Apple To Remove Insecure TLS Protocols In Future macOS, iOS Releases

by Abeerah Hashim

While Apple has already deprecated the insecure TLS 1.0 and 1.1 protocols in the latest iOS and macOS releases, it plans to remove support for these protocols in upcoming versions.

Apple To Remove Insecure TLS

In a recent post, Apple announced that it will remove the insecure TLS protocols from upcoming macOS and iOS versions.

As Apple elaborated, it decided to disable the insecure TLS 1.0 and 1.1 protocols for better security, and it implemented this move earlier this year. As stated in the post,

"As part of ongoing efforts to modernize platforms, and to improve security and reliability, TLS 1.0 and 1.1 have been deprecated by the Internet Engineering Task Force (IETF) as of March 25, 2021."

Consequently, the protocols are deprecated in macOS 12, iOS 15, iPadOS 15, watchOS 8, and tvOS 15.

As for future versions, Apple has confirmed that it will remove support for insecure TLS entirely. Hence, it has urged all app developers to upgrade their apps to TLS 1.2 or later and remove the legacy versions:

  • tls_protocol_version_t.TLSv10
  • tls_protocol_version_t.TLSv11
  • tls_protocol_version_t.DTLSv10

Specifically, Apple recommended using TLS 1.3, which is faster and more secure.

As for apps that use App Transport Security (ATS) on their connections, Apple assured that no changes are needed.
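A developer preparing for the removal can audit a code base for the three protocol versions listed above. The following is an added example, not code from Apple or from the original article: a small Python scanner that reports every reference to them in Swift, C and Objective-C sources. The Swift shorthand form (`.TLSv10`), the C constant spelling (`tls_protocol_version_TLSv10`) and the sample source text are assumptions that go beyond the spellings shown on the page.

```python
import re
from pathlib import Path

LEGACY = "TLSv10|TLSv11|DTLSv10"          # the three cases named in the article
PATTERN = re.compile(
    rf"\btls_protocol_version_t\.({LEGACY})\b"   # fully qualified Swift case
    rf"|(?<![\w.)\]])\.({LEGACY})\b"             # Swift shorthand (assumed form)
    rf"|\btls_protocol_version_({LEGACY})\b"     # C / Objective-C name (assumed)
)
SOURCE_SUFFIXES = {".swift", ".m", ".mm", ".h", ".c"}


def scan_text(text, name="<memory>"):
    """Return (file, line number, symbol) for every legacy reference in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("//"):       # skip whole-line comments
            continue
        for m in PATTERN.finditer(line):
            symbol = next(g for g in m.groups() if g)
            findings.append((name, lineno, symbol))
    return findings


def scan_tree(root):
    """Scan every source file under root; undecodable bytes are replaced."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample, not taken from any real app.
SAMPLE_SWIFT = """\
let config = URLSessionConfiguration.default
config.tlsMinimumSupportedProtocolVersion = .TLSv10
sec_protocol_options_set_min_tls_protocol_version(opts, tls_protocol_version_t.TLSv11)
config.tlsMaximumSupportedProtocolVersion = .TLSv13
// old: .DTLSv10
"""

if __name__ == "__main__":
    for file, lineno, symbol in scan_text(SAMPLE_SWIFT, "Sample.swift"):
        print(f"{file}:{lineno}: legacy protocol version {symbol}")
```

Run `scan_tree` over a project directory in CI to fail a build that still pins a connection to one of the deprecated versions.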

Continued Abandoning of TLS 1.0 And 1.1

This move is not unexpected, since Apple, together with other giants Google, Microsoft, and Mozilla, had already hinted at it back in 2018.

Subsequently, the firms kept working on the upgrade to higher TLS versions. For example, in February 2019, Google deprecated TLS 1.0 and 1.1 with Chrome 72.

Then, in August 2020, Microsoft announced rolling out TLS 1.3 with Windows 10. The secure protocol arrived enabled by default in Windows 10 Insider Preview builds. Highlighting the security of TLS 1.3, Microsoft stated in its post,

"TLS 1.3 now uses just 3 cipher suites, all with perfect forward secrecy (PFS), authenticated encryption and additional data (AEAD), and modern algorithms. This addresses challenges with the IANA TLS registry defining hundreds of cipher suite code points, which often resulted in uncertain security properties or broken interoperability."

Mozilla also made the same move; however, it reverted the changes with Firefox 74. Explaining the reason behind it, Mozilla stated in the release notes,

"We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information."

Nonetheless, users can always manually update this setting by configuring preferences.

Let us know your thoughts in the comments.
