Posts Tagged: browser

Proposal to drop TLS 1.2 support in early 2025

Proposal to deprecate Transport Layer Security TLS 1.2

Transport Layer Security – or “TLS”- is a cryptographic mechanism to facilitate secure connections and communications across the internet. For example, the https network connection between your device and secure websites or applications, like MIDAS.

Several incarnations of the Transport Layer Security protocol have been developed over the years, the most recent being 1.3:

ProtocolReleasedCurrent Status
TLS 1.01999Deprecated
TLS 1.12006Deprecated
TLS 1.22008In use since 2008
TLS 1.32018In use since 2018
TLS Protocol History

TLS 1.0 and 1.1 are now considered “legacy protocols” and “weak” by today’s cryptographic standards. That’s because they’re susceptible to several vulnerabilities. Modern web browsers automatically default to preferring more secure TLS 1.2 and 1.3 connections. In fact, they may even display a warning when connecting to a website that only supports the now obsolete TLS 1.0/1.1 protocols.

As security and cryptographic standards have evolved over the years, we have too! We’ve previously dropped support for TLS 1.0 connections to our network in 2017. We then subsequently dropped support for TLS 1.1 connections in 2020.

As part of our ongoing commitment to security, we’re now proposing to also deprecate support for TLS 1.2 connections to our client servers in early 2025. Going forward, we propose to only support TLS 1.3 (the latest Transport Layer Security protocol version) connections.

But wait.. isn’t TLS 1.2 still considered secure?

In the past few years, researchers have discovered cryptographic weakness in some of the ciphers and algorithms that TLS 1.2 uses.

While TLS 1.2 can still be used, it is no longer considered the most secure option. TLS 1.2 is only considered “safe” when weak ciphers and algorithms are removed.

On the other hand, TLS 1.3 supports the latest modern encryption with stronger encryption algorithms and more robust authentication mechanisms. TLS 1.3 is currently the most secure TLS version. At time of writing, TLS 1.3 currently has no known vulnerabilities, and also offers performance improvements over TLS 1.2.

When will TLS 1.2 be deprecated?

At time of writing, there has been no date announced as to when TLS 1.2 will be officially deprecated.

However, one day TLS 1.2 will become obsolete, just as its predecessors TLS 1.1 and TLS 1.0 have become.

TLS 1.3 is currently the most secure TLS version. We’re keen to aid its adoption and to ensure the most secure connections to our network and servers. This is why we’re proposing to stop supporting older TLS 1.2 connections in 2025.

What impact would disabling TLS 1.2 support have?

Most modern browsers and operating systems support TLS 1.3.

Therefore, the vast majority of users will be unaffected by our proposal to switch off support for TLS 1.2 in early 2025. However, if you’re using an older device or operating system, you may need to take action.

Here’s a list of browsers and devices that will be affected when TLS 1.2 connections are blocked:

  • Internet Explorer: All versions of Internet Explorer do not support TLS 1.3. This should not impact any of our users, as our MIDAS software has not been supported in IE since 2019.
  • Edge Legacy: Versions of Edge Legacy prior to April 2018 do not support TLS 1.3. Users would need to update to a newer version of Edge or a different browser.
  • Safari on macOS 10.12 Sierra or earlier: These older macOS versions do not support TLS 1.3 in Safari. Users would need to upgrade their macOS or use a different browser.
  • Very old versions of other browsers: Browsers that haven’t been updated in several years might not support TLS 1.3.
  • Older Android devices: Devices running Android 9 (and earlier versions) do not support TLS 1.3.
  • Older iOS devices: Devices running iOS 12 (and earlier versions) do not support TLS 1.3.

Web browsers and devices that do support TLS 1.3:

  • Microsoft Edge (current versions): Supported since April 2018 (Edge 79+)
  • Google Chrome: Supported since April 2018 (Chrome 70+)
  • Mozilla Firefox: Supported since October 2017 (Firefox 63+)
  • Apple Safari (on macOS 10.13 High Sierra or later): Supported since September 2018 (Safari 14+)
  • Opera: Supported since April 2018 (Opera 57+)
  • Android: Android 10 (or later)
  • iOS: iOS 13 (or later)

Important Information For Hosted API users:

If you’re a cloud-hosted MIDAS customer utilizing the optional MIDAS API you may need to take action before TLS 1.2 connections to our network are disabled in early 2025.

You’ll need to ensure that your applications and the underlying programming language you develop in can support (and are correctly configured for) TLS 1.2 connections.

