Another update for this thread: We will be completing the final removal of support for TLS 1.0/1.1 in M-98, which is scheduled to ship to Stable channel in February 2022. This change will remove the bypassable interstitial warning and instead Chrome will refuse to connect and show a non-bypassable network error page.
I've updated the Chrome Status entry to include a note about this milestone as well. We are tracking this final removal in crbug.com/1238161.

- Chris

On Thu, Aug 6, 2020 at 10:42 AM Christopher Thompson <[email protected]> wrote:

> One other update: as a result of us pushing back this removal to M-84, we
> are moving back the date when we will remove the enterprise policy bypass
> to *May* 2021. We have updated the Chrome Status entry accordingly, and
> we will also add a note to our previous blog post.
>
> - Chris
>
> On Fri, Apr 3, 2020 at 10:36 AM Daniel Bratell <[email protected]> wrote:
>
>> Thanks for the info! Sounds like a very reasonable plan.
>>
>> /Daniel
>>
>> On 2020-04-03 17:55, Christopher Thompson wrote:
>>
>> Thanks for the ping Daniel, and sorry for forgetting to send an update to
>> this thread. We have decided to postpone this removal in Stable until at
>> least M-84 (scheduled for release in July). We will continue to have it
>> enabled in pre-release channels to try to maintain visibility for affected
>> site owners.
>>
>> We have updated the Chrome Status entry with this new target, and will be
>> updating our previous blog post with the new milestone.
>>
>> - Chris
>>
>> On Fri, Apr 3, 2020 at 5:34 AM Daniel Bratell <[email protected]> wrote:
>>
>>> cthomp, and others involved. What is the current state of this change?
>>> I'm asking because it's one of the less trivial changes done with a
>>> backwards compatibility risk at a time when we are trying to take even less
>>> risk than normal.
>>>
>>> Mozilla elected to delay this change for now (see
>>> https://www.mozilla.org/en-US/firefox/74.0/releasenotes/ ).
>>>
>>> /Daniel
>>>
>>> On 2020-01-28 12:53, Yoav Weiss wrote:
>>>
>>> LGTM3
>>>
>>> On Tue, Jan 28, 2020 at 12:49 PM Mike West <[email protected]> wrote:
>>>
>>>> LGTM2, especially given the value of working in lockstep with other
>>>> vendors.
>>>>
>>>> -mike
>>>>
>>>> On Sun, Jan 26, 2020 at 3:07 PM Jochen Eisinger <[email protected]> wrote:
>>>>
>>>>> dropping usage, long deprecation period, and cross browser support:
>>>>> lgtm1 to remove
>>>>>
>>>>> On Sat, Jan 25, 2020 at 12:08 AM Christopher Thompson <[email protected]> wrote:
>>>>>
>>>>>> Looks like foolip@ already filed a bug:
>>>>>> https://github.com/GoogleChrome/chromium-dashboard/issues/700
>>>>>>
>>>>>> On Fri, Jan 24, 2020 at 3:07 PM Johnny Stenback <[email protected]> wrote:
>>>>>>
>>>>>>> On Fri, Jan 24, 2020 at 2:32 PM Christopher Thompson <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Mounir -- The full Chrome Status form took in a lot of detail
>>>>>>>> that it appears to not show.... Let me share the full details here:
>>>>>>>
>>>>>>> Hey Christopher,
>>>>>>>
>>>>>>> If you (or anyone else for that matter) are able to, please file
>>>>>>> issues with the Chromestatus tool at
>>>>>>> https://github.com/GoogleChrome/chromium-dashboard/issues.
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Johnny
>>>>>>>
>>>>>>>> *Summary*
>>>>>>>> TLS 1.0 and 1.1 were deprecated in Chrome 72 with a planned removal
>>>>>>>> in Chrome 81 (in early 2020). Other browsers are also removing support
>>>>>>>> for TLS 1.0 and 1.1 at this time. Previously, we showed a deprecation
>>>>>>>> warning in DevTools. In M-79, Chrome marked affected sites as "Not
>>>>>>>> Secure". In M-81, Chrome will show a full page interstitial warning on
>>>>>>>> sites that do not support TLS 1.2 or higher.
>>>>>>>>
>>>>>>>> *Motivation*
>>>>>>>> TLS 1.2 was published ten years ago to address weaknesses in TLS
>>>>>>>> 1.0 and 1.1 and has enjoyed wide adoption since then. These old
>>>>>>>> versions of TLS rely on MD5 and SHA-1, both now broken, and contain
>>>>>>>> other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working
>>>>>>>> group has adopted a document to deprecate TLS 1.0 and TLS 1.1.
>>>>>>>>
>>>>>>>> *Interoperability and Compatibility Risks*
>>>>>>>> As of January 1, we still saw 0.3% of main frame page loads using
>>>>>>>> TLS 1.0 or 1.1. This is down significantly from 0.68% back in January
>>>>>>>> 2019. We are optimistic that our current efforts in M-79/80 will
>>>>>>>> increase the visibility of this change to get more sites to update.
>>>>>>>>
>>>>>>>> For more details, you can track these public metrics:
>>>>>>>>
>>>>>>>> - TLS version of main frame loads:
>>>>>>>>   https://chromestatus.com/metrics/feature/timeline/popularity/2634
>>>>>>>> - TLS version of subresources:
>>>>>>>>   https://chromestatus.com/metrics/feature/timeline/popularity/2635
>>>>>>>> - TLS version of subframe loads:
>>>>>>>>   https://chromestatus.com/metrics/feature/timeline/popularity/2636
>>>>>>>>
>>>>>>>> Affected enterprises can bypass these errors using the
>>>>>>>> SSLVersionMin policy. This policy will be available until 2021.
>>>>>>>>
>>>>>>>> This removal is in sync with removal by other browser vendors, so
>>>>>>>> there is little to no interoperability risk.
>>>>>>>>
>>>>>>>> *Other browsers*
>>>>>>>>
>>>>>>>> - Safari: Public support (
>>>>>>>>   https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ )
>>>>>>>> - Firefox: Public support (
>>>>>>>>   https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ )
>>>>>>>> - Edge: Public support (
>>>>>>>>   https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ )
>>>>>>>> - Web / Framework developer views: No signals
>>>>>>>>
>>>>>>>> *Tracking bug URL*
>>>>>>>> https://crbug.com/896013
>>>>>>>>
>>>>>>>> On Fri, Jan 24, 2020 at 2:25 PM Mounir Lamouri <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Usually, deprecations/removals come with a % of page load using
>>>>>>>>> the feature. Is this something that can be shared? Also, which
>>>>>>>>> browsers are dropping TLS 1.0 and 1.1 support?
>>>>>>>>>
>>>>>>>>> On Fri, 24 Jan 2020 at 14:14, Christopher Thompson <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Contact emails
>>>>>>>>>> [email protected],[email protected]
>>>>>>>>>>
>>>>>>>>>> Explainer
>>>>>>>>>> N/A
>>>>>>>>>>
>>>>>>>>>> Design docs/spec
>>>>>>>>>> Specification:
>>>>>>>>>> https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
>>>>>>>>>> https://security.googleblog.com/2018/10/modernizing-transport-security.html
>>>>>>>>>> https://blog.chromium.org/2019/10/chrome-ui-for-deprecating-legacy-tls.html
>>>>>>>>>>
>>>>>>>>>> TAG review
>>>>>>>>>> N/A
>>>>>>>>>>
>>>>>>>>>> Summary
>>>>>>>>>> TLS 1.0 and 1.1 were deprecated in Chrome 72 with a planned removal
>>>>>>>>>> in Chrome 81 (in early 2020). Other browsers are also removing
>>>>>>>>>> support for TLS 1.0 and 1.1 at this time. Previously, we showed a
>>>>>>>>>> deprecation warning in DevTools. In M-79, Chrome marked affected
>>>>>>>>>> sites as "Not Secure". In M-81, Chrome will show a full page
>>>>>>>>>> interstitial warning on sites that do not support TLS 1.2 or higher.
>>>>>>>>>>
>>>>>>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>>>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>>>>>> Yes
>>>>>>>>>> Windows, Mac, Linux, Chrome OS, and Android will show an
>>>>>>>>>> interstitial warning. Android WebView will see this as an SSL error,
>>>>>>>>>> but SSL errors are handled by the embedder (the default behavior is
>>>>>>>>>> to cancel the request).
>>>>>>>>>>
>>>>>>>>>> Is this feature fully tested by web-platform-tests
>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> ?
>>>>>>>>>> No
>>>>>>>>>> N/A
>>>>>>>>>>
>>>>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>>>>> https://chromestatus.com/feature/5759116003770368
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>> Google Groups "blink-dev" group.
>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>>> send an email to [email protected].
>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALMy46TtB3PPD1YTdQ6MZ4d6QYGXJhcOfb_KPQJ6k0zWdY9gFQ%40mail.gmail.com
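
For auditing your own servers against the cutoff discussed in this thread, the following added example (not part of the thread and not Chromium code) reads the version a server selected from a raw ServerHello record and maps it to the Stable-channel behaviour at the milestones the thread states (M-79, M-84, M-98). The function names and the sample records are constructed for illustration.

```python
import struct
SUPPORTED_VERSIONS = 0x002B  # ServerHello extension holding the real TLS 1.3 version
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def negotiated_version(record: bytes) -> int:
    """Return the protocol version a server selected, from its ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[9:5 + rec_len]          # skip record (5) and handshake (4) headers
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                          # legacy_version + random
    pos += 1 + body[pos]                  # session_id
    pos += 2 + 1                          # cipher_suite + compression_method
    if pos + 2 > len(body):
        return version                    # no extensions block: TLS 1.2 or older
    end = min(len(body), pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if pos + 4 + ext_len > end:
            break                         # malformed extension, stop parsing
        if ext_type == SUPPORTED_VERSIONS and ext_len == 2:
            version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
        pos += 4 + ext_len
    return version

def chrome_outcome(version: int, milestone: int) -> str:
    """Stable-channel result, using only the milestones stated in the thread."""
    if version not in NAMES:
        raise ValueError(f"unexpected version 0x{version:04x}")
    if version >= 0x0303:
        return "loads"
    if milestone >= 98:
        return "blocked: non-bypassable network error"
    if milestone >= 84:
        return "bypassable interstitial"
    return "marked Not Secure" if milestone >= 79 else "loads"

def sample_server_hello(legacy: int, selected=None) -> bytes:
    """Constructed sample input (not a capture): a minimal ServerHello record."""
    suite = b"\x13\x01" if selected else b"\x00\x2f"
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + suite + b"\x00"
    if selected:
        body += struct.pack("!HHHH", 6, SUPPORTED_VERSIONS, 2, selected)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, legacy, len(handshake)) + handshake
```

The outcome ignores the SSLVersionMin enterprise policy mentioned in the thread, which changed the result for managed clients while it was available.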
