Apple disables insecure TLS in future iOS and macOS

Apple has deprecated the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols in recently launched iOS and macOS versions and plans to remove support in future releases altogether.

TLS is a cryptographic protocol that protects client/server applications against eavesdropping, tampering, and message forgery when they exchange data over the Internet.

The original TLS 1.0 specification and its TLS 1.1 successor have been in use for more than two decades (TLS 1.0 was defined in RFC 2246 in 1999 and TLS 1.1 in RFC 4346 in 2006).

The Internet Engineering Task Force (IETF) approved TLS 1.3, the next major version of the TLS protocol, in March 2018, after four years of discussions and 28 protocol drafts; it was published as RFC 8446 in August 2018.

TLS 1.0/1.1 deprecation update

“As part of ongoing efforts to modernize platforms, and to improve security and reliability, TLS 1.0 and 1.1 have been deprecated by the Internet Engineering Task Force (IETF) as of March 25, 2021,” Apple said.

“These versions have been deprecated on Apple platforms as of iOS 15, iPadOS 15, macOS 12, watchOS 8, and tvOS 15, and support will be removed in future releases.”

The company advised developers whose apps still use the legacy TLS protocols to begin planning for a transition to TLS 1.2 or higher in the near future.

Apps that use the App Transport Security (ATS) networking security feature on all connections need no action. ATS, which is enabled by default for apps linked against the iOS 9.0 or macOS 10.11 SDKs or later, already requires every connection to use TLS 1.2 or later with a trusted certificate and forward-secrecy cipher suites.

Apple recommends moving directly to TLS 1.3, which is both faster and more secure than TLS 1.2, by adding support for the latest TLS version and removing from apps the deprecated Security.framework symbols that Apple lists in its notice.

Ongoing effort to move away from outdated traffic encryption protocols

Apple’s update follows an October 2018 joint announcement in which Microsoft, Google, Apple, and Mozilla said their browsers would begin retiring TLS 1.0 and 1.1 in the first half of 2020.

In August 2020, Microsoft enabled TLS 1.3 by default in the latest Windows 10 Insider builds.

“TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible,” Microsoft said.

In January 2021, the NSA shared guidance on detecting and replacing outdated Transport Layer Security (TLS) protocol versions with up-to-date and secure variants.

“Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks,” the NSA said.

“Attackers can exploit outdated transport layer security (TLS) protocol configurations to gain access to sensitive data with very few skills required.”
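The NSA guidance above is about detecting obsolete TLS versions on the wire. The following added example (not from the article, Apple, or the NSA) parses a TLS ServerHello record and classifies the version the server actually negotiated. The sample records are constructed inline rather than captured. The detail a naive detector gets wrong: a TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its record header and legacy_version field, and the real version lives in the supported_versions extension (RFC 8446, section 4.1.3), so checking only the header would flag TLS 1.3 as TLS 1.2 and, worse, would misjudge any downgrade logic built on that field.

```python
"""Classify the TLS version negotiated in a ServerHello record.

Added example: handles the TLS 1.3 case where legacy_version stays 0x0303
and the negotiated version is carried in the supported_versions extension.
"""
import struct
from typing import Optional

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# SSL 3.0 was deprecated by RFC 7568; TLS 1.0 and 1.1 by RFC 8996 (March 2021).
OBSOLETE = {0x0300, 0x0301, 0x0302}

HANDSHAKE = 22              # TLS record content type
SERVER_HELLO = 2            # handshake message type
EXT_SUPPORTED_VERSIONS = 43 # extension type (RFC 8446)


def negotiated_version(record: bytes) -> int:
    """Return the protocol version selected by the server in a raw ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello layout: version(2) random(32) session_id(1+n) cipher_suite(2)
    # compression_method(1) [extensions_length(2) extensions...]
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32
    sid_len = hello[pos]
    pos += 1 + sid_len
    pos += 2 + 1
    if pos + 2 > len(hello):
        return legacy_version  # no extensions block: a pre-1.3 server
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
            # TLS 1.3: the real selected version is here, not in legacy_version.
            return struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += ext_len
    return legacy_version


def is_obsolete(version: int) -> bool:
    """True for SSL 3.0, TLS 1.0 and TLS 1.1."""
    return version in OBSOLETE


def describe(record: bytes) -> str:
    """Human-readable verdict for one ServerHello record."""
    v = negotiated_version(record)
    name = VERSION_NAMES.get(v, f"unknown (0x{v:04x})")
    return f"{name}: {'OBSOLETE' if is_obsolete(v) else 'acceptable'}"


def build_server_hello(legacy_version: int, supported_version: Optional[int] = None,
                       cipher_suite: bytes = b"\x00\x2f") -> bytes:
    """Build a minimal ServerHello record (constructed test input, not captured traffic)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + cipher_suite + b"\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!H", legacy_version) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a legacy server, a TLS 1.2 server and a TLS 1.3 server.
SAMPLES = {
    "legacy server": build_server_hello(0x0301),
    "tls12 server": build_server_hello(0x0303),
    "tls13 server": build_server_hello(0x0303, 0x0304, cipher_suite=b"\x13\x01"),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:14s} {describe(rec)}")
```

To run this against real traffic, hand `negotiated_version` the payload of the first server-to-client TCP segment after the ClientHello (for example, extracted from a pcap); anything it reports as obsolete is a server that still negotiates the versions Apple and the IETF have deprecated.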

Source: BleepingComputer