Apple Pulls TLS 1.0, 1.1 Support from Future Products

essidsolutions

Apple has announced it is disabling TLS 1.0 and 1.1 for all future versions of its software for mobile and computer devices. The company’s App Transport Security feature will now require developers to use TLS 1.2 or higher in apps.

Earlier this week, Apple announced the end of life of one of the most widely used cryptographic protocols leveraged for secure communication for voice over IP (VoIP), instant messaging, email, etc. The company bid adieu to Transport Layer Security (TLS) protocols 1.0 and 1.1 for iOS 15, iPadOS 15, macOS 12, watchOS 8, and tvOS 15 and all future operating systems.

Used to encrypt and authenticate secure connections and traffic across the web, the 22-year-old TLS has been considered a legacy protocol by most companies, including Apple, Google, and Microsoft, for three years now. These three companies, along with Mozilla, had in 2018 planned to discontinue support across their respective products.

In 2018, Microsoft said, “Two decades is a long time for a security technology to stand unmodified. While we aren’t aware of significant vulnerabilities with our up-to-date implementations of TLS 1.0 and TLS 1.1, vulnerable third-party implementations do exist.”

Additionally, since TLS 1.2 was used in more than 99% of websites even three years ago, it made sense to retire the legacy protocols, which aren’t technically an outright security threat but could prove to be one. Moreover, according to Christopher Wood, engineering lead at Apple, the use of TLS 1.0 and 1.1 meant users would be unable to:

  • Use modern cryptographic algorithms and cipher suites that deliver appropriate security. For instance, perfect forward secrecy and authenticated encryption are not vulnerable to attacks such as BEAST.
  • Remove mandatory, insecure SHA-1 and MD5 hash functions for peer authentication.
  • Thwart downgrade-related attacks (LogJam and FREAK).


Of course, not all of the companies had similar plans to implement a successor protocol. Launched in August 2018 by the Internet Engineering Task Force (IETF), TLS 1.3 was accepted by Microsoft for its Edge browser in addition to TLS 1.2. Google Chrome and Mozilla Firefox accepted it as well. Apple, on the other hand, already had a security feature called App Transport Security (ATS) for networking since 2016.

ATS is just a way for Apple developers to implement encryption features like TLS and HTTPS. It basically acts as a buffer between developers and app implementations. So if ATS is enabled in the app on your Apple device, you’re all set. Since ATS can be disabled, make sure the app you’re using to communicate uses at least TLS 1.2.

However, Apple recommends users shift directly to TLS 1.3 over the decade-old TLS 1.2 since the former is “faster and more secure.” TLS 1.3 is also included and enabled by default in Windows 10 Insider Preview builds and will probably feature in the broader rollout as well.
