While Apple has already deprecated the insecure TLS 1.0 and 1.1 protocols in the latest iOS and macOS releases, it plans to remove support for these protocols in upcoming versions.
Apple To Remove Insecure TLS
Through a recent post, Apple announced removing insecure TLS protocols from the upcoming macOS and iOS versions.
As elaborated, Apple decided to disable the insecure TLS 1.0 and 1.1 protocols for better security. The tech giant implemented this move earlier this year. As stated,
As part of ongoing efforts to modernize platforms, and to improve security and reliability, TLS 1.0 and 1.1 have been deprecated by the Internet Engineering Task Force (IETF) as of March 25, 2021.
Consequently, the protocols came deprecated in macOS 12, iOS 15, iPadOS 15, watchOS 8, and tvOS 15.
As for future versions, Apple has confirmed to remove support for insecure TLS entirely. Hence, it has urged all app developers to upgrade their apps to TLS 1.2 or later and remove the legacy versions.
- tls_protocol_version_t.TLSv10
- tls_protocol_version_t.TLSv11
- tls_protocol_version_t.DTLSv10
Specifically, Apple recommended using TLS 1.3 that is faster and more secure.
As for the apps using App Transport Security (ATS) on connections, Apple assured no changes.
Continued Abandoning of TLS 1.0 And 1.1
This move doesn’t come unexpectedly since Apple, together with other giants, Google, Microsoft, and Mozilla, had already hinted at this move back in 2018.
Subsequently, the firms kept on working on the upgrade to higher TLS versions. For example, in February 2019, Google deprecated TLS 1.0 and 1.1 with Chrome 72.
Then, in August 2020, Microsoft announced rolling out TLS 1.3 with Windows 10. The secure protocol arrived enabled by default in Windows 10 Insider Preview builds. Highlighting the security of TLS 1.3, Microsoft stated in its post,
TLS 1.3 now uses just 3 cipher suites, all with perfect forward secrecy (PFS), authenticated encryption and additional data (AEAD), and modern algorithms. This addresses challenges with the IANA TLS registry defining hundreds of cipher suite code points, which often resulted in uncertain security properties or broken interoperability.
Mozilla also made the same move; however, it reverted the changes with Firefox 74. Explaining the reason behind it, Mozilla stated in the release notes,
We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.
Nonetheless, users can always manually update this setting by configuring preferences.
Let us know your thoughts in the comments.