For instance Java 7 (1.7) (and lower) and .NET 4.7 (and lower) languages don’t support TLS 1.1/1.2.

If your applications/programming languages do not support TLS 1.3 encryption, your MIDAS API calls will begin to fail in early 2025 once we disable TLS 1.2 support across our network.

Please refer to the vendor of your programming language if you’re unsure whether it supports TLS 1.3, or for assistance enabling such support in your development environment.

Remind me again.. when is this all happening?

Currently, we are proposing to drop support for TLS 1.2 connections to our network in early 2025.

We have not fixed a specific date in 2025 for this as yet (as we want to hear from you – see below).

However, anything can change over the course of a year. Should new vulnerabilities be discovered in TLS 1.2 during 2024, this may prompt us to bring our plans to deprecate 1.2 support forward.

We Want To Hear From You!

We are currently only proposing to deprecate TLS 1.2 connections to our network in early 2025.

However, we’re open to feedback from you our users in the meantime.

If you feel you have a particular usage case that would require continued reliance on TLS 1.2 support, please reach out to us to discuss.


Disabling TLS 1.0 in early 2017

TLS stands for “Transport Layer Security” and is a cryptographic mechanism used to facilitate secure connections and communications over the internet. Several incarnations of the TLS protocol have been developed over the years (1.0, 1.1, and 1.2), with 1.0 being the oldest and now approaching the ripe old age of 18!

TLS 1.0 is now considered a “legacy protocol” and “weak” by today’s cryptographic standards, as it is susceptible to several vulnerabilities. Modern web browsers automatically default to preferring TLS 1.2 or TLS 1.1 over legacy TLS 1.0 connections, however some older browsers do not support the more modern and secure TLS 1.1/1.2 protocols.

As part of our ongoing commitment to security, in early 2017 we intend to drop support for legacy TLS 1.0 connections to our client servers. The vast majority of users will be unaffected by this change, but if you’re using an older web browser/operating system, you may need to update.

The minimum browser requirements for MIDAS v4.14 (and later) have also been updated accordingly.

The following table of web browsers provides additional guidance as to any action you may need to take to ensure you can continue to access our site/your hosted MIDAS system in 2017:

BrowserVersionComments
Microsoft Internet Explorer11OK (If you see the “Stronger security is required” error message, you may need to turn off the “Use TLS 1.0” setting via Internet Options → Advanced)
9-10OK (When running Windows 7 or newer, however you’ll need to enable TLS 1.1 and TLS 1.2 in Internet Explorer by selecting the “Use TLS 1.1” and “Use TLS 1.2” boxes via Internet Options → Advanced)
Upgrade Required (Windows Vista, XP and earlier are incompatible and cannot be configured to support TLS 1.1 or TLS 1.2 – Please update your operating system)
8 (or lower)Please update to a more recent version of Internet Explorer
Microsoft EdgeAll VersionsOK – No action required
Mozilla Firefox27+OK – No action required
23-26OK (Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2)
22 (or lower)Please update to a more recent version of Firefox
Google Chrome (Desktop)38+OK – No action required
22-37OK – No action required (Provided you’re running Windows XP SP3, Vista, or newer, OS X 10.6 (Snow Leopard) or newer)
21 (or lower)Please update to a more recent version of Chrome
Google Chrome (Mobile)Android 5.0+ (Lollipop)OK – No action required
Android 4.4.x (KitKat)Device Dependent (Some Android 4.4.x devices may not support TLS 1.1 or higher. Please refer to your device manufacturer if unsure)
Android 4.3 (Jelly Bean) (or lower)Please update to a more recent version of Android
Apple Safari (Desktop)7+OK – No action required
6 (or lower)Please update to a more recent version of Safari
Apple Safari (iOS)iOS 5+OK – No action required
iOS 4 (or lower)Please update to a more recent version of iOS

Important Information For Hosted API users:

If you’re a cloud-hosted MIDAS customer utilizing the optional MIDAS API, please ensure that your applications and the underlying programming language you develop in can support (and are correctly configured for) TLS 1.1/1.2 connections. For instance Java 6 (1.6) (and lower) and .NET 3.5 (and lower) languages don’t support TLS 1.1/1.2.
If your applications/programming languages do not support at least TLS 1.1, your MIDAS API calls will begin to fail in early 2017 once we disable TLS 1.0.
Please refer to the vendor of your programming language if you’re unsure whether it supports TLS 1.1/1.2, or for assistance enabling such support in your development environment.

