in the Firefox Stable and Beta browser; it is unclear when Mozilla did that but an update on the Firefox release notes page highlights why the protocols have been enabled again. Mozilla notes:

We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.

According to the update posted on the release notes page, Mozilla made the decision because some government sites still rely on the old protocols. Mozilla does not provide any examples of government sites that still rely on these dated protocols.

The organization’s Site Compatibility site offers more details:

Mozilla is going to temporarily re-enable the TLS 1.0/1.1 support in Firefox 74 and 75 Beta. The preference change will be remotely applied to Firefox 74, which has already been shipped. This is because many people are currently forced to work at home and relying on online tools amid the novel coronavirus (COVID-19) outbreak, but some of critical government sites still don’t support TLS 1.2 yet.

A new bug on Mozilla’s bug tracking site provides additional information and another reason entirely. Mozilla highlights that Google postponed Chrome releases and that it is unlikely that Google will disable TLS 1.0 and 1.1 in the Chrome browser for the time being and that this would leave Firefox as the sole browser with the protocols disabled in the Stable version.

The consequence is that Mozilla re-enabled TLS 1.0 and 1.1 in Firefox Stable and Firefox Beta. Firefox users may still disable the protocols manually in the browser by setting the preference security.tls.version.min to 3 to allow TLS 1.2 or higher only.

You Might Also Like