Firefox and Safari Leading in Website Security

Posted on by

Firefox

With TLS 1.0 and TLS 1.1 considered vulnerable to various types of attacks, including BEAST, CRIME and POODLE, Mozilla last month announced plans to disable them in its popular browser and allow only connections made using TLS 1.2 and TLS 1.3.

The move should have no impact on websites that support TLS 1.2 and up, but will result in an error message being displayed when the newer protocol iterations are not supported. An override button on the error page will provide users with the option to fallback to TLS 1.0 or TLS 1.1.

The deprecation of older TLS iterations was initially announced a couple of years ago, but some website administrators have yet to upgrade to newer versions of the protocol. The change introduced in Firefox 74 is expected to encourage them to improve the security of their sites and users

Safari

Apple has unveiled a policy for Safari at the CA/Browser forum that it will not trust any website certificates valid for more than 398 days. This will flow on to all iOS and macOS devices and that this starts on September 1, 2020. This is aimed at improving website security by making site developers are using certificates with up to date cryptographic standards.

Clearly the improved security is going to have some draw backs such as increasing the frequency of certificate deployment will increase the workload for IT staff. The suggestion is that companies need to look to automation to manage certificates and compliance.

This entry was posted in Guidelines, Vulnerability by Mark Bedford. Bookmark the permalink.

Comments are closed.