UPDATE: 1st April 2017

In advance of dropping TLS 1.0 support across our entire network this year, we’ve initially dropped TLS 1.0 support on our dedicated Service Status site. If you’re not sure whether or not you’ll still be able to access your hosted MIDAS system once TLS 1.0 support is dropped in the near future, please visit https://midas.network. If you’re able to visit this site without issue, then you’ll still be able to access MIDAS going forward.

UPDATE: 1st July 2017

As of today, our servers no longer accept TLS 1.0 connections. If you’re unable to access our site/a hosted MIDAS system, please upgrade your web browser.


Firefox on Windows XP/VistaIf you’re still accessing your MIDAS room booking system via a Windows XP or Windows Vista machine, you’ll want to read this!

As you should be aware, Windows XP and Vista are now considered obsolete operating systems. They are no longer supported or maintained by Microsoft.

As a result, over the past few years major browser vendors have been slowly dropping support and updates for their products in these operating systems.

For instance, the most “recent” version of Internet Explorer that can be run on Windows XP is IE8 (MIDAS requires at least IE9). For a while this wasn’t a major issue as XP/Vista users could simply switch to either Google Chrome or Mozilla Firefox instead. Both of which were still being actively updated by the respective vendors on these operating systems.

However, Google announced back in November 2015 that Chrome would no longer be supported or receive updates on Windows XP or Windows Vista after April 2016.

Since then, Firefox has been the only major browser to continue supporting and providing updates on Windows XP and Vista.

This week, Mozilla have now announced that Firefox 52 (due for release in March 2017) will be the last version of their browser to receive updates on Windows XP and Vista.

Whilst Firefox 52 will still work on XP/Vista after March 2017, it will no longer receive updates. At this point, none of the modern major web browsers that are supported in MIDAS will continue to be updated on these operating systems.

We are therefore advising any MIDAS users who still access their scheduling systems via Windows XP or Vista to upgrade their operating systems as soon as possible. This will ensure their web browser(s) are kept up-to-date and they’re able to continue using MIDAS in the future.


Browser Logos

We put the latest web browsers head-to-head to try to find out which one is best!

In developing a powerful and feature-rich browser based room booking and resource scheduling system that’s supported in all five major browsers, we often get asked “So, which is the best web browser?”.

This time last year we put Chrome 23, Firefox 16, Internet Explorer 9 & 10, Opera 12 and Safari 5 head-to-head

Now, twelve months on, and less than a week since Internet Explorer 11 became available for Windows 7, Firefox celebrated its ninth birthday, and just a day after Google Chrome 31 is released, we decided it was high time to once again put the latest web browsers offerings “head-to-head” and independently, rigorously test and benchmark them to find out which one of the five major browsers is currently “the best”….

Browsers Tested

Google Chrome 31Mozilla Firefox 25Microsoft Internet Explorer 11Opera 17Apple Safari 5
Google Chrome 31Mozilla Firefox 25Internet Explorer 11Opera 17Apple Safari 5

The Tests

We broadly tested four key areas of browser performance: Speed, Memory Usage, Compliance with standards, and Javascript Performance.

1. Speed

Cold Start Browser Times

The “Cold Start” test measures the time taken to load up the browser upon its first run after a computer reboot. This is measured from the point at which the browser is executed until the point at which its user interface (UI) is ready to accept input.

Non-Cold Start Browser Times

The “Non-Cold Start” test measures the time taken to load up the browser on second and subsequent runs after its first run after a reboot. This is measured from the point at which the browser is executed until the point at which the user interface (UI) is ready to accept input.

Page Load Times (Non-Cached Load)

With the browser open, an empty cache, and showing a blank page (about:blank), the “Page Load Time (No-Cached Load)” test measures the time taken to completely load a complex web page. This is measured from the point at which the “Enter” key is pressed on the URL in the browser’s address bar until the point at which the test web page has fully loaded (as reported by an “onLoad” event on the test web page).

Page Load Times (Cached)

With the browser open, and the test web page already loaded in a single tab, the “Page Load Time (Reload from Cache)” test measures the time taken to reload a complex web page. This is measured from the point at which the F5 key (refresh) is pressed until the point at which the test web page has fully reloaded (as reported by an “onLoad” event on the test web page).

2. Memory Usage

Base Memory Usage (Blank Tab)

The “Base Memory Usage (Blank Tab)” test measures the amount of memory used by the browser with just a single blank (about:blank) tab open.

