We are all familiar with news stories exposing scary-sounding Internet security vulnerabilities, such as Meltdown and Spectre, or ingenious new ways that hackers and scammers can steal your data online.
To say security best practice is a movable feast is something of an understatement. As an Internet user, it can be difficult to know what you can do to protect yourself. But one great thing that every user can do is ensure they’re using a modern, up-to-date browser.
The importance of updating browsers
Not that long ago, browsers would be updated infrequently in major releases, and sometimes only with a new operating system (OS). But in the fast-paced world of today, this is no longer appropriate.
Because the likes of Chrome, Firefox and Microsoft Edge browsers all self-update, if you use one of these browsers, you’re very likely to be running the most recent version. Yay! Unfortunately, some estimates suggest that more than 10% of internet users are still using old, insecure browsers. This is a cause for concern when it comes to data security.
TLS protocols (and dropping the 1.0)
There are a number of protocols used to encrypt internet traffic. The oldest still in use, Transport Layer Security version 1 (TLS 1.0), was originally defined in 1999. As the internet has evolved, TLS 1.0 has been found to be insecure by current standards. The most recent version of TLS is version 1.3, which was released in 2018.
PCI Security Standards Council deadline
The PCI Security Standards Council are a recognised authority on security standards for account data protection. One of their most important standards (as far as the internet is concerned) is their Data Security Standard (DSS).
While the PCI DSS is primarily concerned with the storage, transmission, and usage of payment card information, it’s widely used as a standard for Internet security best practice.
Some time ago, the PCI Security Standards Council set a deadline for dropping support for the insecure encryption protocol TLS 1.0. All organisations who handle card payments and want to remain compliant must not support this protocol after 30th June 2018. The Council has also recommended that support for TLS 1.1 be dropped, but this is not a requirement.
TLS 1.0 and 1.1 deprecation plans
Dropping support for TLS 1.0 and 1.1 was planned by many organisations to take place in the summer of 2018. These plans were delayed because a significant minority of users were unable or refused to upgrade. At the start of 2020, these plans were halted again, this time due to coronavirus.
However, more than 2 years on, it’s finally time to make the internet more secure! In October 2020, Microsoft restarted its deprecation of TLS 1.0 and 1.1 for the Office 365 service. Other large Internet service providers are following suit. It is likely that by the end of 2020, the Internet will be largely unusable with an old browser.
How will this affect me?
If you’re using a modern browser such as Chrome, Firefox or Edge, it should not affect you at all. Your experience of using the internet will continue as normal. However, if, for example, you’re still using Internet Explorer 10 you will start to see this message a lot while browsing the internet:
What are myhrtoolkit doing about TLS deprecation?
Back in the summer of 2018, we implemented an alert system to warn users if they were using an insecure browser. As of 15th December 2020, we dropped support completely for TLS 1.0 and 1.1.
If you’re using a browser that’s incapable of using modern encryption, for your security and that of every other user, you will not be able to use any myhrtoolkit services.
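One way a service operator could find the users who still connect over TLS 1.0 or 1.1 before switching those protocols off, shown as an added example and not myhrtoolkit's own code. It assumes an nginx-style access log whose format includes the `$ssl_protocol` variable; the log format, the sample lines and the function name `legacy_tls_report` are constructed for illustration.

```python
import re
from collections import Counter

# Protocol names as nginx writes them for $ssl_protocol.
LEGACY = {"TLSv1", "TLSv1.1"}

# Assumed log_format (hypothetical for this example):
# '$remote_addr [$time_local] $ssl_protocol "$request" $status "$http_user_agent"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] (?P<proto>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 [01/Dec/2020:09:14:02 +0000] TLSv1.3 "GET /login HTTP/2.0" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/87.0"
198.51.100.7 [01/Dec/2020:09:14:05 +0000] TLSv1 "GET /login HTTP/1.1" 200 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
198.51.100.7 [01/Dec/2020:09:15:41 +0000] TLSv1 "POST /login HTTP/1.1" 302 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
192.0.2.44 [01/Dec/2020:09:16:00 +0000] TLSv1.1 "GET /holiday HTTP/1.1" 200 "Mozilla/5.0 (Linux; Android 4.3) Safari/534.30"
203.0.113.99 [01/Dec/2020:09:16:30 +0000] TLSv1.2 "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/83.0"
this line is malformed and should be counted, not crash the report
"""

def legacy_tls_report(log_text):
    """Return (clients, unparsed).

    clients maps (ip, user agent, protocol) to a request count, and holds
    only the clients that negotiated TLS 1.0 or 1.1.
    """
    clients = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # keep a tally so gaps in the report are visible
            continue
        if m["proto"] in LEGACY:
            clients[(m["ip"], m["agent"], m["proto"])] += 1
    return clients, unparsed

if __name__ == "__main__":
    clients, unparsed = legacy_tls_report(SAMPLE_LOG)
    for (ip, agent, proto), hits in clients.most_common():
        print(f"{proto:8} {hits:3} requests  {ip:15} {agent}")
    print(f"{unparsed} line(s) could not be parsed")
```

Running a report like this while the old protocols are still enabled shows which clients would lose access, so they can be warned before the cut-off date.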
Updating your browser
We understand that for some users, updating their browser may not be simple or quick. Some may not even know how to tell if their browser is old. For more information about our tools that help customers spot users with insecure browsers, you can read our support article on TLS and myhrtoolkit.
Written by Kit Barker
Kit is myhrtoolkit's Chief Technology Officer and a company director, and leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.