Memory Usage (10 open tabs)

The “Memory Usage (10 open tabs)” test measures the amount of memory used by the browser with 10 tabs open, each displaying the home page of a popular website.

3. Compliance

HTML5 Compliance

The “HTML5 Compliance” test measures how well each browser conforms to the current state of the HTML5 specification.

CSS3 Compliance

The “CSS3 Compliance” test measures how well each browser conforms to the current state of the CSS3 specification.

4. Javascript Performance

There are a number of different Javascript Performance Benchmark tests available today, all of which give quite different results. We’ve analyzed results from 6 of the most popular Benchmarking Tests and aggregated the results below:

Javascript Performance (Aggregate)

Individual details of each of the 6 individual Javascript benchmark test suits used to arrived at these aggregated scores may be found in our full test report, available to view/download at the end of this page.

Summary

CategoryTestWinnerRunner-Up
SpeedCold StartFF25IE11
Non-Cold StartIE11SF5.1
Page Load Time (Non-Cached Load)OP17IE11
Page Load Time (Reload from Cache)GC31OP17
Memory UsageBase MemoryIE11SF5.1
10 Open TabsFF25SF5.1
ComplianceHTML5GC31OP17
CSS3OP17GC31
PerformanceJavascript Performance (Aggregate)GC31OP17

Results

1st Place2nd Place3rd Place4th Place5th Place
Google Chrome 31Opera 17Microsoft Internet Explorer 11Mozilla Firefox 25Apple Safari 5
Google Chrome 31Opera 17Internet Explorer 11Mozilla Firefox 25Apple Safari 5

The above overall positions were derived based upon the sum of the positions that each browser finished in, in each of our tests. For example, in our HTML 5 compliance test, Chrome came first and so was assigned 1 point, Safari came 5th and so was assigned 5 points. Browsers were then ranked according to the lowest number of points to give the 1st-5th places above (1st being the best)

Analysis

Google Chrome 31 Google Chrome
When we last tested the five major browsers back in November 2012, Chrome came first in 8 out of 13 our tests, making it a clear winner!
A year later, and Chrome is still going strong, coming top in 8 out of 15 tests, and second in a further two tests.
Where Chrome still doesn’t perform quite as well is when it comes to its memory usage, using well over 3 times as much memory with a single blank tab open than Internet Explorer 11.

Mozilla Firefox 25 Mozilla Firefox
We were a little surprised that Firefox only came top in 3 out of 15 tests, and only once came runner-up. To Firefox’s credit, its main strength still seems to be in its memory usage. With 10 websites open in separate tabs, the amount of memory used was less than half that of Chrome with the same ten sites open.

Microsoft Internet Explorer 11 Internet Explorer
We were pleasantly surprised by the improvement of Internet Explorer 11 over previous versions as well as other browsers.
IE11 came top in a couple of our tests, and runner-up in a further three.
Where IE11 appears to have improved most over earlier versions of Microsoft’s browser in is the length of time taken to load and pages (either from a server, or from the cache) as well as start/restart the browser itself. In our tests, starting IE11 took just 0.01463 seconds! – some 280x quicker than Opera started.
That said, in general Internet Explorer 11 still has a way to go to come up to par with the other major browsers in terms of HTML 5 compliance.

Opera 17 Opera
A lot has changed with Opera since we last tested browsers twelve months ago. Since then, Opera have switched from using their own “Presto” layout rendering engine to instead using the same engine as Chrome.
Whilst this change has been received with mixed reviews by Opera users, with some unhappy that many of Opera’s original features were dropped, our test results actually show that the “new” Opera is a browser to be reckoned with, out performing Internet Explorer 11, Firefox 25 and Safari 5 in our tests.
Opera 17 came top in 3 out of our 15 tests, and runner-up in 6.
The browser also scored highly on HTML5/CSS3 compliance and in our aggregated Javascript performance tests, however, Opera’s memory usage was fairly high, second only to Chrome. Opera 17 was slow to start, however, once running it loaded and rendered web pages swiftly.

Apple Safari 5.1 Safari
Our browsers tests were performed on a Windows machine (test specifics are included at the end of this report). Whilst the latest version of Safari is 7, Apple took the decision after the release of Safari 5.1 to no longer continue developing Safari for Windows users – a mistake in our view! Therefore, the most recent version of Safari available to Windows users is 5.1.7, which was used in our testing.
Given that Safari 5.1.7 is now the oldest of the 5 browsers tested, it follows that is doesn’t perform as well as its peers.
However, surprisingly, it did come runner-up in both our memory tests as well as our non-cold start test.

Conclusions – From a Developers Perspective

From our perspective, as developers of a leading web-based room booking and resource scheduling solution, perhaps the most important factors in determining which browser is “best” are compliance with the latest HTML5 and CSS3 standards. As we work hard to ensure our software works well in all the major browsers, this is where having universal standards between browsers becomes so important. In theory, a website (or in our case, a web app), should look and behave the same regardless of the browser being used, which should in theory happen if all browsers complied 100% with standards! Chrome 31 currently comes the closest to the HTML 5 standard with 93% compliance, but as can be seen, CSS3 compliance still has a long way to go for all browsers, with the winning browser in the CSS3 compliance test (Opera 17) only achieving 58% compliance.

Speed (page load time) and Javascript Performance are also important factors for us, as we want our web app to be as fast and responsive as possible. Opera 17 and Chrome 25 loaded pages faster in our tests, with Internet Explorer 11 following close behind. As for performance, both Chrome 25 and Opera 17 outperformed other browsers in our aggregated Javascript performance test scores.

A few surprising finds:

  • Microsoft have made some significant steps forward with Internet Explorer 11 over earlier incarnations of their browser.
  • Opera 17 performed better than expected
  • Firefox 25 performed worse than expected, finishing an overall 4th place in our tests.
Online Web Based Room SchedulingMIDAS, our popular Browser-Based Room & Resource Scheduling Software is currently supported in all browser versions we’ve tested here. Find out more at https://mid.as

Conclusions – So which browser should I use then!?

• If you work with lots of browser tabs open at once, and/or the amount of available memory on your system is limited, Firefox 25 would seem a good choice of browser to use, as this used the less memory than other browsers under the same conditions.

• If you regularly open and close your browser, Internet Explorer 11 or Firefox 25 would seem a good choice as these browsers start up quickly. If, however, you tend to keep your browser running most of the time, Opera 17 would be a better choice, as even though its start-up time is considerably longer, initial page load times are the quickest of all the browsers we tested

• If you’re still using an earlier version of Internet Explorer – it’s certainly worth upgrading to IE11, or if that’s not possible (for example, if you’re using Windows XP, you won’t be able to update your Internet Explorer past version 8!), maybe it’s time to try a different browser!?

• At the end of the day, use the browser that you feel most comfortable with! …BUT make sure you keep it up-to-date, and don’t ignore the competition – if you do, you risk being left behind as other browsers overtake yours in terms of their speed, security, memory usage, standard compliance, and performance!

• In recent years, browsers such as Internet Explorer and Opera have been somewhat overlooked by many regular internet users – but if you’ve not used these browsers for years having previously dismissed them – a lot has changed, and it’s certainly worth giving them a second look again now!

View/Download The Complete Web Browser Test Report HERE

Test Specifics

Browsers Tested: Chrome 31.0.1650.48 m | Firefox 25.0 | Internet Explorer 11.0.9600.16428 | Opera 17 (Build 1652) | Safari 5.1.7 (7534.57.2)

Browser tests were performed on an Intel® Atom™ CPU D525 @ 1.80GHz system, with 4GB Ram, running Windows Home Server 2011 SP1 (Windows Server 2008 R2) 64-bit. Each browser was a clean install, using default install and browsers settings, and with no extensions/addons installed or enabled.

Speed tests were measured using Rob Keir’s millisecond timer and PassMark AppTimer v1.0. Each speed test was performed 10 times for each browser, and the results averaged to provide the data presented in this report.

Compliance Tests: HTML5 | CSS3

Javascript Performance Tests: Dromaeo | Speed-Battle | Sunspider | Peacekeeper | Octane | BrowserMark

Memory usage was measured 60 seconds after tabs had finished loading and was measured through the Windows Task Manager. Memory usage includes all associated processes running with the browser (for example, running Safari spawns both “Safari.exe” and “WebKit2WebProcess.exe” processes, the memory usage of both is taken into account)

The 10 sites open in tabs when measuring memory usage (10 open tabs) were:
https//mid.as | http://news.bbc.co.uk | http://facebook.com | https://twitter.com | http://google.co.uk | https://youtube.com | http://wikipedia.org | http://linkedin.com | http://bing.com | http://amazon.co.uk

Test Date: 13 November 2013